Re: Access denied for OpenProcess(PROCESS_DUP_HANDLE) in service
From: Paul Carter (pacman128_at_gmail.com)
Date: 07/20/05
- Previous message: David Cross [MS]: "Re: How to build a certificate request from a certificate to be renewe"
- In reply to: Pavel Lebedinsky [MSFT]: "Re: Access denied for OpenProcess(PROCESS_DUP_HANDLE) in service"
- Next in thread: Pavel Lebedinsky [MSFT]: "Re: Access denied for OpenProcess(PROCESS_DUP_HANDLE) in service"
- Reply: Pavel Lebedinsky [MSFT]: "Re: Access denied for OpenProcess(PROCESS_DUP_HANDLE) in service"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 20 Jul 2005 11:06:13 -0700
Pavel Lebedinsky [MSFT] wrote:
> "Paul Carter" wrote:
>
> > My code works fine if the client app is also running as the same user,
> > but fails if it is another user. Does the administrator account not
> > have the rights to make the OpenProcess() call on any process? If not,
> > it appears that I need to modify the DACL to give the account this
> > right. Or is there a better way?
>
> Processes running as regular users typically give access to the user
> account and System only. If you want to open them as administrator
> you have to enable SeDebugPrivilege before calling OpenProcess.
> But even this is probably not necessary in your case - see below.
>
> > In the older posts I found searching, the posters seem to be attempting
> > to execute DuplicateHandler() in the client process. Isn't it better to
> > run this in the service code (security wise) or am I missing something?
>
> The usual pattern for this is the client makes a request to the service,
> the service impersonates the client, calls OpenProcess (it doesn't need
> SeDebugPrivilege for this because it's impersonating the client), then
> duplicates the handle into the client process.
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
Thanks for your reply!
However, if I am reading the docs correctly ImpersonateLoggedOnUser()
(and others) require the SeImpersonatePrivilege which is only supported
on the server versions of Windows. Is this correct?
To give more background:
The basic problem is that the app reads data from a SCSI hard disk in a
proprietary format. The data is not even organized as flat files.
Currently, the app does this by opening up the disk using CreateFile
and " \\.\PHYSICALDRIVEx" This works great but requires administrative
access. The user wants the app to work without admin access. We have
been unable to find a simple privilege to give a user to open the disk
in raw mode other that to make the user an admin. So, we are
investigating having a service run as administrator to open the disk
and duplicate the handle to give to the client app running with normal
user rights.
The current app is running on Windows 2000/XP workstation. The user
does not want to move to a server version of Windows. If we can't use
ImpersonateXXX() API, can anyone point us to another solution? Would
giving the service process the PROCESS_DUP_HANDLE right on the client
process work?
Is there a good online reference/tutorial for the Windows security API?
At the moment, we are a little overwhelmed by it.
Thanks!
-- Paul Carter
- Previous message: David Cross [MS]: "Re: How to build a certificate request from a certificate to be renewe"
- In reply to: Pavel Lebedinsky [MSFT]: "Re: Access denied for OpenProcess(PROCESS_DUP_HANDLE) in service"
- Next in thread: Pavel Lebedinsky [MSFT]: "Re: Access denied for OpenProcess(PROCESS_DUP_HANDLE) in service"
- Reply: Pavel Lebedinsky [MSFT]: "Re: Access denied for OpenProcess(PROCESS_DUP_HANDLE) in service"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
