date: Mon, 14 Apr 2008 07:12:00 -0700,    group: microsoft.public.platformsdk.security


SHFileOperation Problem   
Hello,

I have a service application running under the "Local System" account. This 
service can receive a command to run a set of batch operations (in my case, 
collecting log files of the system). A file with a known name is created and 
I will need to send this file to a shared network folder. I understand the 
"Local System" account doesn't have network rights.

What can I do to copy a file from the local machine to a shared network 
folder using the "Local System" account? I've been trying to use 
"CreateProcessAsUser" to no avail.

Any ideas on the subject?

Thank you,
date: Mon, 14 Apr 2008 07:12:00 -0700   author:   Marcelo Grossi Marcelo

Re: SHFileOperation Problem   
On Apr 14, 7:12 am, Marcelo Grossi <Marcelo
Gro...@discussions.microsoft.com> wrote:
> Hello,
>
> I have a service application running under the "Local System" account. This
> service can receive a command to run a set of batch operations (in my case,
> collecting log files of the system). A file with a known name is created and
> I will need to send this file to a shared network folder. I understand the
> "Local System" account doesn't have network rights.
>
> What can I do to copy a file from the local machine to a shared network
> folder using the "Local System" account? I've been trying to use
> "CreateProcessAsUser" to no avail.
>
> Any ideas on the subject?
>
> Thank you,


Hi,

If you have access rights to the network resources, you can
access the network server and perform your operation.  Also,
in a service process you can only access the network drives
via a UNC path; you can use the following API to access the
shared hard drives on the remote server machine:

	WNetGetUniversalName()	UNIVERSAL_NAME_INFO_LEVEL

Now, the LocalSystem account does not have network credentials, and
is explicitly denied any access to UNC names. So, you need to use
a network service or a designated user account to access the network;
you can use the following APIs to accomplish that:

	LogonUserEx()

	ImpersonateLoggedOnUser()

	CreateEnvironmentBlock()

	GetUserProfileDirectory()

	LoadUserProfile()

	CreateProcessAsUser()

	DestroyEnvironmentBlock()

	UnloadUserProfile()

	RevertToSelf()

	CloseHandle()

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q180362

http://msdn2.microsoft.com/en-us/library/Aa385413.aspx

http://msdn2.microsoft.com/en-us/library/Aa385474.aspx

http://msdn2.microsoft.com/En-US/library/aa378189.aspx

http://msdn2.microsoft.com/en-US/library/aa378612.aspx

http://msdn2.microsoft.com/En-US/library/aa373491.aspx

http://msdn2.microsoft.com/en-us/library/aa373772.aspx

http://msdn2.microsoft.com/En-US/library/aa374341.aspx

http://msdn2.microsoft.com/en-us/library/ms682429.aspx

http://msdn2.microsoft.com/en-US/library/aa373501.aspx

http://msdn2.microsoft.com/en-US/library/aa375098.aspx

http://msdn2.microsoft.com/en-us/library/aa379317.aspx

http://msdn2.microsoft.com/en-us/library/ms724211.aspx

Kellie.
date: Mon, 14 Apr 2008 13:00:01 -0700 (PDT)   author:   Kellie Fitton

Re: SHFileOperation Problem   
Hello Kellie,

First of all, thank you very much for your comprehensive reply!

I've been trying to have this work for a few hours now and don't seem to be 
able to. Here is what I've got so far:

  - LogonUserEx - OK
  - ImpersonateLoggedOnUser - OK
  - CreateProcessAsUser - "Client privileges not held" error

  What I've been struggling with is on how to give the required privileges 
to the user token. As I understand I need the following privileges/rights on 
the user access token for the CreateProcessAsUser() function to work:
  
  - TOKEN_QUERY
  - TOKEN_DUPLICATE
  - TOKEN_ASSIGN_PRIMARY

  And the process that calls the CreateProcessAsUser() must have the 
following privileges:

  - SE_ASSIGNPRIMARYTOKEN_NAME
  - SE_INCREASE_QUOTA_NAME

  Now, the latter privileges I can definitely manage easily but I couldn't 
find any way to give my Token (the one that I got as a result of the 
LogonUserEx function) the required access rights (Query, Duplicate and 
Assign Primary..) to be able to call the CreateProcessAsUser() function.

  I'm sorry for this newb post of mine but I really don't have any experience in 
dealing with the Windows Security System. So I'm struggling quite a bit in 
this area...

