补充说明:根据文档,如果您不希望新进程与用户进行交互,则可以直接使用CreateProcessAsUser而无需经过这些步骤。我尚未测试过这一点,但是假设它是正确的,那么对于许多场景来说,这将是一个更简单的解决方案。
事实证明,Microsoft已经提供了样例代码以操作窗口站和桌面访问权限,标题为在C++中启动交互式客户端进程。从Windows Vista开始,在默认窗口站中启动子进程已不足以允许子进程与用户进行交互,但它确实允许子进程使用替代用户凭据运行。
我应该指出,微软的代码使用
LogonUser
和
CreateProcessAsUser
而不是
CreateProcessWithLogonW
。这意味着服务将需要
SE_INCREASE_QUOTA_NAME
特权,可能还需要
SE_ASSIGNPRIMARYTOKEN_NAME
。更好的选择可能是替换
CreateProcessWithTokenW
,它只需要
SE_IMPERSONATE_NAME
。我不建议在此上下文中使用
CreateProcessWithLogonW
,因为它不允许您在启动子进程之前访问登录SID。
我编写了一个最小的服务来演示使用微软的示例代码:
#define _WIN32_WINNT 0x0501
#include <windows.h>
BOOL AddAceToWindowStation(HWINSTA hwinsta, PSID psid);
BOOL AddAceToDesktop(HDESK hdesk, PSID psid);
BOOL GetLogonSID (HANDLE hToken, PSID *ppsid);
VOID FreeLogonSID (PSID *ppsid);
BOOL StartInteractiveClientProcess (
LPTSTR lpszUsername,
LPTSTR lpszDomain,
LPTSTR lpszPassword,
LPTSTR lpCommandLine
);
const wchar_t displayname[] = L"Demo service for CreateProcessWithLogonW";
const wchar_t servicename[] = L"demosvc-createprocesswithlogonw";
DWORD dwWin32ExitCode = 0, dwServiceSpecificExitCode = 0;
#define EXCEPTION_USER 0xE0000000
#define FACILITY_USER_DEMOSVC 0x0001
#define EXCEPTION_USER_LINENUMBER (EXCEPTION_USER | (FACILITY_USER_DEMOSVC << 16))
HANDLE eventloghandle;
wchar_t subprocess_username[] = L"harry-test1";
wchar_t subprocess_domain[] = L"scms";
wchar_t subprocess_password[] = L"xyzzy916";
wchar_t subprocess_command[] = L"cmd.exe /c dir";
void demo(void)
{
if (!StartInteractiveClientProcess(subprocess_username, subprocess_domain, subprocess_password, subprocess_command))
{
const wchar_t * strings[] = {L"Creating subprocess failed."};
DWORD err = GetLastError();
ReportEventW(eventloghandle,
EVENTLOG_ERROR_TYPE,
0,
2,
NULL,
_countof(strings),
sizeof(err),
strings,
&err);
return;
}
{
const wchar_t * strings[] = {L"Creating subprocess succeeded!"};
ReportEventW(eventloghandle,
EVENTLOG_INFORMATION_TYPE,
0,
1,
NULL,
_countof(strings),
0,
strings,
NULL);
}
return;
}
CRITICAL_SECTION service_section;
SERVICE_STATUS service_status;
SERVICE_STATUS_HANDLE service_handle = 0;
static DWORD WINAPI ServiceHandlerEx(DWORD control, DWORD eventtype, LPVOID lpEventData, LPVOID lpContext)
{
if (control == SERVICE_CONTROL_INTERROGATE)
{
EnterCriticalSection(&service_section);
if (service_status.dwCurrentState != SERVICE_STOPPED)
{
SetServiceStatus(service_handle, &service_status);
}
LeaveCriticalSection(&service_section);
return NO_ERROR;
}
return ERROR_CALL_NOT_IMPLEMENTED;
}
static VOID WINAPI ServiceMain(DWORD argc, LPTSTR * argv)
{
SERVICE_STATUS status;
EnterCriticalSection(&service_section);
service_handle = RegisterServiceCtrlHandlerEx(argv[0], ServiceHandlerEx, NULL);
if (!service_handle) RaiseException(EXCEPTION_USER_LINENUMBER | __LINE__, EXCEPTION_NONCONTINUABLE, 0, NULL);
service_status.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
service_status.dwCurrentState = SERVICE_RUNNING;
service_status.dwControlsAccepted = 0;
service_status.dwWin32ExitCode = STILL_ACTIVE;
service_status.dwServiceSpecificExitCode = 0;
service_status.dwCheckPoint = 0;
service_status.dwWaitHint = 500;
SetServiceStatus(service_handle, &service_status);
LeaveCriticalSection(&service_section);
{
const wchar_t * strings[] = {L"Service started!"};
ReportEventW(eventloghandle,
EVENTLOG_INFORMATION_TYPE,
0,
2,
NULL,
_countof(strings),
0,
strings,
NULL);
}
demo();
EnterCriticalSection(&service_section);
status.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
status.dwCurrentState = service_status.dwCurrentState = SERVICE_STOPPED;
status.dwControlsAccepted = 0;
status.dwCheckPoint = 0;
status.dwWaitHint = 500;
status.dwWin32ExitCode = dwWin32ExitCode;
status.dwServiceSpecificExitCode = dwServiceSpecificExitCode;
LeaveCriticalSection(&service_section);
SetServiceStatus(service_handle, &status);
return;
}
int wmain(int argc, wchar_t * argv[])
{
const static SERVICE_TABLE_ENTRY servicetable[2] = {
{(wchar_t *)servicename, ServiceMain},
{NULL, NULL}
};
InitializeCriticalSection(&service_section);
eventloghandle = RegisterEventSource(NULL, displayname);
if (!eventloghandle) return GetLastError();
{
const wchar_t * strings[] = {L"Executable started!"};
ReportEventW(eventloghandle,
EVENTLOG_INFORMATION_TYPE,
0,
2,
NULL,
_countof(strings),
0,
strings,
NULL);
}
if (StartServiceCtrlDispatcher(servicetable)) return 0;
return GetLastError();
}
这必须与微软的示例代码相关联。然后,您可以使用
sc
命令安装服务:
sc create demosvc-createprocesswithlogonw binPath= c:\path\demosvc.exe DisplayName= "Demo service for CreateProcessWithLogonW"
user32.dll
则很可能是),则应指定一个交互式桌面在lpStartupInfo->szDesktop
中运行,以便用户可以看到它。 - Remy LebeaulpStartupInfo->lpDesktop
设置为NULL
而不是默认值WinSta0\Default
,它才能正常工作。 如果您未将lpDesktop
设置为NULL,则子进程将无法启动,并显示错误代码0xC0000142。 - Harry Johnston