I am creating a service that accesses a folder path:
string localAppDataFolderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);
Unfortunately, the folder returned is not:
C:\Users\mainuser\AppData\Local
... but:
C:\Windows\system32\config\systemprofile\AppData\Local
...instead.
mainuser is the user that is currently logged in. Is it possible for a service to launch a program that is placed in the current user's AppData\Local? I am aware that you can go to Services-> Right click Properties-> Log on and type in the password and account name, but I am looking for a programmatic solution, ideally using the sc create command.
Alternatively, I can move all folders of interest to C:\ProgramData and completely avoid the current user. Is there a way to keep the files in the user's AppData\Local and use a programmatic solution without a password?
In short, services don't (and shouldn't) launch programs for users or access user information in general (unless they run as the specified user). They are agnostic of users and their profiles; their use case is to run as part of the system.
If you want to run an application when a user logs on, either use a group policy, or add it to the user settings to run on startup. If need be, set this up in the installer.
This is the way every service works, and has been the norm for Windows for a long time (with the exception of drivers).
Related
I have an application that needs read/write access to a network folder that the user doesn't (and shouldn't) have access to. I am able to access the folder using several different methods including
NetworkCredential via System.Net and
WNetAddConnection2 via the DllImport("mpr.dll")
No matter what method I use, when the application accesses the folder, the user is able to browse to the folder via Windows->Explorer, even though the user doesn't (and more importantly, shouldn't) have credentials to access that network folder.
Is there a way I can allow network access to a folder for my application without enabling access to that same folder for the current user via Windows->Explorer?
Once the application closes, the user no longer has access to the network folder (although this takes a minute or so).
Thanks,
If you want to make the program have different access than the currently logged in user, it must be run via different credentials than the currently logged in user.
There are a couple of ways to achieve this, none of which are particularly easy.
You could allow the program to run via and only via the Run as Administrator option, requiring an administrator to start the program each time it needs to be run.
You could write a program to launch your program via Process.Start and set the user via the ProcessStartInfo argument. This will only work if your program knows the username and password of the desired account, and may present a security risk as this can be decompiled and read without proper obfuscation.
The next option is to create and install a Windows service which provides the read/write functionality your program needs via some form of IPC, such as a WCF service. This would allow you to set the service up to start and operate as an administrator, while the program itself is able to run using user credentials.
I'm working on a WPF application right now in C#, and I need to be able to save some images. These images need to be saved into a directory that the user that's currently logged in doesn't have access to without some administrative privileges (essentially, to control the security on what images are being saved to that directory).
How can I set up such security permissions? Is there some directory that I can add subdirectories to with these images inside?
Normally, I would try to post some code as an example of what I have. I'm not entirely sure where to begin with this problem, though.
As Andrew already said in his comment, you should really start with a service. This will run under another account (normally System, but you can change this within the control panel). To start with, a service is at first nothing more than any other normal process. So to get a connection between the user application and the service you can use any inter-process communication you like.
The only difference between a normal application and a service is that the service will be started and managed through the service manager and thus needs to derive from ServiceBase. Also, maybe this Walkthrough might help you to start.
Default context for all non-user programs is system, which is available to you via service programming and you are not familiar with it. A hack would be logging into another account (i.e. administrator) and running the program in that context, which is not possible on all Windows versions and I believe isn't worth the resources it costs and is also a security risk.
Another solution would be to encrypt your application data and store it somewhere.
I am writing a GUI to configure my service written in C#.NET 3.5; it edits an embedded SQLite database from which the service pulls its settings. The GUI is being developed in a separate project and I am at the point where I would like to integrate them. It is my first time implementing something like this and I am unsure how to go about it.
Do I simply place the GUI .exe file in the same directory (bin?) as the service and give it the location of the database?
Yes, usually. You will however have to ask for elevation or you won't be able to write to the dbase. UAC prevents write access to the directories in c:\program files. Which is okayish, the user is after all tinkering with the configuration of a privileged service. And you probably need to stop and start the service to make the configuration change effective, something you can only do from a privileged program. Embed a manifest in gui.exe as explained in this post.
Pre-empting the next question: there is no standard Windows way to have the dbase in a location that's accessible to both the service and your gui without elevation. You'd have to write an installer that creates a directory that gives the gui app sufficient rights and allows the service to find the directory without relying on the user name.
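An added example (not part of the original answer) of the directory the answer describes: an elevated installer step creates a folder under the machine-wide CommonApplicationData path with an explicit ACL, and both the service and the GUI resolve it through the same call, so no user name is involved. The vendor and product names are hypothetical, and because any local user can write to this folder, the service has to validate what it reads from it.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class SharedConfigDirectory
{
    // Hypothetical names, chosen for this example only.
    const string Vendor = "ExampleVendor";
    const string Product = "ExampleService";

    // Called by both the service and the GUI; the result does not depend on the account.
    public static string GetPath()
    {
        string root = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
        return Path.Combine(Path.Combine(root, Vendor), Product); // two-argument form works on .NET 3.5
    }

    // Run once from the elevated installer.
    public static void Create()
    {
        InheritanceFlags inherit = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
        DirectorySecurity security = new DirectorySecurity();
        // Protect the DACL: discard ACEs inherited from the parent so only the rules below apply.
        security.SetAccessRuleProtection(true, false);
        // Administrators own the folder, also when a directory of that name already existed.
        security.SetOwner(Sid(WellKnownSidType.BuiltinAdministratorsSid));
        security.AddAccessRule(Rule(WellKnownSidType.LocalSystemSid, FileSystemRights.FullControl, inherit));
        security.AddAccessRule(Rule(WellKnownSidType.BuiltinAdministratorsSid, FileSystemRights.FullControl, inherit));
        // Modify lets the unelevated GUI edit files without being able to change permissions or ownership.
        security.AddAccessRule(Rule(WellKnownSidType.BuiltinUsersSid, FileSystemRights.Modify, inherit));

        DirectoryInfo dir = new DirectoryInfo(GetPath());
        dir.Create();                    // no-op if the directory already exists
        dir.SetAccessControl(security);  // apply owner and DACL
    }

    static SecurityIdentifier Sid(WellKnownSidType type)
    {
        // Well-known SIDs avoid localized group names such as "Users".
        return new SecurityIdentifier(type, null);
    }

    static FileSystemAccessRule Rule(WellKnownSidType who, FileSystemRights rights, InheritanceFlags inherit)
    {
        return new FileSystemAccessRule(Sid(who), rights, inherit, PropagationFlags.None, AccessControlType.Allow);
    }

    static void Main()
    {
        Create();
        Console.WriteLine(GetPath());
    }
}
```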
I have an issue with my software installation / first time run on Vista / 7 in relation to the VirtualStore.
My software is written in C#. Installer: NSIS.
My application is installed using NSIS. It runs as administrator.
After installation is finished, the user can immediately start the software from the installer.
This results in the first run of the program to be executed as admin.
During the first run, a wizard has to be completed. This wizard will import data from an older version of the software, that is already on the computer (C:\Program Files\OldProgram\Data)
However, on 7/Vista, this data is in the VirtualStore of the user. When I'm admin, I don't "see" this data and I can't convert it.
Questions:
Can I know which user is currently logged in?
Is there a generic way to access the Virtual Store of this user? Taking into account that the "Program Files" folder is named differently in some countries and on 64-bit my app sits in "Program Files (x86)".
UserInfo::GetName will give you the username, use UserMgr if you need more control
Windows does not really provide a way to access another user's special folders without their token, but this helper macro works in most cases. The name/location of the virtual store is not documented AFAIK so you have to get the closest special folder with GetUserShellFolderFromRegistry and then hardcode the VirtualStore part of the path...
If you want to launch a program as the user and not the administrator performing the install, use the UAC plugin (Or just remove the run checkbox on the finish page and let the user start the program normally)
I have a .Net app that I install and set to run at Startup. The installer also creates a user that has write permissions to the appropriate application folders and registry sections, preventing the currently running user from modifying the restricted areas.
However, I am unable to figure out how to run the application under a different user. It's not a Service (although that is a possibility). I'm really trying to figure out how to do the following:
Start an application on boot as a different user.
Install a service to start on boot, as a different user.
Can anyone point me in the right direction?
Regards
Tris
With respect to services, you specify the user they run as when you install one.
To start an app as someone else, you could create a batch script that launches your app with the RUNAS command, though I believe you are prompted for a password so it may not be what you're after.