如何获取CreateProcessAsUser的有效用户令牌?
[英]How do I get a valid user token for CreateProcessAsUser?
问题描述
I have an application that is running as normal user, and a service running as local system. 
我有一个以普通用户身份运行的应用程序,以及作为本地系统运行的服务。 I want the application to be able to tell the service to start the application again, once the service has done some other stuff. 我希望应用程序能够告诉服务再次启动应用程序,一旦服务完成了其他一些事情。 (So the application will not be running while the service is doing it's "thing".) In order for the service to be able to start the application as the user that first started it, it needs a user token. (因此,当服务正在执行“事物”时,应用程序将不会运行。)为了使服务能够以首次启动它的用户启动应用程序,它需要一个用户令牌。 The application sends the token to the service before it quits, but the token/handle is invalid when the service is trying to use it. 应用程序在退出之前将令牌发送到服务,但是当服务尝试使用它时,令牌/句柄无效。 (First thing it does with it is DuplicateTokenEx to get a primary token.) (它首先使用DuplicateTokenEx来获取主令牌。)
Is a user token always only valid in the process that called OpenProcessToken? 用户令牌是否始终仅在调用OpenProcessToken的进程中有效?
Is there some other way this could be done? 还有其他方法可以做到吗? I don't want the user having to "log on" to the application with logonuser. 我不希望用户必须使用logonuser“登录”应用程序。 That would just be silly. 那只是愚蠢的。 I guess I could hand over a process handle for "explorer.exe" from the app to the service, which the service could use to get a user token, but that would require PROCESS DUP HANDLE access right. 我想我可以将“explorer.exe”的进程句柄从应用程序移交给服务,该服务可以用来获取用户令牌,但这需要PROCESS DUP HANDLE访问权限。 I'm not thrilled about that solution, but maybe it's the way to do it? 我对这个解决方案并不感到兴奋,但也许是这样做的方法呢?
1 个解决方案
解决方案1
3 2009-04-07 13:32:46
You have multiple issues here so I'll try to address them separately and you can correct me if I have misunderstood: 你在这里有多个问题,所以我会尝试单独解决它们,如果我误解你可以纠正我:
You appear to have a service and a user application that cannot execute certain functionality at the same time.
您似乎拥有一个服务和一个无法同时执行某些功能的用户应用程序。 In order to achieve this you have the service stop the application, execute the special functionality, then restart the application. 为了实现这一点,您可以让服务停止应用程序,执行特殊功能,然后重新启动应用程序。 If this is correct then, in my opinion, you have a design flaw. 如果这是正确的,那么在我看来,你有一个设计缺陷。 Rather than stopping, then restarting the application you should be coordinating access to the shared resource through mutual exclusion using a named mutex and/or using an IPC method such as named pipes to communicate intentions. 而不是停止,然后重新启动应用程序,您应该使用命名的互斥锁和/或使用IPC方法(如命名管道)来协调对共享资源的访问,以传达意图。 Is a user token always only valid in the process that called OpenProcessToken?
用户令牌是否始终仅在调用OpenProcessToken的进程中有效? Yes, the token handle you received is an index into the handle table of the process, it is not directly transferable. 是的,您收到的令牌句柄是进程句柄表的索引,它不能直接转移。 You would need to use DuplicateHandle which may be what you want but could be messy. 您需要使用DuplicateHandle,这可能是您想要的,但可能会很混乱。 You wish to find the best way to get the user's token to launch the application into the user's (interactive?) session.
您希望找到获取用户令牌以将应用程序启动到用户(交互式?)会话的最佳方法。 If this is the case, the best way is to retrieve the user's session token and use that. 如果是这种情况,最好的方法是检索用户的会话令牌并使用它。 You can check out this article and the sample code, it's in C# but should be relatively easy to transfer to your language of choice. 您可以查看本文和示例代码,它位于C#中,但应该相对容易转换为您选择的语言。
EDIT: Updated to include Windows 2000. Since you are running the service under the SYSTEM account it can open a handle to the process itself (if necessary the process can send its process ID). 编辑:更新以包括Windows 2000.由于您在SYSTEM帐户下运行服务,它可以打开进程本身的句柄(如果有必要,进程可以发送其进程ID)。 It can then open the token attached to that process, duplicate it and use the resultant token to launch (or re-launch) the target application. 然后,它可以打开附加到该进程的令牌,复制它并使用生成的令牌启动(或重新启动)目标应用程序。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.