Start Process in Session 1 from a Windows 7 Service

Question

1.00/5 (1 vote)

See more:

I have a service running in Windows 7. In Windows 7 all services run in Session 0. From that service I want to create an interactive user session (in a session other than Session 0) and start an application in that session. My problem is that when I call LogonUser to start an interactive user session and then use CreateProcessAsUser to start the application the application ends up running in Session 0.

All of my code is C#.

Here is the relevant code:

C#

[DllImport("advapi32.dll", SetLastError=true)]
static extern bool LogonUser(
    string principal,
    string authority,
    string password,
    UInt32 logonType,
    UInt32 logonProvider,
    out    IntPtr token);

[DllImport("advapi32.dll", SetLastError=true)]
static extern bool CreateProcessAsUser(
    IntPtr hToken,
    string lpApplicationName,
    string lpCommandLine,
    IntPtr lpProcessAttributes,
    IntPtr lpThreadAttributes,
    bool bInheritHandles,
    int dwCreationFlags,
    IntPtr lpEnvironment,
    string lpCurrentDirectory,
    ref STARTUPINFO lpStartupInfo,
    ref PROCESS_INFORMATION lpProcessInformation);

IntPtr token;
LogonUser("UserName", ".", "Password", 
    LogonTypes.Interactive,LogonProviders.Default, out token)

<code to impersonate user>
string hd = Environment.ExpandEnvironmentVariables("%USERPROFILE%");

IntPtr envBlock = IntPtr.Zero;
CreateProcessAsUser(token, "PathToMenu.exe",
    NORMAL_PRIORITY_CLASS |CREATE_UNICODE_ENVIRONMENT,
    "WinSta0\\Default", hd, envBlock, "Menu");

Can anyone tell me what I'm doing wrong?

Posted 19-Oct-11 5:28am

kenstern

Updated 14-Feb-17 22:09pm

Orcun Iyigun

v2

Add a Solution

Comments

Orcun Iyigun 19-Oct-11 11:30am

Updated the tags.

3 solutions

Solution 3

Dave is completely wrong! As triend said use CreateProcessAsUser

Subverting Vista UAC in Both 32 and 64 bit Architectures[^]

Posted 10-May-17 14:12pm

Robson Carvalho Joaquim

Updated 10-May-17 19:30pm

v3

Comments

CHill60 11-May-17 4:50am

That article is dated 2009 and is for Vista. Windows has moved on a bit since then and many of the security holes have been filled in. If you read the entire thread you will find...Quote:Now you know why Microsoft has been saying DON'T do this. The functionality has been walled off in 7. You can't create an interactive process on the user Desktop from Session 0 for security reasons

Robson Carvalho Joaquim 11-May-17 12:08pm

Your statement isn't true. I use the CreateProcessAsUser in window 10 and work flawlessly

Try yourself and come back here to change your comment.

http://download.microsoft.com/download/7/E/7/7E7662CF-CBEA-470B-A97E-CE7CE0D98DC2/Session0Changes.docx

Solution 2

Dave's answer is wrong, just because the question is about starting a process in a user session (session 1 and above) from a service, not presenting a GUI in session 0.

The way to do this is by impersonating the user of a session and then create the process.
Look at:
WTSQueryUserToken to get the user's primary token
ImpersonateLoggedOnUser
CreateProcessAsUser to start a process on the WinSta0\Default desktop

Posted 14-Feb-17 22:09pm

triendl.kj

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Dave Kreskowiak · Accepted Answer · 2011-10-19T06:22:00

Solution 1

What are you doing wrong? You're trying to create an interactive process from a service. Not a good idea since what if there is noone logged in at the time? What if there are multiple logged into the machine at the same time?

You could go into the service properties, LogOn tab, and enable "Allow service to interact with desktop", but that isn't going to do what you expect it to on Windows 7 and up.

What you want to do is very strongly discouraged by Microsoft, mostly for security reasons.

Posted 19-Oct-11 6:22am

Dave Kreskowiak

Comments

kenstern 19-Oct-11 13:27pm

Dave, yeah - I know. Unfortunately I have some rather unique requirements. I'm actually porting this from Win XP (where it works just fine) to Win 7. Also, Microsoft, and my take from lots of searching, is that this is the 'recommended' way to do what I want. Note that there will be a user logged in (we do that just before the call to CreateProcessAsUser) and we use the token returned from that logon to identify the user/session. So ... understanding that this is a slightly underhanded way of doing things ... why doesn't it work?

Dave Kreskowiak 19-Oct-11 14:16pm

Now you know why Microsoft has been saying DON'T do this. The functionality has been walled off in 7. You can't create an interactive process on the user Desktop from Session 0 for security reasons. Any thing that your service does that requires user interaction will be restricted to showing up on an alternate desktop. The user will, at most, get a notification that a service wants your attention and give you the option of switching the the service desktop to see what's going on. It's called "Session 0 Isolation".

It used to be, prior to 7 (maybe Vista), that services ran in the same Session as the first user to login to the console, Session 0. Since services normally run with elevated privs, it was possible for a malware service to show a UI to the user in the same session. Hence, the rise of Session 0 Isolation.

S0I was designed to protect users from potentially bad service and driver processes as well as the other way around, protecting legit services from potentially hazardous user applications.

