C# run app as different user or schtasks auth - c#

I was hoping I could get some input on the best way to handle authentication for my application. I have a C# form that has three buttons. One button is for querying tasks on a specific server, one button can start a task, and the last button can end a task.
My question involves the best way to do this for multiple users. I know I can add these users to the administrator group on each server but I really don't want to do this because these are all non-admin users. Also, I am running this against 3 different domains and multiple servers with no trusts.
Is there a way to either create a user that I can give admin rights on all of the servers and then run the C# app as this user (could be domain or local) or is there a better way to handle permissions for schtasks without giving admin rights?
I have researched impersonation but I don't think that does what I need unless I missed something.
Thank you,
Matt

You can use the runas command - this lets you set a user name and password to execute the application under.
You will still need to set the link up for each user/computer.

Related

Auto Start WinForms Application With Admin Permissions On Non-Admin Account

I've been wrestling with this issue for a few days and can't find any posts that solve it for me. Maybe what I want isn't possible.
We have developed a WinForms application for internal use at our company.
Most employees do not have admin access in windows.
Our application requires admin access to the machine and needs to automatically start when the user logs on.
Here's what I've tried:
1) Putting a Shortcut in the Startup folder
I can get the app to automatically launch (using a relauncher), but it still requires an admin to be at the computer on every restart (to enter the password).
2) Registry Key
I created a Software\Microsoft\Windows\CurrentVersion\Run registry key to automatically start the application. Whether I run the relauncher or the app itself, UAC demands a password on every restart (or relogin).
3) Scheduled Task
I created a scheduled task to automatically start the app on logon using admin permissions on the machine (under use the following account). I also checked the 'Run with highest privileges' box. UAC still pops up on every restart.
4) Windows Service
I tried to run the app as a windows service, but it has a user interface (which is disabled by windows services).
5) Disable UAC for Specific Program
It looks like you can disable UAC for a specific program but that involves downloading the Application Compatibility Toolkit, creating some kind of database, etc. I'd very much prefer that our IT staff wouldn't have to do that at every machine. At this point, it's probably my only option.
It seems like an admin should be able to install an application so that it runs automatically without a prompt. Am I missing a way to do this?
You should split your program into a non-admin UI, which runs on user startup, and an admin service, which performs the administrative tasks.
To run admin-requiring code from the UI, use WCF to ask the service to do it.
Beware that hostile parties may impersonate the UI and ask the service to do malicious things; you need to carefully figure out what the service should be able to do in response to IPC calls.
Your problem is not a UAC problem, it is a security problem.
And the answer depends on what your application that "requires admin rights" needs to do.
If your application needs to be able to start, and stop services, then the User needs the ability to start and stop services. In which case you need to give the users that privilege.
If the users need the ability to alter or delete files, then they need that privilege too. In that case it is easier to grant Full Control permissions to Everyone.
If your application needs the ability to modify registry keys in the HKLM tree then you can, again, grant Full Control to Everyone in the registry.
If you need your users to have the ability to modify items, then they need permissions to modify those locations. Granting them those NTFS permissions is not a bad thing; it is exactly what those permissions exist for - to control access.
But why
But then we ask why? What is it you're doing that users need all the rights of an administrator, and all capabilities of an administrator, all the power of an administrator, but you don't want to make them a member of the Administrator's group?
The answer is almost invariably that your internal use application doesn't need to run as an administrator.
What Would XP Do?
The question becomes:
What would you do on Windows XP?
A standard user on Windows XP didn't even have the UAC convenience feature. If a user wanted to run an application as an administrator, they had to log out and log in as an administrator. How did, or how would, the application work on a system with UAC disabled?
Presumably very little of your application needs to run as admin - the rest would be better running as the unprivileged user. This is very common (think self-updating browsers, for example).
The proper way to do this is to install a service to do the privileged bit, and have the UI communicate with the service.
Our application requires admin access to the machine ...
Why?
You cannot bypass the UAC prompt, and this is by design.
See FAQ: Why can’t I bypass the UAC prompt? for a good discussion of why. Excerpt:
If it were possible to mark an application to run with silently-elevated privileges, what would become of all those apps out there with LUA bugs? Answer: they'd all be marked to silently elevate. How would future software for Windows be written? Answer: To silently elevate. Nobody would actually fix their apps, and end-user applications will continue to require and run with full administrative permissions unnecessarily.

How to display UI on logon screen in Windows 7

I would like to display an UI that interacts with user on pre-logon screen (the screen where users usually enter their username/password)
I read that the architecture of Winlogon packages has changed and will not help me in Windows 7.
I was referred to use WTS functions, however I am still not clear on how to use them or which ones.
I already created a Service which brings up a notepad.exe (for now), however I need to trigger this Service when user is in pre-logon screen. I am not sure what or how to implement that.
What you are trying to do is use the Windows Interactive Logon Architecture.
Windows Vista examples here (Credential Providers)
Windows 7 technet article
There's a reason it's HARD to do this kind of thing. Programs are minions of users. Pre-logon, there's (typically) no user to be a minion of. It's a security thing.
Just have your service fire off when a user logs in.
One way to get UI to show up without anybody logged in is to have a login screensaver. Your code (which could be .NET) would run after the timeout up until either you exit or somebody presses Ctrl-Alt-Del.
There are limits to what you can do as a login screensaver, but it may work for you.
From what I understand of your requirement, you want to display a custom user interface at the Credential Provider level. You can achieve this by one of the following approaches:
(1) Write a custom CP that includes your UI as a modal dialog in the SetSelected method of the credential : This approach will allow you to customize any UI. Once the modal window gets dismissed, the actual password CP gets built (assuming you wrap the default password CP).
(2) Launch the application from a Windows Service: This approach will not stop the providers from getting initialized. Basically, the Windows Service is used to launch a process in Winsta0\Winlogon desktop. You can access the process launched using Alt+TAB. Here are the basic steps you would need to use:
WTSGetActiveConsoleSessionId to get the active session ID
WTSQueryUserToken() to get the winlogon pid
DuplicateTokenEx to duplicate the token
Adjust the token privileges by calling AdjustTokenPrivileges
CreateProcessAsUser with lpDesktop as Winsta0\Winlogon
I have used both approaches. The first one is used to introduce more secure login. The second is used to launch remote access tools, cmd prompt etc.

Running a loop of processes that require admin rights

I have an application that does a loop which starts some processes programmatically one by one. My app itself runs under a standard user, but I need to run only those processes as admin so I can install them.
To achieve this, I use the 4th response from this thread
My two questions are:
Is the code pointed to in the above response supposed to ensure that the process automatically runs as admin, or that the user is shown a dialog where he chooses whether to run as admin or not? I am confused by what this code is supposed to do.
Also, in case a dialog is supposed to be shown to the user, how can the app be coded so that the first user choice is remembered in my loop for the next processes started with the verb "runas"? So basically, to store the user's choice (run as admin or not) somewhere for the other processes.
Thank you in advance
First question: It is how to start an elevated process from a non-elevated one.
Second question: there isn't -- or at least shouldn't! -- be any way for a non-elevated process to elevate anything without a user prompt. The best solution for your program is either to start it off with admin rights, or to use the first elevation request as an opportunity to restart with them (using the technique you linked to).

I want to run my function in limited account with administrator permission

I want to run my program under a limited user account but with administrator privileges on Windows XP.
I can't find an answer. I think I can use two ways:
Run my program by another way like a program or a service
Run my function with some method like PrincipalPermission space or something like this
But I can't solve this problem.
Have you looked at the "runas" command? For example:
C:\> runas /noprofile /netonly /user:MYCOMPUTER\testuser "C:\Program Files\My Special Program\Program.exe"
I want to run my program under a limited user account but with administrator privileges.
This can't be done. A limited user doesn't have admin privileges. You need to run it as an admin user with, e.g. runas.
One way to solve this is to fragment your program into two parts. One part as a windows service and the one as a user app. You can set the service to run as a Network Service, Local Service or Local System depending the level of access you need. Anything that needs administrator privileges will be performed by the Windows service. The user app can be responsible for showing the user interface and other similar things. You need to have some kind of IPC (Inter process communication) between your applications to facilitate this as well.
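The split recommended here and in the earlier answers (an unprivileged UI asking a privileged service to act over IPC), applied to the first question's query/start/end task buttons, as an added C# example that is not code from any of the posts. It shows the service-side check that treats every request as untrusted; the one-line request format, the class name `TaskBroker` and the task names are assumptions, and the IPC transport is left out.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;

// Privileged side of the UI/service split. The UI sends one text line per
// request, e.g. "RUN NightlyBackup" (assumed format). Any local process can
// pretend to be the UI, so nothing in the request is trusted.
static class TaskBroker
{
    // Only these schtasks verbs are exposed; create/change/delete never are.
    static readonly Dictionary<string, string> Verbs =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { "QUERY", "/Query" }, { "RUN", "/Run" }, { "END", "/End" } };

    // Hypothetical task names approved by an administrator at install time.
    static readonly HashSet<string> AllowedTasks =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "NightlyBackup", "ReportExport" };

    // Returns the schtasks argument string, or null when the request is refused.
    public static string BuildArguments(string request)
    {
        if (request == null || request.Length > 64) return null;
        string[] parts = request.Split(' ');
        if (parts.Length != 2) return null;   // extra tokens = injected switches
        string verb;
        if (!Verbs.TryGetValue(parts[0], out verb)) return null;
        if (!AllowedTasks.Contains(parts[1])) return null;
        // Quoting is safe: the name equals an allow-list entry (ignoring case).
        return verb + " /TN \"" + parts[1] + "\"";
    }

    public static ProcessStartInfo ToStartInfo(string arguments)
    {
        // Fixed executable path, no shell, nothing taken from the caller.
        string exe = Path.Combine(Environment.SystemDirectory, "schtasks.exe");
        return new ProcessStartInfo(exe, arguments)
        { UseShellExecute = false, RedirectStandardOutput = true, CreateNoWindow = true };
    }

    static void Main()
    {
        // Constructed sample requests: two valid, three that must be refused.
        string[] samples = { "RUN NightlyBackup", "query ReportExport",
            "DELETE NightlyBackup", "RUN NightlyBackup /RU SYSTEM", "RUN OtherTask" };
        foreach (string s in samples)
            Console.WriteLine("{0,-30} -> {1}", s, BuildArguments(s) ?? "REFUSED");
    }
}
```

The service would pass `ToStartInfo(BuildArguments(line))` to `Process.Start` only when `BuildArguments` returns non-null, and log every refusal.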

which process in windows is user specific?

I wanted to know which process in Windows is user specific, I mean it gets created for each user login. I tried explorer.exe, but when you switch user and log into a new account, it shows the old login name in my code. Basically I just need to log which user is logging in, and when, in the app.
If all you need to know is which user(s) are using your app, can you just check Environment.UserName when you start your app?
I missed the tag indicating you created a Windows Service. That's a very different type of animal than a regular application, and the advice you receive for one is not necessarily transferable to the other.
Specifically, I notice that you've tagged this question windows-7. If you're trying to run this service under Windows 7, you need to understand a few things about how the model for Windows Services was substantially altered starting with Windows Vista. Specifically, they now run in an isolated session and are prohibited from interacting directly with the user.
Also see my answer here for a better explanation.
The fundamental point is that, from the perspective of a Windows Service, there is no such concept as the currently logged-on user. A Windows Service runs in its own isolated session and is not affiliated with any particular user. That's why the code you found to determine the user associated with a particular process is not working as you expect for a Windows Service. A standard user doesn't own the process running the service. (And replacing your service with an application is also not a viable option, given how I understand your requirements. As I explain here, user-mode applications are started when a particular user logs on and will be closed whenever that user logs off.)
Another problem is that more than one user can be logged in simultaneously to a single workstation. Windows is a thoroughly multi-user operating system, so the best that you can hope for is to enumerate all of the currently logged in users. The NetWkstaUserEnum function will get you that list, but note that it includes all types of logons, including interactive users, services, and batch logons. To call this function from C#, you will need to P/Invoke—you can find information about that over on pinvoke.net.