  Thanks again for all the help,

  Marcelo Grossi
date: Tue, 15 Apr 2008 06:45:01 -0700   author:   Marcelo Grossi

Re: SHFileOperation Problem   
On Apr 15, 6:45 am, Marcelo Grossi
 wrote:
> Hello Kellie,
>
> First of all, thank you very much for your comprehensive reply!
>
> I've been trying to have this work for a few hours now and don't seem to be
> able to. Here is what I've got so far:
>
>   - LogonUserEx - OK
>   - ImpersonateLoggedOnUser - OK
>   - CreateProcessAsUser - "Client privileges not held" error
>
>   What I've been struggling with is on how to give the required privileges
> to the user token. As I understand I need the following privileges/rights on
> the user access token for the CreateProcessAsUser() function to work:
>
>   - TOKEN_QUERY
>   - TOKEN_DUPLICATE
>   - TOKEN_ASSIGN_PRIMARY
>
>   And the process that calls the CreateProcessAsUser() must have the
> following privileges:
>
>   - SE_ASSIGNPRIMARYTOKEN_NAME
>   - SE_INCREASE_QUOTA_NAME
>
>   Now, the latter privileges I can definitely manage easily but I couldn't
> find any way to give my Token (the one that I got as a result of the
> LogonUserEx function) the required access rights (Query, Duplicate and
> Assign Primary..) to be able to call the CreateProcessAsUser() function.
>
>   I'm sorry for this newb post of mine but I really don't have any experience in
> dealing with the Windows Security System. So I'm struggling quite a bit in
> this area...
>
>   Thanks again for all the help,
>
>   Marcelo Grossi


Hi,

Well, another option is using the API CreateProcessWithLogonW().
This would spawn your application in the correct security context,
and the function does exactly the same thing as LogonUserEx() and
CreateProcessAsUser() and does not require any special privileges.

Just make sure that the user account you specify is allowed to log on
interactively to your machine; you can check that in the domain/local
policies.

http://msdn2.microsoft.com/en-us/library/ms682431(VS.85).aspx?s=1

Kellie.
date: Tue, 15 Apr 2008 12:48:36 -0700 (PDT)   author:   Kellie Fitton

Re: SHFileOperation Problem   
Hello Kellie,

Thanks again for the great response! One more question, is there a 'default' 
user that I could use for this task without the need to create a new one just 
to copy files from the TEMP folder of my machine to a fully shared remote 
folder?
I know that the "Network Service" user is available but I don't know if it can 
be used on this function you gave me because it's an NT AUTHORITY...

Thanks again!

Marcelo Grossi

> Hi,
> 
> Well, another option is using the API CreateProcessWithLogonW().
> This would spawn your application in the correct security context,
> and the function does exactly the same thing as LogonUserEx() and
> CreateProcessAsUser() and does not require any special privileges.
> 
> Just make sure that the user account you specify is allowed to log on
> interactively to your machine; you can check that in the domain/local
> policies.
> 
> http://msdn2.microsoft.com/en-us/library/ms682431(VS.85).aspx?s=1
> 
> Kellie.
date: Wed, 16 Apr 2008 05:06:01 -0700   author:   Marcelo Grossi

Re: SHFileOperation Problem   
On Apr 16, 5:06 am, Marcelo Grossi
 wrote:
> Hello Kellie,
>
> Thanks again for the great response! One more question, is there a 'default'
> user that I could use for this task without the need to create a new one just
> to copy files from the TEMP folder of my machine to a fully shared remote
> folder?
> I know that the "Network Service" user is available but I don't know if it can
> be used on this function you gave me because it's an NT AUTHORITY...
>
> Thanks again!
>
> Marcelo Grossi
>


Hi,

The default security descriptors of hard disk drives are very
restrictive towards non-admin users; admins and the system
administrator are allowed full control.  An NT service process
requires the permission FileIOPermission, which controls the
ability to access files and folders on the target drive.

Kellie.
date: Wed, 16 Apr 2008 13:19:50 -0700 (PDT)   author:   Kellie Fitton

Re: SHFileOperation Problem   
Hello Kellie,

Thank you for all your help but this is not giving me the results I need. 
And after so much effort I have to admit I'm quite disappointed at MSFT on 
this one, that something as simple as copying from a temp folder to a network 
location should be so difficult.
I hope they can improve this in the future. I've decided to work around the 
problem instead of solving it.

Thanks again for all the help,

Marcelo Grossi

"Kellie Fitton" wrote:

> On Apr 16, 5:06 am, Marcelo Grossi
>  wrote:
> > Hello Kellie,
> >
> > Thanks again for the great response! One more question, is there a 'default'
> > user that I could use for this task without the need to create a new one just
> > to copy files from the TEMP folder of my machine to a fully shared remote
> > folder?
> > I know that the "Network Service" user is available but I don't know if it can
> > be used on this function you gave me because it's an NT AUTHORITY...
> >
> > Thanks again!
> >
> > Marcelo Grossi
> >
> 
> 
> Hi,
> 
> The default security descriptors of hard disk drives are very
> restrictive towards non-admin users; admins and the system
> administrator are allowed full control.  An NT service process
> requires the permission FileIOPermission, which controls the
> ability to access files and folders on the target drive.
> 
> Kellie.
> 
>
date: Thu, 17 Apr 2008 01:26:00 -0700   author:   Marcelo Grossi
