First off, I'm not trying to interact with the desktop in any way.
What I'm trying to do is to separate concerns. I have a service that runs under the local system account (LSA). Sometimes, I need to execute processes under a different account.
I am using System.Diagnostics.Process for this. This is what I have tried so far:
- Running the service app as an ordinary desktop app, launching the child process under the same account: works
- Running the service app as an ordinary desktop app, launching the child process under another account: works
- Running the service as a service app (as LSA), launching the child process under the same account (LSA): works
- Running the service as a service app (as LSA), launching the child process under another account: does not work
The case that does not work for me throws a Win32Exception with "Access denied." I have granted the user account in question the right to log on as a service, but it does not make any difference.
For fun, I have also tried these scenarios:
- If I run the service under my own dev account (let's call it Developer), and try to start the child process under the less privileged account (let's call it ServiceAccount), process.Start() does not throw, and returns true, but I never see any process being started in Sysinternals Process Explorer, and Process.Exited is fired immediately.
- If I run the service under ServiceAccount, and start the child process under the same account (ServiceAccount), it works as expected.
This is the code I'm working with:

    var pi = new ProcessStartInfo {
        CreateNoWindow = true,
        WindowStyle = ProcessWindowStyle.Hidden,
        UseShellExecute = false,
        ErrorDialog = false,
        RedirectStandardError = false,
        RedirectStandardInput = false,
        RedirectStandardOutput = false,
        FileName = @"C:\Path\To\SomeApplication.exe",
        Arguments = @"Some arguments",
        UserName = "SomeUserName",
        Domain = "SomeDomain",
        Password = SecureStringUtils.Convert("SomePassword")
    };
    var process = new Process();
    process.StartInfo = pi;
    process.Start(); // Throws when run as a service

Any ideas?