
My service starts an interactive client process with something very similar to this: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379608(v=vs.85).aspx

It works when the service logs on as Local System, and it works if it's running under an Administrator account with the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges.

My issue is when using a Standard User account OR Local Service, it fails at OpenWindowStation with error code 5 (ACCESS DENIED).

```cpp
#include <windows.h>
#include <tchar.h>

HWINSTA hwinsta;

// Get a handle to the interactive window station.
hwinsta = OpenWindowStation(_T("winsta0"),               // the interactive window station
                            FALSE,                       // handle is not inheritable
                            READ_CONTROL | WRITE_DAC);   // rights to read/write the DACL
```

Is it possible to call OpenWindowStation from a Standard User account, or must my service run under an Administrator account? I tried almost all Local Policies without success.

Thanks!

You will need administrator permissions to open someone else's window station with WRITE_DAC access. - Harry Johnston

I tried without WRITE_DAC access, same error. - JPelletier

Well, yes - you will need administrator privileges to gain any access to someone else's window station. I figured that was academic, since you need to change the permissions. And I'm fairly sure you need admin permissions to launch the new process anyway. (If you're running as the same user who is logged on interactively, there might be a way around that, but I'm not sure.) - Harry Johnston

Yeah, it seems that my service must run in an Administrator account; I hoped to find a way to give the specific privilege to my user account. - JPelletier

Not really possible, I'm afraid. If security is a concern, you might want to consider a separation of privileges approach, i.e., one service running as local system whose only job is to launch the interactive client processes, one service running with limited permissions that does everything else. - Harry Johnston

1 Answer


Unfortunately it can't be done, it seems that only an Administrator can open the interactive station.
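As an added diagnostic (not from the question or the answer), the script below checks the two prerequisites discussed above from whatever account it runs under: whether the token holds SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege, and whether winsta0 can be opened with READ_CONTROL alone and with READ_CONTROL|WRITE_DAC, reporting the Win32 error code on failure. OpenWindowStation resolves "winsta0" in the caller's own session, so to reproduce the service's situation the script has to run in the service's session (session 0), not from an interactive logon where the user owns the window station.

```powershell
# Added diagnostic, not code from the original post. P/Invoke the two user32 calls
# the question relies on so the result can be read as a Win32 error code.
$WinSta = Add-Type -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenWindowStation(string lpszWinSta, bool fInherit, uint dwDesiredAccess);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool CloseWindowStation(IntPtr hWinSta);
'@ -Name 'WinSta' -Namespace 'Diag' -PassThru

$READ_CONTROL = 0x00020000   # standard access right: read the security descriptor
$WRITE_DAC    = 0x00040000   # standard access right: modify the DACL

function Test-WinStaAccess([uint32]$Access, [string]$Label) {
    $h = $WinSta::OpenWindowStation('winsta0', $false, $Access)
    if ($h -eq [IntPtr]::Zero) {
        # 5 is ERROR_ACCESS_DENIED, the code reported in the question
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        "{0,-32} FAILED, Win32 error {1}" -f $Label, $err
    } else {
        [void]$WinSta::CloseWindowStation($h)
        "{0,-32} OK" -f $Label
    }
}

# The privileges the question names. whoami lists every privilege present in the
# token (enabled or disabled); a privilege the account was never granted is absent.
$needed = 'SeAssignPrimaryTokenPrivilege', 'SeIncreaseQuotaPrivilege'
$held   = (whoami /priv /fo csv | ConvertFrom-Csv).'Privilege Name'
foreach ($p in $needed) {
    "{0,-32} {1}" -f $p, $(if ($held -contains $p) { 'held' } else { 'NOT held' })
}

Test-WinStaAccess $READ_CONTROL                    'winsta0 READ_CONTROL'
Test-WinStaAccess ($READ_CONTROL -bor $WRITE_DAC)  'winsta0 READ_CONTROL|WRITE_DAC'
```

If both privilege lines read "held" but the winsta0 lines still fail with error 5, the blocker is the window station DACL rather than the account's privileges, which matches the comments above.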