Re: Desktop Creation



Ok, I should understand that I have to create another process running in
session 1 and communicate over IPC with the SYSTEM service. But if my
other process runs in session 1 and is attached to the interactive desktop
(the desktop of WinSta0), then this process can be attacked by 'virus' programs
as my service. I don't understand why this solution is more secure, because a
'virus' message can hack my process and send a 'bad' message to my service. I
know very well the internal security of NT, as I know the internal security
of VMS (remember that David N. Cutler, one of the core engineers of the NT
kernel, worked before for Digital). I think that the Vista evolution has not
created the API evolution. Moreover, the real problem in this security problem
is that all messages in NT do not contain the source, aka the mouse click of a
user is the same message as the PostMessage(...) API from another process. But
the mouse click comes from the kernel and the PostMessage() API comes from API.
To have real security, the message should contain the source of the message
(kernel or user process).

Thanks very much, but I will find a solution to work around this problem.

"Chuck Chopp" wrote:

I think that you're missing the point.

Microsoft separated the interactive sessions [Session ID > 0] from the native
NT service session [Session ID 0] for purposes of tightening up security.
In the Word document that Microsoft published about this, titled "Impact of
Session 0 Isolation on Services & Drivers in Windows Vista", they made it
extremely clear what you can and cannot do w/respect to a service opening a
window on the desktop of an interactive windowstation.

http://www.microsoft.com/whdc/system/vista/services.mspx

http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Session0_Vista.doc

What you're trying to do is exactly what Microsoft is making changes to
prevent from happening.

The recommended way of having a service interact with an interactive user
session is to have a client application running in the context of the user,
where the client application communicates with the service via some sort of
IPC mechanism, such as a named pipe, a TCP socket, an RPC call, etc....



BT wrote:
The Vista documentation says that all processes running in SYSTEM context (and
in session 0) cannot attach to any station in another session. Why? Because
another program could inject code through the message system. If a SYSTEM
process must send a notification, the only API is WTSSendMessage(). If SYSTEM
must interact with the user, it has to do so with another process running in a
least-privileged security context and in the interactive session, and
communicate, for instance, with a pipe correctly ACLed.
But what I try to do is very different. My SYSTEM process must simply create
a new process with a different security context and on another desktop than
'Default' in the interactive session 1. For that, my SYSTEM process uses the
API CreateProcessAsUser with the token handle of the security principal and
should specify the new desktop ('Winsta0\MyDesktop').

To do that, my SYSTEM service should only create the desktop and not attach
to it. I do not see any security risk in simply creating an 'object' and
attaching it to another process. The only risk in the process creation is to
take care to specify FALSE for the 'bInheritHandles' parameter of the
CreateProcessAsUser API.

What to do that? Because the process that is created by the SYSTEM process
must run on another desktop than 'Default' for the same reasons that all
SYSTEM processes run on a different station than 'interactive' processes.

Thanks for your quick response. Perhaps the response is in the new API
of the winsta.dll of Vista, but still undocumented.

Best regards.
Bernard Tollet.

"David J. Craig" wrote:


I would suggest you look at the documents released on Vista. What you want
to do is prohibited, unadvisable, and dangerous. The OS finally stops it.

"BT" <BT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:850C84E0-B978-48AE-8B3F-07A9A82937F7@xxxxxxxxxxxxxxxx

Ok, the problem happens only on Vista (tested on XP, XP SP1, XP SP2 and
Windows Server 2003).
My version of Vista is Vista Ultimate English.

I use Visual Studio 2005 Pro in C#.

The problem is the following. I have a service started by SCM (services.exe)
which has to launch a GUI application with a different security context and
attached to a new desktop of the interactive window station (WinSta0). First,
I log on the user with the LsaLogonUser() API, and after that I have to create
the new desktop. As my service runs without an interactive desktop, I open
WinSta0 (OpenWindowStation), 'impersonate' my service using
SetWindowStationProcess() and use CreateDesktop() to create a desktop. The
impersonation must be done because CreateDesktop has no parameter for the
window station:

HDESK CreateDesktop(
    LPCTSTR lpszDesktop,
    LPCTSTR lpszDevice,
    LPDEVMODE pDevmode,
    DWORD dwFlags,
    ACCESS_MASK dwDesiredAccess,
    LPSECURITY_ATTRIBUTES lpsa
);

Win32k.sys internally uses the window station attached to the current process.
After having created the desktop, I launch the GUI process with
CreateProcessAsUser and specify the newly created desktop. That works very
fine on old NT kernels (XP, 2003, ...). But with Vista, the service runs in
another session (Session ID 0). The session does not depend on the process but
on the security context (aka the token attached to the process). As no API
exists to create a desktop in a specific session, I tried to change the session
ID of the service process token (SYSTEM) after having duplicated it. But this
means failed (using SetTokenInformation with the TokenSessionId parameter). I
also tried to impersonate a logged-on user but without good results. My
question is simple: how can a process which runs in Session N create a desktop
in another session M? A workaround is, from the service (Session N), to create
a process with a security context associated with session M and delegate the
desktop creation to this new process. But it is strange that no API exists to
create a desktop in another session.

Do not hesitate to ask me for more information.
Thanks very much for your response.

Best regards.

"David J. Craig" wrote:


Restate your problem. Include minor details such as compiler used, SDK
version, OS (including 32 or 64 bit), and how the process is created.

"BT" <BT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:71ACD29C-0EB1-43A2-8193-2DD42890DF74@xxxxxxxxxxxxxxxx

Thanks for your response, but it only works when a process A starts another
process B on another desktop but in the same session. If the session is
different, it is impossible to create a desktop in the WinSta0 of the other
session. OpenWindowStation() does not work to open a station in another
session, even if an object manager namespace name like '<depend on
system>\Session 1\WinSta0' is used.

Sorry, but this response does not answer my question.
Thanks very much for your response.

"Kellie Fitton" wrote:


On Sep 13, 9:58 am, BT <B...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

From a process running in SYSTEM security context and Session 0, how can I
create a desktop in another session? It seems that APIs like
OpenWindowStation() and CreateDesktop() always apply to the process's session,
even if a duplicated security token with another session number is used as
impersonation. For instance, I use a security token with session 1 but
desktop creation continues to apply to session 0. Creating a new desktop and
ACLing it from session 0 for another session is not a potential security risk.

If this question is off topic here, could you tell me where I can post
this question?

Thanks.


Hi,

The following weblink should give you some pointers:

http://msdn2.microsoft.com/en-us/library/Aa379608.aspx

Kellie.
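
The arrangement recommended in this thread (a client in the user's session talking to the SYSTEM service over "a pipe correctly ACLed") can be sketched as below; this is an added example, not code posted by any participant. It assumes .NET Framework 3.5 or later, and the pipe name, the command list and the way the caller obtains the logged-on user's SID are hypothetical. The service side restricts who may open the pipe and treats whatever arrives as untrusted input, which is the defence against the 'bad message' concern raised in the top post.

```csharp
// Added example (not from the thread). Service side of the IPC channel.
using System;
using System.IO.Pipes;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;

static class ServicePipe
{
    const string PipeName = "MyServiceControl";                  // hypothetical name
    static readonly string[] Allowed = { "STATUS", "REFRESH" };  // hypothetical commands

    // DACL: SYSTEM gets full control, the one interactive user may read and write,
    // every other account is denied implicitly because no ACE grants it access.
    static PipeSecurity BuildAcl(SecurityIdentifier userSid)
    {
        var acl = new PipeSecurity();
        acl.AddAccessRule(new PipeAccessRule(
            new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null),
            PipeAccessRights.FullControl, AccessControlType.Allow));
        acl.AddAccessRule(new PipeAccessRule(
            userSid, PipeAccessRights.ReadWrite, AccessControlType.Allow));
        return acl;
    }

    // The client runs on the interactive desktop and may be compromised, so the
    // request is matched exactly against a fixed list and never interpreted.
    static bool IsAllowed(string request)
    {
        return request != null && Array.IndexOf(Allowed, request) >= 0;
    }

    // userSid: SID of the logged-on user (assumed to be supplied by the caller).
    public static void ServeOne(SecurityIdentifier userSid)
    {
        using (var pipe = new NamedPipeServerStream(PipeName, PipeDirection.InOut, 1,
                   PipeTransmissionMode.Message, PipeOptions.None, 0, 0, BuildAcl(userSid)))
        {
            pipe.WaitForConnection();

            // Bounded read: a message that does not fit in 64 bytes is rejected.
            var buf = new byte[64];
            int n = pipe.Read(buf, 0, buf.Length);
            string request = pipe.IsMessageComplete
                ? Encoding.ASCII.GetString(buf, 0, n) : null;

            byte[] reply = Encoding.ASCII.GetBytes(IsAllowed(request) ? "OK" : "REJECTED");
            pipe.Write(reply, 0, reply.Length);
        }
    }
}
```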








