Re: How can I tell if I'm running as a service
From: Aaron Margosis [MS] (aaron.margosis.ms_at_online.microsoft.com)
Date: 08/13/04
- Next message: Aaron Margosis [MS]: "Re: Emulating runas"
- Previous message: Laksa: "TimerProc Priority"
- In reply to: Old Fart: "Re: How can I tell if I'm running as a service"
- Next in thread: Aaron Margosis [MS]: "Re: How can I tell if I'm running as a service"
- Reply: Aaron Margosis [MS]: "Re: How can I tell if I'm running as a service"
- Reply: Old Fart: "Re: How can I tell if I'm running as a service"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 12 Aug 2004 22:49:39 -0400
If the SERVICE SID is in your current token, then your process was started
as a service (presumably by the Service Control Manager). SIDs such as
NETWORK, BATCH, INTERACTIVE and SERVICE indicate the logon type of the
current token, not what logon rights your user account has.
However, the absence of this SID does not mean that you aren't running as a
service - these SIDs do not appear to be in the tokens of processes
running as System.
The code can be simplified, too, as newer APIs have come along since that
code was written. All you need to do is:
* Call AllocateAndInitializeSid to create the SID with the SERVICE RID in
  it;
* Pass the SID to CheckTokenMembership:
      CheckTokenMembership(NULL, pSID, &bHasServiceSid);
If CTM returns non-zero and bHasServiceSid is non-zero, you were started as
a service. (If you are running as System, you may still be running as a
service.)
The referenced code's comments about the absence of INTERACTIVE and SERVICE
indicating that you are running as System are not accurate. I would instead
check for logon ID = 999.
-- Aaron
"Old Fart" <oldfart@newsgroups.nospam> wrote in message
news:OEcgDj7fEHA.3700@TK2MSFTNGP12.phx.gbl...
> I'm not entirely comfortable with this approach. In particular, my reading
> of the meaning of SECURITY_SERVICE_RID is that the account is authorized to
> run services, not necessarily that the process is running as a service.
> Also, the code is so ugly that I'd feel compelled to completely rewrite it.
>
> One approach that occurred to me would be to check to see if the parent
> process was services.exe. My main discomfort here is relying on the
> particular name "services.exe". Any suggestions on a better way to
> determine if a particular process is the service manager?
>
> Then, I also noticed that I could trace the lineage of service processes all
> the way back to process 0. On the other hand, I could not do that for my
> user mode processes. So, another possibility would be to try to trace back
> to process 0. If I could not get to process 0, then I'm not a service. If
> I can, then I might be a service and I'll call StartServiceCtrlDispatcher
> and see whether or not it fails.
>
> Any comments on the relative merits of these three approaches (including the
> process token approach)? Any better ideas?
>
> "William DePalo [MVP VC++]" <willd.no.spam@mvps.org> wrote in message
> news:e%23tVRh0fEHA.3988@tk2msftngp13.phx.gbl...
>> "Old Fart" <oldfart@newsgroups.nospam> wrote in message
>> news:ulg1rOzfEHA.396@TK2MSFTNGP12.phx.gbl...
>> > Can someone suggest a fast way to tell whether or not my application is
>> > being started as a service? (Please do not suggest using command line
>> > parameters.)
>>
>> You may want to take a look at the heuristic demonstrated here:
>>
>> http://win32.mvps.org/security/is_svc.html
>>
>> Regards,
>> Will
>>
>>
>
>
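
The two checks described in the message above (SERVICE SID membership via CheckTokenMembership, and logon ID 999 for System), as an added example that is not part of the original post or of the referenced is_svc code. The names svc_state, classify, has_service_sid and logon_is_999 are hypothetical.

```c
/* Added example. The Win32 part builds only on Windows; link with advapi32. */
#include <stdio.h>

typedef enum { NOT_SERVICE, STARTED_AS_SERVICE, SYSTEM_MAYBE_SERVICE,
               CHECK_FAILED } svc_state;

/* Decision step (hypothetical helper). The SERVICE SID proves a service
   start; its absence proves nothing when the token is a System token. */
svc_state classify(int ctm_ok, int has_service_sid, int logon_is_999)
{
    if (!ctm_ok) return CHECK_FAILED;
    if (has_service_sid) return STARTED_AS_SERVICE;
    return logon_is_999 ? SYSTEM_MAYBE_SERVICE : NOT_SERVICE;
}

#ifdef _WIN32
#include <windows.h>

/* Build the SERVICE SID (S-1-5-6) and test the current token against it.
   Returns the success of CheckTokenMembership; the answer goes to *member. */
static BOOL has_service_sid(BOOL *member)
{
    SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
    PSID sid = NULL;
    BOOL ok;
    if (!AllocateAndInitializeSid(&nt, 1, SECURITY_SERVICE_RID,
                                  0, 0, 0, 0, 0, 0, 0, &sid))
        return FALSE;
    ok = CheckTokenMembership(NULL, sid, member);
    FreeSid(sid);
    return ok;
}

/* Logon ID 999 (0x3e7) is the System logon session. A failed query is
   reported as "not System". */
static BOOL logon_is_999(void)
{
    HANDLE tok;
    TOKEN_STATISTICS ts;
    DWORD len;
    BOOL is = FALSE;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok))
        return FALSE;
    if (GetTokenInformation(tok, TokenStatistics, &ts, sizeof ts, &len))
        is = ts.AuthenticationId.HighPart == 0 &&
             ts.AuthenticationId.LowPart == 999;
    CloseHandle(tok);
    return is;
}

int main(void)
{
    BOOL member = FALSE;
    BOOL ok = has_service_sid(&member);
    printf("state=%d\n", classify(ok, member, logon_is_999()));
    return 0;
}
#endif
```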