Running a program as a particular user while another user is working in the system requires a
number of preparatory operations. Depending on the initial conditions (the logon method, the
active terminal session, etc.), these operations may require running an additional process or even
an additional service.
Generally, the process of running a program includes the following operations:
Logging on to the system
Depending on the selected logon method, the calling process needs different privileges.
To start a process as LocalSystem, the calling process should be running under an account from
the Administrators group.
To log on to the system using a username and password, the calling process should have
enough privileges to call the LogonUser API.
To be able to run a program as a user without having the user's password, the calling process
should have enough privileges to call ZwCreateToken/NtCreateToken.
Providing access to WindowStation and Desktop
Before using the CreateProcessAsUser/CreateProcessAsUserW API to run the program, you should
allow the user to access the WindowStation and Desktop on the selected terminal session. If you
do not, the launched program will not be able to initialize and will be terminated with an
error, most likely with code 0xC0000142 ("The application failed to initialize properly"). This
error occurs when user32.dll cannot get access to the WindowStation or Desktop during
initialization. If the program does not need user32.dll to be loaded, it can start and work normally
in any terminal session even if access to the desktop is forbidden for the user who runs the
program.
RunAsUser DLL uses a complicated algorithm to give the user access to the desktop on
the required terminal session. Depending on the initial conditions, this algorithm provides for
running additional processes that perform the operations necessary for getting access to the
desktop. The current process, started with a special command line, is used as the additional
process. The RunAsUser_CommandLine() function is used for processing this command line.
Providing access to the WindowStation and Desktop consists of changing the DACL of the
necessary WindowStation and Desktop on the required terminal session, so that the necessary
user has full access to these objects.
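To review the result of such a DACL change, the following added example (not part of RunAsUser DLL or its documentation) lists the trustees that hold full access in the SDDL form of a WindowStation or Desktop security descriptor. The sample SDDL strings, the function names and the definition of full access (all object-specific rights plus STANDARD_RIGHTS_REQUIRED) are assumptions made for the example.

```python
import re

# Standard SDDL two-letter rights codes and their access-mask bits.
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000,
    "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
}
STANDARD_RIGHTS_REQUIRED = 0x000F0000
# Assumption: full access = every object-specific right plus standard rights.
FULL_ACCESS = {
    "winsta": 0x037F | STANDARD_RIGHTS_REQUIRED,   # WINSTA_ALL_ACCESS bits
    "desktop": 0x01FF | STANDARD_RIGHTS_REQUIRED,  # all nine DESKTOP_* bits
}
ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample SDDL strings (not captured from a real system).
SAMPLE_WINSTA = ("O:BAG:SYD:(A;;0xf037f;;;SY)(A;;0x20127;;;BA)"
                 "(A;CIOIIO;GA;;;S-1-5-21-1-2-3-1001)"
                 "(A;NP;0xf037f;;;S-1-5-21-1-2-3-1001)")
SAMPLE_DESKTOP = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;0x41;;;IU)"
                  "(A;;0xf01ff;;;S-1-5-21-1-2-3-1001)")


def rights_to_mask(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]  # unknown code raises KeyError
    return mask


def full_access_trustees(sddl, kind):
    """Return trustees whose allow ACEs together grant full access."""
    want = FULL_ACCESS[kind]
    granted = {}
    for body in ACE_RE.findall(sddl):
        ace_type, flags, rights, _, _, trustee = body.split(";")[:6]
        flag_codes = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        if ace_type != "A" or "IO" in flag_codes:
            continue  # skip non-allow ACEs and inherit-only ACEs
        mask = rights_to_mask(rights)
        if mask & SDDL_RIGHTS["GA"]:
            mask |= want  # GENERIC_ALL maps to every right on the object
        granted[trustee] = granted.get(trustee, 0) | mask
    return sorted(t for t, m in granted.items() if m & want == want)
```

On a live system the SDDL string can be obtained with GetUserObjectSecurity and ConvertSecurityDescriptorToStringSecurityDescriptor; a user SID listed here for a session that belongs to someone else is an entry to review.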
Setting the terminal session
Windows Terminal Services allows several users to log in to the system simultaneously. When a
user logs in to the system, the user is given his or her own terminal session, so before calling
the CreateProcessAsUser/CreateProcessAsUserW API you should ensure that the process is created
in the required session.
Loading the user profile
To load the user profile, the program uses functions from userenv.dll. These functions set
the environment variables correctly and load the HKEY_CURRENT_USER
registry key for the specified user.
Running the program
To create a process as a specified user, the program uses the CreateProcessAsUser() function.
RunAsUser DLL always uses the UNICODE version of this function - CreateProcessAsUserW -
in both the UNICODE and ANSI versions of the library, as CreateProcessAsUserA has some
problems in older versions of Windows.