CreateProcessWithLogonW doesn't work with XP service pack 2

on 20.03.2005 21:28:26 by Jerry

I'm trying to run an application under another user within a winform
app written in C#. I have tried a number of different things, but it
seems that the CreateProcessWithLogonW function should work to do what
I need to do. This appears to work just fine in Windows 2000 and XP
with service pack 1, but it doesn't work with XP service pack 2
installed.

I'm sure it's one of the "Enhanced security features" of service pack
2, but I can't seem to get this to work. The function returns a 1
indicating that it worked fine, but the application that I'm trying
to launch does not launch.

To give a little background on what I'm doing:

I have written a small app that is basically just an interface for the
netsh command to change network setting for the user. The users do not
have admin rights on their machines, but a select few need to be able
to change their IP addresses for business reasons. Because of this, I
basically just call the CreateProcessWithLogonW function to run
the netsh command under an admin account on the machine to change the
IP address to whatever the user specifies in the interface that I
provided.

As a test, I have created two very simple windows apps. The first one
calls the CreateProcessWithLogonW function to login as another account
on the machine. It then calls another simple application that uses the
WindowsIdentity to show the current user. This works fine on Win2K and
XP sp1, but not with service pack 2.

If anyone knows how to get around this, that would be great.

Thanks,
Jerry

Re: CreateProcessWithLogonW doesn't work with XP service pack 2

on 21.03.2005 03:31:52 by Joshua Flanagan

Sorry if this doesn't directly address your question, but it may be an
alternative to help solve your problem.

Have you considered making a windows service that runs under a
privileged account? You could then make the client WinForms application
(running as the logged in user), communicate with the service via .NET
Remoting, and request the service to make changes on the user's behalf.
That way, your application does not have to store administrator
credentials (as I assume you are doing with your CreateProcessWithLogonW
approach) on the user's machine.


Re: CreateProcessWithLogonW doesn't work with XP service pack 2

on 21.03.2005 03:45:56 by Jerry

Thanks, that is an interesting idea that I haven't thought of even
though I have done a number of applications with windows services. I
would still like to get this other method working though. The
application has been working fine for 3 years, but now that the current
IT build includes service pack 2, it's not working. I will keep the
windows service in mind though as another alternative. Good idea.

If anyone else has ideas on how to get the CreateProcessWithLogonW working,
that would be great.

Re: CreateProcessWithLogonW

on 16.04.2008 13:32:50 by expvb

What you are experiencing is a security feature in Windows 2000+. If one
application uses SetWindowsHookEx() to hook another application run by a
different user, the hook fails, even if the target process is visible and on
the same desktop. I just tried this with Notepad; it works fine when I start
it as the same user, and doesn't work when I use Run As to start it as a
different user (tried Administrator and Power User). I am logged in using an
account that is a member of the Administrators group. SetWindowsHookEx()
returns 0 in these cases and GetLastError() returns 5, Access is denied,
ERROR_ACCESS_DENIED. The hook procedure is in a C++ DLL.

Also, in Vista and later, SendMessage can only send messages to processes
with the same privilege or lower, otherwise it fails with error access
denied. See here:

SendMessage Function
http://msdn2.microsoft.com/en-us/library/ms644950.aspx

Finally, while on the same subject of GUI and security: starting with Vista,
services run in their own terminal services session for security reasons, so
services that create a hidden window to let other applications talk to it
using SendMessage (to configure the service, for example) will be blocked
from receiving such messages in Vista and after. You have to use another
method like named pipes. See here:

AC: Session 0 Isolation
http://msdn2.microsoft.com/en-us/library/bb756986.aspx
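
The design Joshua Flanagan suggests above (a privileged service acting on the user's behalf), combined with the named-pipe transport expvb mentions, shown as an added example that is not code from any poster in this thread. It assumes .NET Framework 3.5 or later and a service running as LocalSystem; the pipe name, the `NetConfigOperators` group, the adapter allowlist and the `adapter|address|mask|gateway` request format are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.IO.Pipes;
using System.Net;
using System.Net.Sockets;
using System.Security.AccessControl;
using System.Security.Principal;

static class IpChangeBroker
{
    // Hypothetical names: pipe, local group of permitted users, adapters that may be changed.
    const string PipeName = "ipchange-broker";
    const string AllowedGroup = "NetConfigOperators";
    static readonly string[] Adapters = { "Local Area Connection" };
    // Request line: adapter|address|mask|gateway. Returns netsh arguments, or null if invalid.
    public static string BuildNetshArgs(string line)
    {
        string[] f = (line ?? "").Split('|');
        if (f.Length != 4 || Array.IndexOf(Adapters, f[0]) < 0) return null;
        for (int i = 1; i < 4; i++)
        {
            IPAddress ip;
            // Canonical dotted-quad IPv4 only; the round trip rejects shorthand such as "10.1".
            if (!IPAddress.TryParse(f[i], out ip) || ip.AddressFamily != AddressFamily.InterNetwork
                || ip.ToString() != f[i]) return null;
        }
        return string.Format("interface ip set address name=\"{0}\" static {1} {2} {3} 1",
                             f[0], f[1], f[2], f[3]);
    }
    static void Main() // in a real service this loop runs on the service's worker thread
    {
        var acl = new PipeSecurity(); // only LocalSystem (the service) and the allowed group
        acl.AddAccessRule(new PipeAccessRule(
            new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null),
            PipeAccessRights.FullControl, AccessControlType.Allow));
        acl.AddAccessRule(new PipeAccessRule(AllowedGroup, PipeAccessRights.ReadWrite, AccessControlType.Allow));
        string netsh = Path.Combine(Environment.SystemDirectory, "netsh.exe"); // full path, no search
        while (true)
            using (var pipe = new NamedPipeServerStream(PipeName, PipeDirection.InOut, 1,
                       PipeTransmissionMode.Byte, PipeOptions.None, 0, 0, acl))
            {
                pipe.WaitForConnection();
                var writer = new StreamWriter(pipe) { AutoFlush = true };
                string args = BuildNetshArgs(new StreamReader(pipe).ReadLine());
                if (args == null) { writer.WriteLine("REJECTED"); continue; }
                var psi = new ProcessStartInfo(netsh, args) { UseShellExecute = false };
                using (var p = Process.Start(psi)) { p.WaitForExit(); writer.WriteLine("EXIT " + p.ExitCode); }
            }
    }
}
```

Because the service runs with administrative rights, the pipe ACL and the validation in `BuildNetshArgs` are what limit an ordinary user to an address change on an allowed adapter; no administrator password is stored on the client.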