How can a Windows service run a GUI application?

Question

How can a Windows service run a GUI application?

I wrote a Windows service that allows you to remotely start and stop applications. These applications are launched using CreateProcess, and this works for me, because most of them only do backend processing. Recently, I need to run applications that present a GUI for the current user in the log. How to make C ++ code so that my service can find the current active desktop and start the GUI?

+41

c ++ winapi windows-services

sep Nov 06 '08 at 7:15

source share

9 answers

The short answer is, “You don’t,” since opening a GUI program running under a different user context is a security vulnerability commonly called Shatter Attack .

Take a look at this MSDN article: Interactive Services . It provides some service options for user interaction.

In short, you have the following options:

Display the dialog box in the user session using the WTSSendMessage function.
Create a separate hidden GUI application and use the CreateProcessAsUser function to launch the application in the context of an interactive user. Create a GUI application to communicate with the service through some interprocess communication (IPC) method, such as named pipes. The service contacts the GUI application to report this when displaying the graphical user interface. The application associates the results of user interaction with the service so that the service can take appropriate action. Please note that IPC may disclose your service interfaces over the network if you do not use an appropriate access control list (ACL).
If this service runs on a multi-user system, add the application to the following key so that it runs in each session: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run. If an application uses named pipes for IPC, the server can distinguish between several user processes, providing each channel with a unique name based on the session identifier.

+16

mlarsen Nov 06 '08 at 8:05

source share

WTSEnumerateSessions and CreateProcessAsUser.

+6

Roger Lipscombe Nov 06 '08 at 7:23

source share

Several people suggested WTSEnumerateSessions and CreateProcessAsUser. I wonder why no one suggested WTSGetActiveConsoleSessionId, as you said that you want to target only one registered user.

Some people are sure that they have the right to offer CreateProcessAsUser. If you name the simple old CreateProcess as you said, then the GUI of the application will start with your service privileges, and not with user rights.

+5

Windows programmer Nov 06 '08 at 7:51

source share

These are problems. Session 0, Interactive Services, Windows Service allows desktop service on Windows 7 or Windows Vista p>

You can read this article http://www.codeproject.com/KB/vista-security/SubvertingVistaUAC.aspx

I will try to explain here how it works with Windows 7

+2

Mehmet Taskopru Apr 7 '10 at 7:44

source share

In Win2K, XP, and Win2K3, the console user enters session 0, the same session in which the services live. If the service is configured as interactive, it will be able to display the user interface on the user's desktop.

However, in Vista, no user can be logged in to session 0. Displaying the user interface from a service is a bit more complicated. You need to list active sessions using the WTSEnumerateSessions API, find a console session, and create a process as this user. Of course, for this you also need tokens or user credentials. You can read more about this process here .

+1

Franci Penov Nov 06 '08 at 7:40

source share

I think that as long as you have only one user, it will automatically be displayed on this user's desktop.

In any case, be very careful when starting the exe service.

If write access to the folder with exe is not limited, any user can replace this exe with any other program, which will then be launched with sytem rights. Take, for example, cmd.exe (available for all window systems). The next time the service tries to start exe, you will get a shell with system rights ...

0

Treb Nov 06 '08 at 7:24

source share

If you start the graphical interface from your service, it will appear on the current desktop.

But only if you have configured service permissions: you need to be allowed to interact with the desktop .

0

mkoeller Nov 06 '08 at 7:31

source share

Important services cannot interact directly with a user with Windows Vista. Therefore, the methods mentioned in the Using the Interactive Service section should not be used in the new code.

This is taken from: http://msdn.microsoft.com/en-us/library/ms683502(VS.85).aspx

0

Stéphane Feb 19 '09 at 20:50

source share

mdb · Accepted Answer · 2008-11-06 07:36

Roger Lipscomb's answer to use WTSEnumerateSessions to find the desktop you want, then CreateProcessAsUser to run the application on that desktop (you pass it the desktop descriptor as part of the structure

But most importantly, if the application suddenly appears on the user's desktop, it can happen in a very difficult time (either because the user simply does not expect this, or because you are trying to start the application when the session has not yet been initialized, in the process of shutting down or something else).

A more common approach would be to place a shortcut for a small client application for your service in a global startup group. This application will be launched along with each user session and can be used to launch other applications (if necessary) without any manipulation of user credentials, sessions and / or desktops.

In addition, this shortcut can be moved / disabled by administrators as desired, which will greatly simplify the deployment of your application, since it does not deviate from the standards used by other Windows applications ...

How can a Windows service run a GUI application?

More articles: