[英]Remote controlling of windows service installed on intranet machine
我在本地IIS 7上部署了Web應用程序,並將應用程序池配置為在內置NETWORK SERVICE帳戶下工作。 從此Web應用程序中,我需要檢查Windows服務的狀態(如果已啟動,已停止等)。 我用這樣的語句來得到它:
public string GetServiceStatus(string machine, string service)
{
var service = new ServiceController(machine, service);
service.Refresh();
return service.Status;
}
該machine
是我的Intranet(運行Windows服務的主機)中的主機的IP地址(也是在內置的NETWORK SERVICE帳戶下)。
不幸的是,代碼給出了一個例外:
service.Status threw an exception of type 'System.InvalidOperationException'
Cannot open MyService service on computer '192.168.0.7'. Access is denied.
問題出在哪兒 ?
問題是網絡服務沒有足夠的權限來控制Windows服務。 我需要切換到另一個用戶上下文才能對其進行控制。 但是我不想在整個應用程序中都這樣做。 相反,我在特定身份下搜索任意一段代碼執行。
我檢查了很多用於模仿的資源,包括Malcolm Frexner顯示的資源。 因為我正在使用Windows 7(64位)以及Windows Server 2008 R2(64位),所以發現對我不起作用。 我最終得到了這樣的通用解決方案:
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
namespace Thing.Namespace
{
public enum LogOnType
{
LogOn32LogOnInteractive = 2,
LogOn32LogOnNetwork = 3,
LogOn32LogOnBatch = 4,
LogOn32LogOnService = 5,
LogOn32LogOnUnlock = 7,
LogOn32LogOnNetworkCleartext = 8,
LogOn32LogOnNewCredentials = 9
}
public enum LogOnProvider
{
LogOn32ProviderDefault = 0,
LogOn32ProviderWinnt35 = 1,
LogOn32ProviderWinnt40 = 2,
LogOn32ProviderWinnt50 = 3
}
public enum ImpersonationLevel
{
SecurityAnonymous = 0,
SecurityIdentification = 1,
SecurityImpersonation = 2,
SecurityDelegation = 3
}
public static class IdentityBoss
{
private static WindowsImpersonationContext _impersonationContext;
private static readonly object _locker = new object();
private static class NativeMethods
{
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern int LogonUser(String lpszUserName,
String lpszDomain,
String lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern int DuplicateToken(IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CloseHandle(IntPtr handle);
}
public static void Impersonate(Action action, string user, string domain, string password,
LogOnType logOnType, LogOnProvider logOnProvider,
ImpersonationLevel impersonationLevel)
{
try
{
ImpersonateValidUser(user, domain, password, logOnType, logOnProvider, impersonationLevel);
action();
}
finally
{
UndoImpersonation();
}
}
public static void ImpersonateHappily(Action action, string user, string domain, string password)
{
Impersonate(action, user, domain, password, LogOnType.LogOn32LogOnNetworkCleartext,
LogOnProvider.LogOn32ProviderDefault, ImpersonationLevel.SecurityImpersonation);
}
public static TResult Impersonate<TResult>(Func<TResult> action, string user, string domain, string password,
LogOnType logOnType, LogOnProvider logOnProvider,
ImpersonationLevel impersonationLevel)
{
try
{
ImpersonateValidUser(user, domain, password, logOnType, logOnProvider, impersonationLevel);
return action();
}
finally
{
UndoImpersonation();
}
}
public static TResult ImpersonateHappily<TResult>(Func<TResult> action, string user, string domain, string password)
{
return Impersonate(action, user, domain, password, LogOnType.LogOn32LogOnNetworkCleartext,
LogOnProvider.LogOn32ProviderDefault, ImpersonationLevel.SecurityImpersonation);
}
private static void ImpersonateValidUser(String userName, String domain, String password, LogOnType logonType, LogOnProvider logonProvider, ImpersonationLevel impersonationLevel)
{
lock (_locker)
{
var token = IntPtr.Zero;
var tokenDuplicate = IntPtr.Zero;
WindowsIdentity tempWindowsIdentity = null;
try
{
if (!NativeMethods.RevertToSelf())
throw new Win32Exception(Marshal.GetLastWin32Error());
if (NativeMethods.LogonUser(userName, domain, password, (int) logonType, (int) logonProvider,ref token) == 0)
throw new Win32Exception(Marshal.GetLastWin32Error());
if (NativeMethods.DuplicateToken(token, (int) impersonationLevel, ref tokenDuplicate) == 0)
throw new Win32Exception(Marshal.GetLastWin32Error());
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
_impersonationContext = tempWindowsIdentity.Impersonate();
}
finally
{
if (token != IntPtr.Zero)
NativeMethods.CloseHandle(token);
if (tokenDuplicate != IntPtr.Zero)
NativeMethods.CloseHandle(tokenDuplicate);
if (tempWindowsIdentity != null)
tempWindowsIdentity.Dispose();
}
}
}
private static void UndoImpersonation()
{
lock (_locker)
{
if (_impersonationContext != null)
{
_impersonationContext.Undo();
}
}
}
}
}
另外,我需要在安裝了該服務的計算機上創建新用戶。 用戶必須具有控制Windows服務的權限-為此,可以將其添加到Administrators組。
現在,我可以通過以下方式啟動/停止我的服務並獲取其當前狀態:
private const string user = "MyUser";
private const string domain = ".";
private const string password = "MyPa$$w0rd";
public string StartService(string machine, string service)
{
IdentityBoss.ImpersonateHappily(
() =>
{
Controller.Instance.StartService(machine, service);
}, user, domain, password
);
}
public string GetServiceStatus(string machine, string service)
{
return IdentityBoss.ImpersonateHappily(
() =>
{
return Controller.Instance.GetServiceStatus(machine, service);
}, user, domain, password
);
}
ImpersonateHappily
只是一個函數,其參數與我的操作系統一起使用。 來自網絡的其他類似解決方案使用dwLogonType
參數傳遞給Win 32 API函數LogonUserA
,其值為2或9,而在我的系統值8下是正確的。
順便說一句: Impersonate
是包裝函數,用於設置模擬,然后將其傳遞給lambda,以完成實際工作。 這種寫代碼風格的計算機科學術語是高階編程 。
如果可以使用模擬,請嘗試
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.