Why must you use CreateProcess() at all?
You can access network resources directly from within the Service.
I hope you will read the following article patiently:
"Why Do Certain Win32 Technologies Misbehave in Windows NT Services?" (extracted from MSDN). Pay special attention to the following part:
The System account is a special account known only locally to your machine. This means that this account cannot be used to access network resources relying on NT LAN Manager (NTLM) authentication. These resources include file shares, named pipes, the registry, and access to a remote computer's eventlog or Service Control Manager. Why isn't this possible?
NTLM authentication is based on encrypted credentials containing a username and password. If the operating system encounters a user without any credentials, the user is regarded as having NULL credentials. When the system attempts to access a secured network resource based on NULL credentials, this is referred to as a NULL session. Access is only allowed if the remote machine allows NULL session access. This is configurable through the registry. (See Knowledge Base article Q122702 for more information.) The only other workaround would be to impersonate a user with valid credentials or use a service account that has access to the secured network resource. Winsock and NetBIOS are not secured NTLM resources, so they don't run into the above security restriction.
So the following two methods may solve your problem:
1) Use Winsock and NetBIOS directly in the NT Service to access the secured network resource.
2) Impersonate a user with valid credentials, or use a service account that has access to the secured network resource.
#include <windows.h>

HANDLE hToken = NULL;
// Network logon: the resulting token is only usable locally (see below)
if (!LogonUser("administrator", ".", "syh", LOGON32_LOGON_NETWORK,
               LOGON32_PROVIDER_DEFAULT, &hToken))
{
    SysLogPrintf(LOGFILENAME, "DEBUG", "get process tok err\r\n");
}
else
{
    if (!ImpersonateLoggedOnUser(hToken))
    {
        SysLogPrintf(LOGFILENAME, "DEBUG", "impersonate tok err\r\n");
    }
    else
    {
        SysLogPrintf(LOGFILENAME, "DEBUG", "impersonate tok suc\r\n");
    }
}
This is the code inside process B; process A is the service, and it uses CreateProcess to start process B. LogonUser and the impersonation succeed, but accessing the network still gives "access is denied". And if process B is run on its own, LogonUser fails with error code 1314, "A required privilege is not held". Annoying... help...
I just tried it, and the second method works!
I wrote an example: the service calls CreateProcessAsUser to start another program B (Netwatch.exe), and B accesses the shared resource on the network.
However, so that Netwatch.exe can be seen running on the desktop, my example service is set to be able to interact with the desktop (SERVICE_INTERACTIVE_PROCESS); this can also be set through the SCM. The following code is taken from the main Service Body routine:
BOOL bContinue = TRUE;
HANDLE hToken = NULL;

if (!LogonUser("administrator",
               ".",                        // domain
               "xxx",                      // password
               LOGON32_LOGON_INTERACTIVE,  // not LOGON32_LOGON_NETWORK
               LOGON32_PROVIDER_DEFAULT, &hToken))
{
    Beep(3000, 1000);
    bContinue = FALSE;
}
if (bContinue)
{
    if (!ImpersonateLoggedOnUser(hToken))
    {
        Beep(3000, 1000);
        bContinue = FALSE;
    }
}
if (bContinue)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);               // required by CreateProcessAsUser
    ZeroMemory(&pi, sizeof(pi));
    BOOL bRes = CreateProcessAsUser(
        hToken,
        "e:\\tool\\Netwatch.exe",     // name of executable module
        NULL,                         // command line string
        NULL,                         // process SD
        NULL,                         // thread SD
        FALSE,                        // handle inheritance option
        NORMAL_PRIORITY_CLASS,        // creation flags
        NULL,                         // new environment block
        NULL,                         // current directory name
        &si,                          // startup information
        &pi                           // process information
        );
    if (bRes)
    {
        CloseHandle(pi.hThread);      // release the handles we do not use
        CloseHandle(pi.hProcess);
    }
}
RevertToSelf();
if (hToken) CloseHandle(hToken);
HOWTO: Accessing Network Files from IIS Applications
NOTE: Do not forget that you can prevent network access for anonymous requests where password synchronization is disabled and requests authenticated using basic authentication (clear text logons) by setting the LogonMethod metabase property to 2 (indicating that a network logon will be used to create the impersonation token). With this setting the only way possible for requests to get around the network token limitation would be to connect to NullSessionShares or NullSessionPipes. Make sure that you do not use drive letters mapped to network shares. Not only are there only 26 potential drive letters to choose from, but trying to use a drive letter that was mapped in a different security context can cause problems. Instead you should always use Universal Naming Convention (UNC) names to access resources. The format should look something like the following:
\\MyServer\filesharename\directoryname\filename
The information in this article pertains only to Internet Information Server 4.0. In Internet Information Server 5.0 (shipping with Windows 2000) there will be significant changes in regards to new authentication types and capabilities. Although most of the concepts in this article still apply to IIS 5.0, the details on the sorts of impersonation tokens generated with certain authentication schemes in this article apply strictly to IIS 4.0. If you are having problems trying to determine what sort of logon is occurring on your IIS server to handle requests, you can turn on auditing for Logons and Logoffs to help you do this. In the User Manager navigate to Policies, point to Audit, choose the Audit These Events option and then select the Logon and Logoff options. Event Log entries will be added under the Security Log. You can determine the kind of logon by looking at the event details under the Logon Type:
2=Interactive
3=Network
4=Batch
5=Service
token cannot access resources over the network, but LOGON32_LOGON_INTERACTIVE can. Network tokens are NOT allowed to access network resources.
Interactive tokens are allowed to access resources across the network.
HANDLE hToken = NULL;
if (!LogonUser("administrator",
               ".",                        // domain
               "xxx",                      // password
               LOGON32_LOGON_INTERACTIVE,  // not LOGON32_LOGON_NETWORK
               LOGON32_PROVIDER_DEFAULT, &hToken))
{
    // logon failed; check GetLastError()
}
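Pulling the thread's conclusions together (interactive rather than network logon, impersonate, reach the share by UNC name, always revert), here is an added example that is not code from any of the posts: the names `is_unc_share_path` and `probe_share_as_user` are my own, and the Win32 part is compiled only on Windows (link with advapi32.lib), while the UNC path check is portable.

```c
#include <string.h>

/* The HOWTO above says to use UNC names, never drive letters mapped in
 * another security context: accept only \\server\share... and reject
 * anything else. Returns 1 for a usable UNC path, 0 otherwise. */
int is_unc_share_path(const char *p)
{
    const char *server, *sep, *share;
    if (p == NULL || strncmp(p, "\\\\", 2) != 0) return 0;
    server = p + 2;
    sep = strchr(server, '\\');
    if (sep == NULL || sep == server) return 0;     /* empty server name */
    share = sep + 1;
    if (*share == '\0' || *share == '\\') return 0;  /* missing share name */
    return 1;
}

#ifdef _WIN32   /* Win32 part: only built on Windows */
#include <windows.h>

/* Logs `user` on interactively (network logon tokens cannot reach remote
 * shares, per the thread), impersonates, probes unc_path, and always
 * reverts. Returns 1 if reachable; on failure *err holds GetLastError().
 * Credentials should come from a service account, not a string literal. */
int probe_share_as_user(const char *user, const char *domain,
                        const char *password, const char *unc_path,
                        DWORD *err)
{
    HANDLE hToken = NULL;
    int ok = 0;
    *err = 0;
    if (!is_unc_share_path(unc_path)) { *err = ERROR_BAD_NETPATH; return 0; }
    if (!LogonUserA(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                    LOGON32_PROVIDER_DEFAULT, &hToken)) {
        *err = GetLastError();   /* 1314 = caller lacks a needed privilege */
        return 0;
    }
    if (ImpersonateLoggedOnUser(hToken)) {
        ok = (GetFileAttributesA(unc_path) != INVALID_FILE_ATTRIBUTES);
        if (!ok) *err = GetLastError();   /* e.g. ERROR_ACCESS_DENIED (5) */
        RevertToSelf();          /* never leave the thread impersonating */
    } else {
        *err = GetLastError();
    }
    CloseHandle(hToken);
    return ok;
}
#endif
```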