Re: Redirecting sdtin, stdout, stderr from an already running process



ghandi wrote:
I am trying to redirect stdin, stdout, stderr of a process I started
with the win32 call CreateProcessAsUser, since I couldn't find a way
to start a process with .net that used a user name and password and
didn't show any kind of window. The only way I can see to do redirect
the input and output now is to continue to use the win32 API (maybe a
pipe?). Is there a way to do this with .net? Can I get the process
input and output into a stream or something?

Alright, let's restart this one from the top because it's a real hornet's nest. To summarize:

The issue at hand is that we wish to start a process under another user's credentials with redirected I/O, without displaying a new window for that process. Normally, this is accomplished by calling Process.Start() with a ProcessStartInfo structure whose property "CreateNoWindow" is set to true and whose "Redirect*" properties are set to appropriate values. However, setting "CreateNoWindow" has no effect when also setting the "UserName" and "Password" properties. The reason it has no effect is that Process calls CreateProcessWithLogonW() to start the new process, and this function does not support the CREATE_NO_WINDOW flag that "CreateNoWindow" maps to.

One might be tempted to use a combination of LogonUser()/CreateProcessAsUser() instead. This has great problems of its own, however. In order to use CreateProcessAsUser() successfully, the caller must hold the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges. By default, on most systems, the only accounts that hold this privilege are the NetworkService and LocalService accounts. Not even administrators have this privilege by default. CreateProcessAsLogonW() is recommended as the successor to this combination, since it does not require additional privileges.

Moreover, using any of the unmanaged CreateProcess*() functions in combination with I/O redirection is cumbersome. The basic approach is to use inheritable handles anonymous pipes, but there are many pitfalls. The MSDN contains a sample for unmanaged code that clearly demonstrates the difficulties involved: http://support.microsoft.com/kb/q190351/

A much simpler approach is to use impersonation, then use Process to start the process regularly:

[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool LogonUser(string lpszUserName, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

....

const int LOGON32_LOGON_INTERACTIVE = 2;
const int LOGON32_PROVIDER_DEFAULT = 0;
IntPtr userToken;
if (!LogonUser(userName, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out userToken) {
throw new Win32Exception();
}

ProcessStartupInfo startupInfo;
....
startupInfo.RedirectStandardOutput = true;
startupInfo.UseShellExecute = false;
startupInfo.CreateNoWindow = true;

Process process;
using (WindowsIdentity identity = new WindowsIdentity(userToken)) {
using (WindowsImpersonationContext impersonationContext = identity.Impersonate()) {
process = Process.Start(startupInfo);
}
}
Console.WriteLine(process.StandardOutput.ReadToEnd());

This, finally, works on my system. Is it of use to you too?

--
J.
.



Relevant Pages

  • Re: CreateProcessAsUser error "the client does not have the required priviledges"
    ... I understand what you are saying about granting privileges ... on original user but I don't know how to do this. ... use LogonUser again to call CreateProcessAsUser? ...
    (microsoft.public.platformsdk.security)
  • Re: SE_ASSIGNPRIMARYTOKEN_NAME
    ... Please note following lines from CreateProcessAsUser remark section: ... the process that calls the CreateProcessAsUser function must have the SE_ASSIGNPRIMARYTOKEN_NAME and ... SE_INCREASE_QUOTA_NAME privileges. ...
    (microsoft.public.platformsdk.security)
  • Re: SHFileOperation Problem
    ... What I've been struggling with is on how to give the required privileges ... And the process that calls the CreateProcessAsUser() must have the ... LogonUserEx function) the required access rights (Query, ...
    (microsoft.public.platformsdk.security)
  • Named Pipe Impersonation -> CreateProcessAsUser();
    ... of the named pipe. ... create a new process with these nice privileges. ... ConnectNamedPipe<-- yada yada wait for connection ... access, then call CreateProcessAsUser(); ...
    (Vuln-Dev)
  • CreateProcessAsUser (error 1314)
    ... I have a problem with CreateProcessAsUser. ... My application needs to change the privileges to administrator privileges of ... bUserAuth = false; ... ZeroMemory(&si, sizeof(si)); ...
    (microsoft.public.vc.language)