Your code previously only worked because services and user apps could run in the same Session, under different Stations. That doesn't happen anymore under 7. Even services tagged as "Allow Interactive" are stuck running under Session 0, completely isolated from Session 1 and above.

You can create new processes, specifying the Window Station and Desktop to run the process under, but you can NOT specify the Session to run under. Even if the Station and Desktop id's are identical, each Session maintains its own table of Stations and Desktops.

Hmmm... Are you passing the users security token to CreateProcess??

Dave Kreskowiak 19-Oct-11 14:31pm

You can't change which Session a process is created under, but you CAN change the SessionID for a security token. (BIG) IF the service has the "Act As Part Of the Operating System" privilege, it may be able to change a copy of the security token to match the logged on users session ID. Then you can pass the modified token to CreateProcessAsUser.

... in theory anyway. I have no idea if it's going to work or what else has to be done to get to the user to see the process.

fjdiewornncalwe 19-Oct-11 14:04pm

Absolutely. In order for a "user" application to be executed from a service, the "Allow to interact..." option must be selected. Thankfully I have had other options rather than implementing this on Win7/2008.

Dave Kreskowiak 19-Oct-11 14:20pm

Yeah, the only problem with doing that is it's interactive all right, just not on the users Window Station. Under 7, the service will run under WinSta0, but a different WinSta0 than the user sees. The service WinSta0 is still stuck in Session 0, which the user won't see.

kenstern 20-Oct-11 8:43am

OK - I get it. It seems I'm just going to have to find another way to do this and that will require some change to the requirements. Basically, with the switch to Windows 7 "you can't get there from here" anymore. Thanks!!

Felice Pollano 25-Feb-13 14:03pm

The "Allow service Interact with Desktop" suggestion is **wrong** since in Win7 /2k8 server and newer this check does not change the session the process is running on.

Dave Kreskowiak 25-Feb-13 15:39pm

Ummm...why are you replying to a message that's a year and a half old and one that's been thoroughly discussed and of which you're really not adding any new information??

Felice Pollano 26-Feb-13 5:35am

I seen this question marked as an answer because I have the same problem. Since the reply is signed as an answer, but is not, I think is better to know for anyone else reading the thread.

ahamednafeel 25-Nov-14 2:31am

Kindly Specify is there any other ways to overcome winsta0 from windows xp to windows 7??

Dave Kreskowiak 25-Nov-14 7:40am

You haven't read this entire thread, have you?

For the last time, NO, THERE IS NO WAY TO PUT UP A USER INTERFACE OR LAUNCH A PROCESS ON THE USERS DESKTOP FROM A WINDOWS SERVICE! THAT ABILITY WAS REMOVED FROM WINDOWS AS IT WAS DETERMINED TO BE A SECURITY RISK.

ahamednafeel 25-Nov-14 23:08pm

Thanks dave...

I have a application which works on windows xp.. but not on window 7 for the cause of session 0.. I understood what happened.. But i need the solution for that.. I have to call that application..

Dave Kreskowiak 25-Nov-14 23:21pm

You have no choice but to scrap what you have and rewrite so that your service doesn't attempt to do anything with the users station. It's simply NEVER going to work.

You'll have to have a separate application that runs on the users desktop and accepts commands from the service over some IPC channel, like a named pipe. This second application can do whatever you want, like launching other applications because it is running as the user and in the users Desktop.

ftosteve 6-May-16 9:00am

@Dave. One flaw in the 'correct way'. You have to have the client app running to interact with the desktop. If someone closes the client then your service can no longer tell the user something. And as the service cannot restart the client(s0i) you are stuck.
Everyone seems to assume the control wanted is client to service where as I want service to client.
I would like to have the service open a from on the clients desktop irrespective of if they are running a tray/client/app etc.
Then ask for thier response upon some questions to continue processing.

I also have the issue where I want a generic service to run in multiple environments.
1. With shell(explorer.exe) showing desktop. Tray icon exist and autoruns/startups run but userr can close the client app stopping the ipc commands from service.
2. With bespoke shell, no desktop/tray/autoruns/startups so no way a client app can be running to ipc to the service.

By the way. The statement about it not being possible to start a client visible app in session 1 from service in session 0 is kind of a lie.
Microsoft themselves do it. You you see in action at least once a month...
Service SVCHOST.EXE on session 0 starts client visible app/tray WUAUCLT.EXE in session 1(your logon).

Dave Kreskowiak 6-May-16 10:01am

Actually, it's not a lie.

Yes, SVCHOST does this, only because it's a Windows internal app that doesn't have any documentation at all. Your service cannot use it.

Your service still can NOT open a UI on a user desktop. Period. End of story. Trying to force it to do so only makes your code possibly incompatible with future Windows, i.e. WinXP to Vista and above.

Good luck trying to get it to work.

ahamednafeel 26-Nov-14 21:13pm

@Dave Thanks... If i made like this how can i use it for Windows XP ??

Dave Kreskowiak 27-Nov-14 0:00am

When it works on Windows 7, it'll work on Windows XP. You're just now being forced to do it the correct way instead of a "hack" only supported on XP and lower.

ahamednafeel 26-Nov-14 22:07pm

Dave one more thing I need to know.. why I need IPC named pipe For this issue?? can you guide me please!!