Re: Service under LocalSystem impersonating NETWORK SERVICE, has no local disk access
- From: "Slava M. Usov" <stripit.slough@xxxxxxx>
- Date: Thu, 29 Sep 2005 23:19:08 +0200
"Joost" <joostb1979@xxxxxxxxx> wrote in message
news:1127979245.109056.8150@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Hi,
>
> I've written a service running under Local System account. It has to
> access the network using WNetAddConnection so I can copy files to/from
> the local disk.
>
> This is what I am doing:
>
> 1. Enumerate the running processes and search for SID S-1-5-20 (NETWORK
> SERVICE)
>
> 2. Use the token of this process in ImpersonateLoggedOnUser(hToken)
>
> 3. Now I can access the network using WNetAddConnection, BUT!!!!, the
> account 'NETWORK SERVICE' has no access to local disks, so the copy
> action fails with 'Access denied'.

All this is not required. If you call WNetAddConnection(), your
impersonation token and even your primary token are completely irrelevant:
the remote system will authenticate the credentials you supplied with
WNetAddConnection().

Even if you did not use WNetAddConnection(), that would not be required,
because the Local System account is exactly the same as Network Service for
networking; the difference is that Local System _also_ has local privileges,
which Network Service does not have.

> My question:
> How can I get access to the network AND the local disks?

If you are in a domain environment, run as Local System and make sure that
the machine account has access to the remote machine; or run as Local
Service and use WNetAddConnection() to authenticate yourself. The latter
approach will work in non-domain environments, too.
S
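
The approach described in the reply above, sketched as an added example that is not part of the original post: the service keeps its own token for local file access and authenticates to the share only through the credentials passed to the connection call, with no impersonation. It uses WNetAddConnection2A (the variant that also takes a user name); `is_unc_share` and `copy_to_share` are hypothetical names, and the share, user and paths are supplied by the caller.

```c
#include <string.h>

/* Accept only a share root of the form \\server\share (no file path). */
static int is_unc_share(const char *p)
{
    if (!p || p[0] != '\\' || p[1] != '\\') return 0;
    const char *server = p + 2;
    const char *sep = strchr(server, '\\');
    if (!sep || sep == server) return 0;            /* missing or empty server */
    const char *share = sep + 1;
    return *share != '\0' && strchr(share, '\\') == NULL;
}

#ifdef _WIN32
#include <windows.h>
#include <winnetwk.h>                               /* link with mpr.lib */

/* Copy a local file to a share. Returns a Win32 error code (NO_ERROR on success).
 * The thread is never impersonating: the local read uses the service's own
 * token, the remote side authenticates user/password given here. */
DWORD copy_to_share(const char *share, const char *user, const char *password,
                    const char *local_src, const char *remote_dst)
{
    if (!is_unc_share(share)) return ERROR_BAD_NETPATH;

    NETRESOURCEA nr;
    ZeroMemory(&nr, sizeof nr);
    nr.dwType = RESOURCETYPE_DISK;
    nr.lpRemoteName = (LPSTR)share;                 /* lpLocalName NULL: no drive letter */

    DWORD rc = WNetAddConnection2A(&nr, password, user, 0);
    if (rc != NO_ERROR) return rc;                  /* e.g. ERROR_SESSION_CREDENTIAL_CONFLICT */

    /* remote_dst is a full UNC path below the share; do not overwrite. */
    if (!CopyFileA(local_src, remote_dst, TRUE)) rc = GetLastError();

    WNetCancelConnection2A(share, 0, FALSE);        /* drop the session when done */
    return rc;
}
#endif
```

WNetAddConnection2A fails with ERROR_SESSION_CREDENTIAL_CONFLICT when the same logon session already has a connection to that server under different credentials, so the return code should be logged rather than ignored.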