create interactive elevated process from windows service and show to logged-on user

13
votes

I have a service that spawns a WPF application process when a user logs on.

But for some reason the WPF application gets killed about 10 minutes after it has been created? The termination is immediate with no traces found in the Event Log nor are any normal close/exit events called in the WPF application.

In fact, when the termination occurs, Windows 7 seems to hang for a second, the mouse becoming unresponsive and then acting out the mouse gestures after a short delay (when it normalizes, but now lacking the created process).

The When

public partial class Service1 : ServiceBase
{
    public Service1()
    {
        InitializeComponent();
        CanHandleSessionChangeEvent = true;
    }

    protected override void OnSessionChange(SessionChangeDescription changeDescription)
    {
        if (changeDescription.Reason == SessionChangeReason.SessionLogon
            && changeDescription.SessionId > 0)
        {
            ApplicationLoader.PROCESS_INFORMATION procInfo;
            ApplicationLoader.StartProcessAndBypassUAC(@"myapp.exe", out procInfo);                    
        }
        base.OnSessionChange(changeDescription);
    }
}

Process Creation As Per Pero Matic Code

// ...
bool result = CreateProcessAsUser(hUserTokenDup,  // client's access token
                            null,             // file to execute
                            applicationName,  // command line
                            ref sa,           // pointer to process SECURITY_ATTRIBUTES
                            ref sa,           // pointer to thread SECURITY_ATTRIBUTES
                            false,            // handles are not inheritable
                            dwCreationFlags,  // creation flags
                            IntPtr.Zero,      // pointer to new environment block 
                            null,             // name of current directory 
                            ref si,           // pointer to STARTUPINFO structure
                            out procInfo      // receives information about new process
                            );
  • the termination does not seem to happen if i target notepad.exe, however?
  • tested it with a vanilla\empty WPF application (.NET 4), and that crashed as well

Process Creation with Administrative Privileges and No Prompt

  • It seems that the issue is trying to duplicate the administrative SYSTEM token from winlogon.exe (but which is running in session 1+), because if you duplicate the specific user token instead (e.g. from explorer.exe) then the crashes are no more!
  • this is confirmed with the same vanilla/empty WPF application, and with running Marcel Roma code here - note that he uses explorer.exe instead of winlogon.exe

  • although using explorer.exe gets rid of the termination I lose the administrative privileges with that, which does not work for me

  • any ideas how to get it to work with the winlogon process token?

  • or is it possible to adjust the exlorer.exe token to make the duplicate elevated? im guessing somehow using TokenElevation and SetTokenInformation or AdjustTokenPrivileges
  • or could it be that Windows 7 has been patched to disallow such process impersonation?
  • alternatively, is there any way to get the specific user token with administrative privileges (rather than the owner being SYSTEM), but again, without password knowledge/prompts (excluding CreateProcessWithLogonW)
  • is this maybe to do with garbage collection somehow?
2
c#.netprocesswindows-servicesimpersonation
I believe this to be the definitive discussion of the topic: blogs.msdn.com/b/winsdk/archive/2009/07/14/…David Heffernan
thumbs up for a great link with great expertise! it does not answer the question im asking, however. i.e. i have already got the service to work in regard to spawning a non-elevated process, but how would you do that to run process elevated (as administrator)? or maybe i did not understand fully - is the temporary process approach relevant here? and does winlogon.exe token not provide the correct session id and desktop already? or is the winlogon desktop incorrect and that is why dwm kills my process? as the comments in the linked page mention, the elevation question is unanswered?Cel
Why do you have to spawn an elevated process in another user's space? Am surprised you even got this far. A hacker would only have to replace the binary of the executable in order to wreak havoc.user1228
with some low-level hacks this is doable BUT I would strongly recommend AGAINST doing what you describe. What exactly is your goal ? Why do you want to do this ? IF you explain these things perhaps there are other/alternative options...Yahia
im creating a specific kind of parental control application that has a omnipresent WPF graphical interface; and the user should not be able to kill this process, so im making the process critical, which requires elevation basically i need a per-user GUI that starts at log-on and that the user cannot terminate ...Cel

2 Answers

5
votes

Well I'm just suggesting you a work around: Why you don't put your core functionalities in a windows service, and then use the wpf app as a frontend ? So that if the user kill it, it doesn't stop the service. Then the service can regularly check that the wpf front end is started, and if needed restart it.

I think it'll be a more "trusted" design that the one you're trying to do, which could let the antivirus think you're a bad software and block you.

And to protect the windows service there is another question here: Protecting a Windows Service from untrusted users

2
votes

I don't think you can (and definitly should not be able) to do this. Your best bet is to create an application that doesn't need elevated privileges and then use IPC to talk back to your service which then performs administrative tasks on the users behalf.