Re: Getting logged in user from a service?



"Larry Smith" <no_spam@xxxxxxxxxxx> wrote in message news:OSBya85pHHA.4188@xxxxxxxxxxxxxxxxxxxxxxx
news:e3dxMO5pHHA.4532@xxxxxxxxxxxxxxxxxxxxxxx
CLR and the .NET Framework is all about. If you are coding directly against the OS services (that is, by directly calling WIN32 APIs) you have to consider a lot of things at "development" time, things like - is the API available on the *target* machine? - What are the security constraints, what privileges are required to call these APIs when running as say "Local Service"? Can the API access a remote server instance? Most of these things are taken care of by the framework and its underlying services, whatever these are, and in this particular case the underlying service is native WMI on top of Win32.

I don't see how using .NET Framework exempts you from worrying about security constraints, privileges, etc. It might automatically enable a held privilege in your token, that's about it.



No, the System.Management classes (and this is what we are talking about here) and WMI make it possible to call OS services without YOU having the need to run with these elevated privileges.

Can you cite an example, since this appears to defy standard Windows security (if I understand you correctly)?



Not at all. WMI is client/server based, using DCOM: you call a service and the service executes the service call. When WMI needs to "enable" a privilege (note that I said 'enable'), it's up to the caller to ask the service to enable the required privilege (whatever this one may be); the user doesn't need to know the "privilege" required, WMI knows which one, as it's stored in its metabase.
In the exceptional case (there are only a few) that a call requires a privilege that is not held by the WMI account (say "Network Service"), then it's up to the caller to run as a more privileged user (or get a stronger logon token) and ask WMI to impersonate when executing the service call.


Willy.
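
An added example, not part of the original thread or anyone's posted code: a minimal C# sketch of the caller-side settings discussed above, using `System.Management` to ask WMI to enable held privileges and to impersonate the caller. The choice of `Win32_ComputerSystem.UserName` as the query (taken from the thread subject) and the class name `WmiLoggedOnUser` are assumptions made for illustration.

```csharp
using System;
using System.Management;   // add a reference to System.Management

static class WmiLoggedOnUser
{
    static void Main()
    {
        var options = new ConnectionOptions
        {
            // Ask WMI to enable, for this connection's calls, the privileges the
            // caller's token already holds. It cannot add a privilege that is
            // missing from the token.
            EnablePrivileges = true,
            // Allow the WMI service to act under the caller's identity.
            Impersonation = ImpersonationLevel.Impersonate
        };

        // Local root\cimv2 namespace (no explicit credentials for local connections).
        var scope = new ManagementScope(@"\\.\root\cimv2", options);
        var query = new ObjectQuery("SELECT UserName FROM Win32_ComputerSystem");

        try
        {
            scope.Connect();
            using (var searcher = new ManagementObjectSearcher(scope, query))
            using (var results = searcher.Get())
            {
                foreach (ManagementObject mo in results)
                {
                    // UserName reports the console user and may be null.
                    Console.WriteLine(mo["UserName"] ?? "(no console user)");
                }
            }
        }
        catch (ManagementException e) when (e.ErrorCode == ManagementStatus.PrivilegeNotHeld)
        {
            // The call needs a privilege the caller's token does not hold:
            // run under an account that has been granted it.
            Console.Error.WriteLine("Required privilege not held: " + e.Message);
        }
        catch (ManagementException e) when (e.ErrorCode == ManagementStatus.AccessDenied)
        {
            // The caller is not permitted on this namespace or object.
            Console.Error.WriteLine("WMI access denied: " + e.Message);
        }
        catch (UnauthorizedAccessException e)
        {
            // DCOM-level refusal before WMI evaluated the request.
            Console.Error.WriteLine("Connection refused: " + e.Message);
        }
    }
}
```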
