
Have found lots of answers here, but rarely have to ask a question myself. Hopefully I'm in the right place.

I am trying to launch a spawned process from within C# using the code here Start a .Net Process as a Different User. Basically have a "launcher" process virtually identical to the code in the link except I wrapped it in a try/catch that starts a spawned process as a different user. It seems to work ok when I run from the command line, switches the user id, etc..., which I have verified by having the spawned process report its credentials to stdout.

The problem is I want to run the launcher itself from a process that runs as NT Authority\SYSTEM (commercial product that allows running external process, so the credentials/permissions are downgraded and I can make SSH connections to another system as a specific user) and when I do that, it is getting an Access Denied exception when the proc.start() call is made. I have checked the permissions and even tried opening them up completely wide open, but still the same result. I've put a sleep() in the launcher program and had my service launch it so I could attach the debugger and it is definitely an access denied exception trying to run the start method to spawn the child. Found this one Access Denied when executing Process.Start from Windows Service which seems similar, but it's not answered after so many years and I can't comment...not enough rep yet...;)

Is there something special about parent processes running as NT Authority\SYSTEM that the method documented in the link misses? Any thoughts/pointers would be much appreciated.

RichB
  • `Process` uses `CreateProcessWithLogonW` under the hood. Per [the docs](https://msdn.microsoft.com/library/windows/desktop/ms682431): "You cannot call `CreateProcessWithLogonW` from a process that is running under the "LocalSystem" account, because the function uses the logon SID in the caller token, and the token for the "LocalSystem" account does not contain this SID. As an alternative, use the `CreateProcessAsUser` and `LogonUser` functions." I have no ready-to-go samples for that, though. – Jeroen Mostert Mar 29 '18 at 22:31
  • There is, incidentally, no good excuse for a third-party application running as local system -- it makes it impossible to properly assign permissions and makes troubleshooting (and mitigating!) security problems much harder. It should run under a local account specific to that application (if it's a service, you can use a virtual service account so you don't have to manage the password), which can be added to the local administrator group (if absolutely required). Do that and as a bonus `Process.Start` will start working again too. – Jeroen Mostert Mar 29 '18 at 22:38
  • Thanks Jeroen, I knew there had to be something deeper happening. BTW, I agree 100% with your second comment, unfortunately not in a position to force my opinion on that point. – RichB Mar 29 '18 at 23:39

1 Answer


As per Jeroen's comment on the original question, this cannot be done from a service running as NT Authority\SYSTEM using the Process class. Use CreateProcessAsUser (link to docs in the comment) or re-arrange your environment to avoid the problem with Process.

RichB