How to Start a process that interacts with the server's desktop in ASP.NET 3.5 through IIS7?

There are lots of answers, try this-that, but nothing works. Access denied. We are starting an application on the server, and automating it to do certain Quick tasks. Of course I can start it... (but it cannot run hidden, it must run in a real-desktop mode).

I've tried all manner of different elevation/impersonation techniques. Yes I've selected the IIS-Interact with desktop box. In the web.config I've got the impersonation flag...

Here is relevant code with some commented out attempts:

private const int WM_CLOSE = 16;
private const int BN_CLICKED = 245;
private const int LB_GETTEXT = 0x0189;
private const int LB_GETTEXTLEN = 0x018A; 
private const int WM_SETTEXT = 0X000C;

public const int LOGON32_LOGON_INTERACTIVE = 2;
public const int LOGON32_PROVIDER_DEFAULT = 0;
public const int LOGON32_LOGON_NEW_CREDENTIALS = 9;

WindowsImpersonationContext impersonationContext; 

/// <summary>
/// Required designer variable.
/// </summary>
private System.ComponentModel.Container components = null;

[DllImport("user32.dll", CharSet = CharSet.Unicode)]
protected static extern int GetWindowTextLength(IntPtr hWnd);

[DllImport("user32.dll")]
protected static extern bool IsWindowVisible(IntPtr hWnd);

[DllImport("user32.dll", CharSet = CharSet.Unicode)]
protected static extern int GetWindowText(IntPtr hWnd, StringBuilder strText, int maxCount);

[DllImport("advapi32.dll")]
public static extern int LogonUserA(String lpszUserName,
String lpszDomain,
String lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern int DuplicateToken(IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken);

[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern bool RevertToSelf();

[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern bool CloseHandle(IntPtr handle);

[DllImport("user32.dll", SetLastError = true)]
static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint processId);

[DllImport("user32.dll")]
[return: MarshalAs(UnmanagedType.Bool)]
static extern bool ShowWindow(IntPtr hWnd, ShowWindowCommands nCmdShow);

[DllImport("user32.dll", SetLastError = true)]
private static extern IntPtr GetProcessWindowStation();

[DllImport("user32.dll", SetLastError = true)]
private static extern IntPtr GetThreadDesktop(int dwThreadId);

[DllImport("kernel32.dll", SetLastError = true)]
private static extern int GetCurrentThreadId();

public void findOurProcess(string filePath)
{
    IntPtr hwnd = IntPtr.Zero;
    IntPtr hwnd_select = IntPtr.Zero;
    IntPtr hwndChild = IntPtr.Zero;
    DateTime timer;
    TimeSpan diff;
    int processid;
    string username = "Programmer";

    clsImpersonate cls = new clsImpersonate();
    try
    {
        IntPtr token = cls.ImpersonateUser(username, Environment.MachineName, "RoboMan");
        using (WindowsImpersonationContext impersonatedUser = WindowsIdentity.Impersonate(token))
        {

            //Process process = new Process();
            //ProcessStartInfo info = new ProcessStartInfo();
            //info.FileName = fileName;
            //info.Arguments = argument;

            //process.StartInfo = info;
            //process.Start();

            //if (impersonateValidUser("Programmer", "", "Roboman"))
            //if (impersonateValidUser(username, "DESKTOP", "Roboman"))
            //{
            ProcessStartInfo psi = new ProcessStartInfo("OUR PROCESS");
            //psi.UserName = username;
            //psi.Domain = Environment.MachineName;
            //psi.Password = new System.Security.SecureString();
            //psi.Password.AppendChar('R');
            //psi.Password.AppendChar('o');
            //psi.Password.AppendChar('b');
            //psi.Password.AppendChar('o');
            //psi.Password.AppendChar('m');
            //psi.Password.AppendChar('a');
            //psi.Password.AppendChar('n');
            psi.Arguments = "-batch";
            psi.WorkingDirectory = "OUR DIRECTORY";
            psi.UseShellExecute = false;

            //myProcess.StartInfo.CreateNoWindow = true;  //Maybe?
            //myProcess.Start();

            //The following security adjustments are necessary to give the new 
            //process sufficient permission to run in the service's window station
            //and desktop. This uses classes from the AsproLock library also from 
            //Asprosys.

            //IntPtr hWinSta = GetProcessWindowStation();
            //WindowStationSecurity ws = new WindowStationSecurity(hWinSta,
            //  System.Security.AccessControl.AccessControlSections.Access);
            ////ws.AddAccessRule(new WindowStationAccessRule(username,
            //  //  WindowStationRights.AllAccess, System.Security.AccessControl.AccessControlType.Allow));
            //ws.AddAccessRule(new WindowStationAccessRule(username,
            //    WindowStationRights.CreateDesktop, System.Security.AccessControl.AccessControlType.Allow));
            //ws.AcceptChanges();

            //IntPtr hDesk = GetThreadDesktop(GetCurrentThreadId());
            //DesktopSecurity ds = new DesktopSecurity(hDesk,
            //    System.Security.AccessControl.AccessControlSections.Access);
            //ds.AddAccessRule(new DesktopAccessRule(username,
            //    DesktopRights.AllAccess, System.Security.AccessControl.AccessControlType.Allow));
            //ds.AcceptChanges();

            using (Process process = Process.Start(psi))
            {
                processid = process.Id;
            }

cls.ImpersonateUser: the above attempts to run an elevated section of code as another user. But fails. You can see I've attempted to use this version as well: ImpersonateValidUser Example. The AsProSys code would also throw an Access-denied exception right on the ws.AcceptChanges();

WebServers run as Windows Services. And Windows services are by default prohibited from accessing the Desktop as of Windows Vista.

In addition to the general Service Limitations, webservers are also customarily run with the most limited user rights possible. Read access to its program and content directory is about the best they get. They are always on, so they are highly vulnerable to hacking.

As I understand it, you are currently trying to start a Desktop application from a Webserver. And that is pretty much a no-go. If that did work, I would first wonder how quickly I can uninstall it. And then how I did not manage to limit rights in the first place to prevent this. For every admin that will ever have to run your Webpage: Stop trying to do that!

Instead just have a Helper application that is normally installed on Windows. Have it start automatically via the Task Scheduler on user login, and have it and the WebServer communicate via Pipes, the Loopback device or similar IPC ways that are acceptable for a WebServer.
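
The helper side of the arrangement described in this answer, as an added example that is not part of the original post. The pipe name, the NETWORK SERVICE app pool account and the executable path are assumptions; the ASP.NET side would connect with NamedPipeClientStream and write one line containing the task key.

```csharp
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.IO.Pipes;
using System.Security.AccessControl;
using System.Security.Principal;

// Helper that Task Scheduler starts at logon, so it runs on the user's desktop.
static class DesktopHelper
{
    const string PipeName = "desktop-helper-tasks";              // hypothetical name
    const string WebIdentity = @"NT AUTHORITY\NETWORK SERVICE";  // assumed app pool account
    // Allow-list: the web tier sends a task key, never a path or command line.
    static readonly Dictionary<string, string[]> Tasks = new Dictionary<string, string[]>
        { { "batch", new[] { @"C:\Apps\OurProcess.exe", "-batch" } } };  // placeholder path

    static string Handle(string key)
    {
        string[] task;
        if (key == null || !Tasks.TryGetValue(key, out task)) return "REJECTED";
        var psi = new ProcessStartInfo(task[0], task[1]) { UseShellExecute = false };
        using (Process p = Process.Start(psi)) return "STARTED " + p.Id;
    }

    static void Main()
    {
        // The ACL grants access only to the helper's own account and the web server account.
        var acl = new PipeSecurity();
        acl.AddAccessRule(new PipeAccessRule(WindowsIdentity.GetCurrent().User,
            PipeAccessRights.FullControl, AccessControlType.Allow));
        acl.AddAccessRule(new PipeAccessRule(WebIdentity,
            PipeAccessRights.ReadWrite, AccessControlType.Allow));
        while (true)
        {
            try
            {
                using (var pipe = new NamedPipeServerStream(PipeName, PipeDirection.InOut, 1,
                    PipeTransmissionMode.Byte, PipeOptions.None, 256, 256, acl))
                {
                    pipe.WaitForConnection();
                    string key = new StreamReader(pipe).ReadLine();
                    var writer = new StreamWriter(pipe) { AutoFlush = true };
                    writer.WriteLine(Handle(key));
                    pipe.WaitForPipeDrain();  // let the client read the reply before closing
                }
            }
            catch (IOException) { }  // client went away mid-request; keep serving
        }
    }
}
```

The web server keeps its limited rights and gains no ability to choose what runs: it can only name an entry the helper already has in its table.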
