Calling CreateProcessWithLogonW

Discussion in 'ASP .Net Security' started by Benjamin Bittner, Jul 2, 2004.

  1. Hello NG,
    I've posted this before on microsoft.public.dotnet.framework.aspnet but didn't
    get a response. I'm stuck with this for a week now, and I think I used every
    possible resource but didn't get it to work.
    ===
    I have problems with calling the CreateProcessWithLogonW() function. I tried
    converting a VB6 example
    (http://support.microsoft.com/default.aspx?scid=kb;en-us;285879) and some
    snippets I found around the web, but I can't get it to work. It tries to
    start the application, but it fails. In my event log I can see a new info
    message every time I execute my code. I'll try to translate it, because I have a
    German Windows installed, so it may not be the exact words of the
    original English info message.

    Application popup: some.exe - Error in application: the application couldnt
    be initialized properly (0xc0000142). Click "OK" to exit.
    event-id: 26

    I tried launching notepad.exe, cmd.exe, cscript.exe but every time the same
    error. What I'm trying to achieve is to execute the VBScript file
    makew3site.vbs from IIS > AdminScripts.

    This is my code:

    Option Strict Off
    Option Explicit On
    Imports System.Runtime.InteropServices

    Public Class WebForm2
        Inherits System.Web.UI.Page

        Protected WithEvents lblTest As System.Web.UI.WebControls.Label

    #Region "Structs"
        <StructLayout(LayoutKind.Sequential)> _
        Public Structure PROCESS_INFORMATION
            Dim hProcess As System.IntPtr
            Dim hThread As System.IntPtr
            Dim dwProcessId As Integer
            Dim dwThreadId As Integer
        End Structure

        <StructLayout(LayoutKind.Sequential)> _
        Public Structure STARTUPINFO
            Dim cb As Integer
            Dim lpReserved As System.IntPtr
            Dim lpDesktop As System.IntPtr
            Dim lpTitle As System.IntPtr
            Dim dwX As Integer
            Dim dwY As Integer
            Dim dwXSize As Integer
            Dim dwYSize As Integer
            Dim dwXCountChars As Integer
            Dim dwYCountChars As Integer
            Dim dwFillAttribute As Integer
            Dim dwFlags As Integer
            Dim wShowWindow As Short
            Dim cbReserved2 As Short
            Dim lpReserved2 As System.IntPtr
            Dim hStdInput As System.IntPtr
            Dim hStdOutput As System.IntPtr
            Dim hStdError As System.IntPtr
        End Structure
    #End Region

    #Region "APIINFO"
        Private Const LOGON_NETCREDENTIALS_ONLY As Integer = &H2
        Private Const NORMAL_PRIORITY_CLASS As Integer = &H20
        Private Const CREATE_DEFAULT_ERROR_MODE As Integer = &H4000000
        Private Const CREATE_NEW_CONSOLE As Integer = &H10
        Private Const CREATE_NEW_PROCESS_GROUP As Integer = &H200
        Private Const LOGON_WITH_PROFILE As Integer = &H1

        Private Declare Unicode Function CreateProcessWithLogon Lib "Advapi32" _
            Alias "CreateProcessWithLogonW" _
            (ByVal lpUsername As String, _
            ByVal lpDomain As String, _
            ByVal lpPassword As String, _
            ByVal dwLogonFlags As Integer, _
            ByVal lpApplicationName As String, _
            ByVal lpCommandLine As String, _
            ByVal dwCreationFlags As Integer, _
            ByVal lpEnvironment As System.IntPtr, _
            ByVal lpCurrentDirectory As System.IntPtr, _
            ByRef lpStartupInfo As STARTUPINFO, _
            ByRef lpProcessInfo As PROCESS_INFORMATION) As Integer

        Private Declare Function CloseHandle Lib "kernel32" _
            (ByVal hObject As System.IntPtr) As Integer
    #End Region

    #Region " Web Form Designer Generated Code "

        'This call is required by the Web Form Designer.
        <System.Diagnostics.DebuggerStepThrough()> _
        Private Sub InitializeComponent()

        End Sub

        Private Sub Page_Init(ByVal sender As System.Object, _
            ByVal e As System.EventArgs) Handles MyBase.Init
            'CODEGEN: This method is required by the Web Form Designer.
            'Do not modify it using the code editor.
            InitializeComponent()
        End Sub

    #End Region

        Private Sub Page_Load(ByVal sender As System.Object, _
            ByVal e As System.EventArgs) Handles MyBase.Load
            Dim szApp As String = "C:\winnt\notepad.exe"
            Dim szCmdLine As String = ""
            Dim szUser As String = "user"
            Dim szPass As String = "password"
            Dim szDomain As String = "TEST"
            Dim siStartup As STARTUPINFO
            Dim piProcess As PROCESS_INFORMATION

            siStartup.cb = Marshal.SizeOf(siStartup)
            siStartup.dwFlags = 0

            Dim ret As Integer = CreateProcessWithLogon(szUser, szDomain, _
                szPass, LOGON_WITH_PROFILE, szApp, szCmdLine, _
                CREATE_DEFAULT_ERROR_MODE, _
                IntPtr.Zero, IntPtr.Zero, siStartup, piProcess)

            If ret = 0 Then
                'The call failed: show the Win32 error text.
                lblTest.Text = New System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message
            Else
                'The handles are only valid when the call succeeded.
                CloseHandle(piProcess.hProcess)
                CloseHandle(piProcess.hThread)
            End If
        End Sub

    End Class

    I tried many combinations for szApp and szCmdLine, like trying to give szApp
    a reference to the exe, and szCmdLine the arguments, or leaving szApp empty
    and passing everything with szCmdLine like this:

    Dim szCmdLine As String = "C:\Winnt\notepad.exe /put params here"

    Also I tried to pass 0& as an integer in szApp, and szCmdLine like the above
    one.
    What I want to do is:

    Dim szApp As String = "C:\Inetpub\AdminScripts\mkw3site.vbs"
    Dim szCmdLine As String = "-r C:\Inetpub\wwwroot\client -t client.test.de -o 8080"

    Could someone plz help me, I'm stuck with this for quite some days now, and
    it's driving me nuts.
    Thx in advance
    Regards Benni
    ====
    In addition to that, someone found out that this works on a W2K workstation,
    but doesn't on a W2K server. Could someone plz help me, or give me another
    way to contact Microsoft directly (I know that's what newsgroups are for, but
    I know that this should work but it doesn't, and I need it really bad).

    Thanx for every response
    Regards Benni
     
    Benjamin Bittner, Jul 2, 2004
    #1

  2. Benjamin,

    Not all APIs are supported on all versions/editions.

    referencing the conversation:
    http://groups.google.com/groups?hl=...m=##link1

    You can impersonate your application to run under an account
    which has permissions to access certain resources:
    <identity impersonate="true" userName="domain\username"
    password="password" />

    This way, when your application attempts to access another resource
    that requires authentication, the username and password specified
    here are used to authenticate for that resource. Storing passwords
    in clear text is a security issue, so that's solved here:
    http://support.microsoft.com/?id=329290

    --
    Hope this helps,
    Zeeshan Mustafa, MCSD


     
    M. Zeeshan Mustafa, Jul 2, 2004
    #2

  3. Under Win2K, you need the Act As Part of the Operating System privilege to
    call LogonUser or CreateProcessWithLogon. You only have this by default if
    you are the SYSTEM account. This may be part of the problem.

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Jul 2, 2004
    #3
  4. Hello Joe and Zeeshan
    "Joe Kaplan (MVP - ADSI)" <> wrote in message news:...
    > Under Win2K, you need the Act As Part of the Operating System privilege to
    > call LogonUser or CreateProcessWithLogon. You only have this by default if
    > you are the SYSTEM account. This may be part of the problem.
    >
    > Joe K.
    >

    I think I tried everything. I'm impersonating already. But starting a process
    from an ASP.NET app starts the process in the user context of the parent
    process, which is the ASP.NET worker process, so impersonating won't help.
    The Administrator account I'm trying to start my process in has the rights act
    as part of the OS, increase quotas, replace a process level token. I've found
    a comment in a script that calls CreateProcessWithLogonW:

    ' WARNING:
    ' Do not use "." (local computer) for RUNAS_DOMAIN. I got some errors when I
    ' used this class with "." on ASP.NET Aplications (0xc0000142)
    ' Instead, use the computer name or the domain associated with the user.
    ' CreateProcessAsUser() requires that the caller has the following permissions
    ' Permission                    Display Name
    ' ---------------------------------------------------------------
    ' SE_ASSIGNPRIMARYTOKEN_NAME    Replace a process level token
    ' SE_INCREASE_QUOTA_NAME        Increase quotas

    0xc0000142 is the exact error I'm getting. But I don't call the function with
    "." for local, I call it with "TEST", which is the computer's name. I've
    searched Google a lot for that error code, but there's just too much that can
    cause this error. I found a possible solution that said that you have to do
    "sfc /scannow" at the cmd prompt to scan all protected system files. So I did
    this, but the error stays. But by doing this, I found out something else
    that might be interesting for my problem. I couldn't do "sfc /scannow" if I
    was logged in on this server with the terminal service client (I don't
    exactly know whether it is called this way in the US version, I just tried to
    translate it), although I was logged in as Administrator. But sitting in
    front of the machine, executing this command was no problem. Maybe there are
    some restrictions on rights with external connections, but I didn't find
    anything.

    Regards Benni
     
    Benjamin Bittner, Jul 5, 2004
    #4
  5. Hi Benni,

    Just to confirm that I understand what you are doing, you are calling
    CreateProcessWithLogonW from an ASP.NET application on Win2K with the
    current impersonated thread identity being a highly privileged admin account
    and the process identity being the standard ASPNET worker process account,
    right?

    I'm not sure what the error you are getting is (VS2003 error lookup didn't
    seem to find it), but I was wondering if you can try calling the LogonUser
    API with the credentials you have first to create a logon token? Then from
    there, perhaps you could try calling CreateProcessWithTokenW? That way, you
    can determine if you can get the logon part working and can create the token
    you need.

    HTH,

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Jul 5, 2004
    #5
  6. Hello Joe
    "Joe Kaplan (MVP - ADSI)" <> wrote in message news:...
    > Hi Benni,
    >
    > Just to confirm that I understand what you are doing, you are calling
    > CreateProcessWithLogonW from an ASP.NET application on Win2K with the
    > current impersonated thread identity being a highly privileged admin account
    > and the process identity being the standard ASPNET worker process account,
    > right?

    Exactly.

    > I'm not sure what the error you are getting is (VS2003 error lookup didn't
    > seem to find it), but I was wondering if you can try calling the LogonUser
    > API with the credentials you have first to create a logon token? Then from
    > there, perhaps you could try calling CreateProcessWithTokenW? That way, you
    > can determine if you can get the logon part working and can create the token
    > you need.
    >


    Okay I tried that with this code:
    =============Code===============
    Option Strict Off
    Option Explicit On
    Imports System.Runtime.InteropServices

    Public Class WebForm4
        Inherits System.Web.UI.Page

        Protected WithEvents lblTest As System.Web.UI.WebControls.Label

        Public Enum eWindowsDefinesParamsLogonType
            LOGON32_LOGON_INTERACTIVE = 2
            LOGON32_LOGON_NETWORK = 3
            LOGON32_LOGON_BATCH = 4
            LOGON32_LOGON_SERVICE = 5
            LOGON32_LOGON_UNLOCK = 7
            '#if(_WIN32_WINNT >= 0x0500)
            LOGON32_LOGON_NETWORK_CLEARTEXT = 8
            LOGON32_LOGON_NEW_CREDENTIALS = 9
            '#endif // (_WIN32_WINNT >= 0x0500)
        End Enum

        Public Enum eWindowsDefinesParamsLogonProvider
            LOGON32_PROVIDER_DEFAULT = 0
            LOGON32_PROVIDER_WINNT35 = 1
            '#if(_WIN32_WINNT >= 0x0400)
            LOGON32_PROVIDER_WINNT40 = 2
            '#endif /* _WIN32_WINNT >= 0x0400 */
            '#if(_WIN32_WINNT >= 0x0500)
            LOGON32_PROVIDER_WINNT50 = 3
            '#endif // (_WIN32_WINNT >= 0x0500)
        End Enum

        <DllImport("advapi32.dll", SetLastError:=True)> _
        Public Shared Function LogonUser( _
            ByVal lpszUsername As String, _
            ByVal lpszDomain As String, _
            ByVal lpszPassword As String, _
            ByVal dwLogonType As Integer, _
            ByVal dwLogonProvider As Integer, _
            ByRef phToken As IntPtr) As Boolean
        End Function

        'DllImport is only valid on Shared methods.
        <DllImport("kernel32.dll", _
            CharSet:=System.Runtime.InteropServices.CharSet.Auto, SetLastError:=True)> _
        Public Shared Function CloseHandle(ByVal handle As IntPtr) As Boolean
        End Function

        Private Const VER_PLATFORM_WIN32_NT = &H2

    #Region " Web Form Designer Generated Code "

        'This call is required by the Web Form Designer.
        <System.Diagnostics.DebuggerStepThrough()> _
        Private Sub InitializeComponent()

        End Sub

        Private Sub Page_Init(ByVal sender As System.Object, _
            ByVal e As System.EventArgs) Handles MyBase.Init
            'CODEGEN: This method is required by the Web Form Designer.
            'Do not modify it using the code editor.
            InitializeComponent()
        End Sub

    #End Region

        Private Sub Page_Load(ByVal sender As System.Object, _
            ByVal e As System.EventArgs) Handles MyBase.Load
            Dim tokenHandle As IntPtr = IntPtr.Zero
            Dim result As Boolean = LogonUser("Administrator", "TEST", _
                "huhukolo72#", eWindowsDefinesParamsLogonType.LOGON32_LOGON_INTERACTIVE, _
                eWindowsDefinesParamsLogonProvider.LOGON32_PROVIDER_DEFAULT, tokenHandle)
            If result Then
                'logged in; release the token handle when done with it
                CloseHandle(tokenHandle)
            Else
                lblTest.Text = Marshal.GetLastWin32Error().ToString
            End If
        End Sub

    End Class
    =============/Code===============

    I get the error code 1314 without any text. Just 1314. I'll try to find out
    what that means.

    Regards Benni
     
    Benjamin Bittner, Jul 6, 2004
    #6
  7. That means "A required privilege is not held by the client". You can
    determine this easily by calling Marshal.GetLastWin32Error and passing the
    resulting code to the constructor on the
    System.ComponentModel.Win32Exception class.

    Basically what this means is that the code calling LogonUser doesn't have
    the "Act as part of the operating system" privilege that you need under
    Win2K. You might want to review your settings for the account that is calling
    this code.

    Joe K.

    "Benjamin Bittner" <benjamin_bittner[a_t]nospam.web.de> wrote in message
    news:...
    > Hallo Joe
    > "Joe Kaplan (MVP - ADSI)" <>

    schrieb
    > im Newsbeitrag news:...
    > > Hi Benni,
    > >
    > > Just to confirm that I understand what you are doing, you are calling
    > > CreateProcessWithLogonW from an ASP.NET application on Win2K with the
    > > current impersonated thread identity being a highly privileged admin

    > account
    > > and the process identity being the standard ASPNET worker process

    account,
    > > right?

    >
    > Exactly.
    >
    > > I'm not sure what the error you are getting is (VS2003 error lookup

    didn't
    > > seem to find it), but I was wondering if you can try calling the

    LogonUser
    > > API with the credentials you have first to create a logon token? Then

    > from
    > > there, perhaps you could try calling CreateProcessWithTokenW? That way,

    > you
    > > can determine if you can get the logon part working and can create the

    > token
    > > you need.
    > >

    >
    > Okay I tried that with this code:
    > =============Code===============
    > Option Strict Off
    > Option Explicit On
    > Imports System.Runtime.InteropServices
    >
    > Public Class WebForm4
    > Inherits System.Web.UI.Page
    >
    > Protected WithEvents lblTest As System.Web.UI.WebControls.Label
    >
    > Public Enum eWindowsDefinesParamsLogonType
    > LOGON32_LOGON_INTERACTIVE = 2
    > LOGON32_LOGON_NETWORK = 3
    > LOGON32_LOGON_BATCH = 4
    > LOGON32_LOGON_SERVICE = 5
    > LOGON32_LOGON_UNLOCK = 7
    > '#if(_WIN32_WINNT >= 0x0500)
    > LOGON32_LOGON_NETWORK_CLEARTEXT = 8
    > LOGON32_LOGON_NEW_CREDENTIALS = 9
    > '#endif // (_WIN32_WINNT >= 0x0500)
    > End Enum
    >
    > Public Enum eWindowsDefinesParamsLogonProvider
    > LOGON32_PROVIDER_DEFAULT = 0
    > LOGON32_PROVIDER_WINNT35 = 1
    > '#if(_WIN32_WINNT >= 0x0400)
    > LOGON32_PROVIDER_WINNT40 = 2
    > '#endif /* _WIN32_WINNT >= 0x0400 */
    > '#if(_WIN32_WINNT >= 0x0500)
    > LOGON32_PROVIDER_WINNT50 = 3
    > '#endif // (_WIN32_WINNT >= 0x0500)
    > End Enum
    >
    > <DllImport("advapi32.dll", SetLastError:=True)> _
    > Public Shared Function LogonUser( _
    > ByVal lpszUsername As String, _
    > ByVal lpszDomain As String, _
    > ByVal lpszPassword As String, _
    > ByVal dwLogonType As Integer, _
    > ByVal dwLogonProvider As Integer, _
    > ByRef phToken As IntPtr) As Boolean
    > End Function
    >
    > <DllImport("kernel32.dll", CharSet:=System.Runtime.InteropServices.CharSet.Auto, SetLastError:=True)> _
    > Public Function CloseHandle(ByVal handle As IntPtr) As Boolean
    > End Function
    >
    > Private Const VER_PLATFORM_WIN32_NT = &H2
    >
    > #Region " Web Form Designer generated code "
    >
    > 'This call is required by the Web Form Designer.
    > <System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()
    >
    > End Sub
    >
    > Private Sub Page_Init(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Init
    > 'CODEGEN: This method is required by the Web Form Designer.
    > 'Do not modify it using the code editor.
    > InitializeComponent()
    > End Sub
    >
    > #End Region
    >
    > Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    > Dim tokenHandle As IntPtr = IntPtr.Zero
    > Dim result As Boolean = LogonUser("Administrator", "TEST", _
    > "huhukolo72#", eWindowsDefinesParamsLogonType.LOGON32_LOGON_INTERACTIVE, _
    > eWindowsDefinesParamsLogonProvider.LOGON32_PROVIDER_DEFAULT, tokenHandle)
    > If result Then
    > 'logged in
    > Else
    > lblTest.Text = Marshal.GetLastWin32Error().ToString
    > End If
    > End Sub
    >
    > End Class
    > =============/Code===============
    >
    > I get the error code 1314 without any text. Just 1314. I'll try to find out
    > what that means.
    >
    > Regards Benni
    >
    >
     
    Joe Kaplan (MVP - ADSI), Jul 6, 2004
    #7
  8. Hello Joe
    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    > That means "A required privilege is not held by the client". You can
    > determine this easily by calling Marshal.GetLastWin32Error and passing the
    > resulting code to the constructor on the
    > System.ComponentModel.Win32Exception class.
    >
    > Basically what this means is that the code calling LogonUser doesn't have
    > the "Act as part of the operating system" privilege that you need under
    > Win2K. You might want to review your settings for the account that is calling
    > this code.
    >
    > Joe K.
    >

    I get the current user with WindowsIdentity.GetCurrent().Name. Current user
    is TEST/Administrator, which has the "Act as part of the operating system"
    privilege. With this I'm impersonating:
    <identity impersonate="true" userName="TEST\Administrator"
    password="myPassword"/>
    Are there some other rights that the account must have?

    regards benni
     
    Benjamin Bittner, Jul 7, 2004
    #8
  9. Hi Benjamin,

    According to the docs for LogonUser, you may also need
    SE_CHANGE_NOTIFY_NAME, but you probably already have that. I don't know
    what else to tell you. If you have SE_TCB_NAME, it should work (or at least
    give you a different error).

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Jul 7, 2004
    #9
  10. Hello Joe
    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    > Hi Benjamin,
    >
    > According to the docs for LogonUser, you may also need
    > SE_CHANGE_NOTIFY_NAME, but you probably already have that. I don't know
    > what else to tell you. If you have SE_TCB_NAME, it should work (or at least
    > give you a different error).
    >
    > Joe K.
    >

    First of all, thanks for your time, whether it worked or not.

    So I've triple checked every right, for testing I gave se_tcb_name to
    everyone. But still no changes.
    Do you know another forum or email I could get in contact with Microsoft or
    something else I could do to find out why this isn't working?

    regards Benni
     
    Benjamin Bittner, Jul 7, 2004
    #10
  11. You can always go through Microsoft Product Support Services to do a formal
    inquiry. Depending on the support arrangements with your organization, this
    may or may not cost you money.

    Other things you could do would be to inspect the current token you have to
    see if it actually contains the required privilege. You could write your
    own p/invoke to GetTokenInformation or try out something like the Win32
    security wrapper at GotDotNet.
    http://www.gotdotnet.com/Community/...mpleGuid=e6098575-dda0-48b8-9abf-e0705af065d9

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Jul 7, 2004
    #11
  12. Hello Joe
    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    > You can always go through Microsoft Product Support Services to do a formal
    > inquiry. Depending on the support arrangements with your organization, this
    > may or may not cost you money.
    >
    > Other things you could do would be to inspect the current token you have to
    > see if it actually contains the required privilege. You could write your
    > own p/invoke to GetTokenInformation or try out something like the Win32
    > security wrapper at GotDotNet.
    > http://www.gotdotnet.com/Community/...mpleGuid=e6098575-dda0-48b8-9abf-e0705af065d9
    >
    > Joe K.
    >

    I've downloaded the classes, but I don't know how to use them. If you know how
    to use them and would give me a hint, that would be great.

    thx in advance
    regards benni
     
    Benjamin Bittner, Jul 8, 2004
    #12
  13. I haven't really spent much time messing with them, so I can't give you many
    pointers. They have an abstract AccessToken with a Privileges property that
    will give you the information you want. I think the intent is for you to
    call the static AccessTokenThread method on the AccessTokenThread class.

    Hopefully that will help get you started. I believe Data Marvel has an API
    that you can use for this as well.

    GL!

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Jul 8, 2004
    #13
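
The token inspection suggested in posts #11 and #13, as an added example that is not part of the original thread and is not the GotDotNet wrapper's code: a VB.NET module that P/Invokes GetTokenInformation to list the privileges in the impersonated thread token and in the worker process token, so you can see whether SeTcbPrivilege is present and enabled in each. The names TokenPrivilegeDump, Describe and Report are made up for this example.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Text

' Added example: module and function names are hypothetical, not from the thread.
Public Module TokenPrivilegeDump
    Private Const TOKEN_QUERY As Integer = &H8
    Private Const TokenPrivileges As Integer = 3   ' TOKEN_INFORMATION_CLASS value
    Private Const SE_PRIVILEGE_ENABLED As Integer = &H2
    Private Const ERROR_NO_TOKEN As Integer = 1008

    <DllImport("kernel32.dll")> _
    Private Function GetCurrentThread() As IntPtr
    End Function
    <DllImport("kernel32.dll")> _
    Private Function GetCurrentProcess() As IntPtr
    End Function
    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function
    <DllImport("advapi32.dll", SetLastError:=True)> _
    Private Function OpenThreadToken(ByVal hThread As IntPtr, ByVal access As Integer, _
        ByVal openAsSelf As Boolean, ByRef hToken As IntPtr) As Boolean
    End Function
    <DllImport("advapi32.dll", SetLastError:=True)> _
    Private Function OpenProcessToken(ByVal hProcess As IntPtr, ByVal access As Integer, _
        ByRef hToken As IntPtr) As Boolean
    End Function
    <DllImport("advapi32.dll", SetLastError:=True)> _
    Private Function GetTokenInformation(ByVal hToken As IntPtr, ByVal infoClass As Integer, _
        ByVal info As IntPtr, ByVal length As Integer, ByRef needed As Integer) As Boolean
    End Function
    ' The 8-byte LUID structure is passed as a Long.
    <DllImport("advapi32.dll", CharSet:=CharSet.Auto, SetLastError:=True)> _
    Private Function LookupPrivilegeName(ByVal systemName As String, ByRef luid As Long, _
        ByVal name As StringBuilder, ByRef cchName As Integer) As Boolean
    End Function

    ' Lists each privilege in the token as "Name (enabled|disabled)", then closes the handle.
    Private Function Describe(ByVal label As String, ByVal hToken As IntPtr) As String
        Dim sb As New StringBuilder(label & Environment.NewLine)
        Dim needed As Integer = 0
        GetTokenInformation(hToken, TokenPrivileges, IntPtr.Zero, 0, needed)   ' size query
        Dim buffer As IntPtr = Marshal.AllocHGlobal(needed)
        Try
            If Not GetTokenInformation(hToken, TokenPrivileges, buffer, needed, needed) Then
                Throw New Win32Exception(Marshal.GetLastWin32Error())
            End If
            Dim count As Integer = Marshal.ReadInt32(buffer)   ' TOKEN_PRIVILEGES.PrivilegeCount
            For i As Integer = 0 To count - 1
                Dim offset As Integer = 4 + i * 12             ' LUID (8 bytes) + Attributes (4)
                Dim luid As Long = Marshal.ReadInt64(buffer, offset)
                Dim attrs As Integer = Marshal.ReadInt32(buffer, offset + 8)
                Dim name As New StringBuilder(256)
                Dim cch As Integer = name.Capacity
                If Not LookupPrivilegeName(Nothing, luid, name, cch) Then name.Append("(unknown LUID)")
                Dim state As String = "disabled"
                If (attrs And SE_PRIVILEGE_ENABLED) <> 0 Then state = "enabled"
                sb.Append("  " & name.ToString() & " (" & state & ")" & Environment.NewLine)
            Next
        Finally
            Marshal.FreeHGlobal(buffer)
            CloseHandle(hToken)
        End Try
        Return sb.ToString()
    End Function

    ' Describes the impersonated thread token (if any) and the worker process token.
    Public Function Report() As String
        Dim result As String
        Dim hToken As IntPtr = IntPtr.Zero
        If OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, True, hToken) Then
            result = Describe("Thread token (impersonated identity):", hToken)
        ElseIf Marshal.GetLastWin32Error() = ERROR_NO_TOKEN Then
            result = "Thread is not impersonating." & Environment.NewLine
        Else
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If
        If Not OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, hToken) Then
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If
        Return result & Describe("Process token (worker process identity):", hToken)
    End Function
End Module
```

Call it from Page_Load, for example `lblTest.Text = "<pre>" & Server.HtmlEncode(TokenPrivilegeDump.Report()) & "</pre>"`. A user right granted in Local Security Policy only appears in tokens created after the change, so restart the worker process (or log the account on again) before re-checking.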
  14. Try using RUNAS shell command:

    RUNAS USAGE:

    RUNAS [/profile] [/env] [/netonly] /user:<UserName> program

    /profile          if the user's profile needs to be loaded
    /env              to use current environment instead of user's.
    /netonly          use if the credentials specified are for remote access only.
    /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
    program           command line for EXE. See below for examples

    Examples:
    > runas /profile /user:mymachine\administrator cmd
    > runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
    > runas /env /user: "notepad \"my file.txt\""


    NOTE: Enter user's password only when prompted.
    NOTE: USER@DOMAIN is not compatible with /netonly.

    --
    Hope this helps,
    Zeeshan Mustafa, MCSD


    "Benjamin Bittner" <benjamin_bittner[a_t]nospam.web.de> wrote in message
    news:%...
    > Hello Joe and Zeeshan
    > "Joe Kaplan (MVP - ADSI)" <> wrote
    > in message news:...
    > > Under Win2K, you need the Act As Part of the Operating System privilege to
    > > call LogonUser or CreateProcessWithLogon. You only have this by default if
    > > you are the SYSTEM account. This may be part of the problem.
    > >
    > > Joe K.
    > >
    >
    > I think I tried everything. I'm impersonating already. But starting a process
    > from an ASP.NET app starts the process in the user context of the parent
    > process, which is the ASP.NET worker process, so impersonating won't help.
    > The Administrator account I'm trying to start my process in has the rights act
    > as part of the OS, increase quotas, replace a process level token. I've found
    > a comment in a script that calls CreateProcessWithLogonW:
    >
    > ' WARNING:
    > ' Do not use "." (local computer) for RUNAS_DOMAIN. I got some errors when I
    > ' used this class with "." on ASP.NET Applications (0xc0000142)
    > ' Instead, use the computer name or the domain associated with the user.
    > ' CreateProcessAsUser() requires that the caller has the following permissions
    > ' Permission                   Display Name
    > ' ---------------------------------------------------------------
    > ' SE_ASSIGNPRIMARYTOKEN_NAME   Replace a process level token
    > ' SE_INCREASE_QUOTA_NAME       Increase quotas
    >
    > 0xc0000142 is the exact error I'm getting. But I don't call the function with
    > "." for local, I call it with "TEST", which is the computer's name. I've
    > searched Google a lot for that error code, but there's just too much that can
    > cause this error. I found a possible solution that said that you have to do
    > "sfc /scannow" at cmd prompt to scan all protected system files. So I did
    > this, but the error stays. But by doing this, I found out something else,
    > that might be interesting for my problem. I couldn't do "/sfc /scannow", if I
    > was logged in on this server with the terminal service client (I don't
    > exactly know whether it is called this way in the US version, I just tried to
    > translate it), although I was logged in as Administrator. But sitting in
    > front of the machine, executing this command was no problem. Maybe there are
    > some restrictions on rights with external connections, but I didn't find
    > something.
    >
    > Regards Benni
    >
    >
    >
     
    M. Zeeshan Mustafa, Jul 12, 2004
    #14
  15. Hello Zeeshan
    "M. Zeeshan Mustafa" <> wrote in
    message news:...
    > Try using RUNAS shell command:
    >
    > RUNAS USAGE:
    >
    > RUNAS [/profile] [/env] [/netonly] /user:<UserName> program
    >
    > /profile if the user's profile needs to be loaded
    > /env to use current environment instead of user's.
    > /netonly use if the credentials specified are for remote access
    > only.
    > /user <UserName> should be in form USER@DOMAIN or DOMAIN\USER
    > program command line for EXE. See below for examples
    >
    > Examples:
    > > runas /profile /user:mymachine\administrator cmd
    > > runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
    > > runas /env /user: "notepad \"my file.txt\""

    >
    > NOTE: Enter user's password only when prompted.
    > NOTE: USER@DOMAIN is not compatible with /netonly.
    >
    > --
    > Hope this helps,
    > Zeeshan Mustafa, MCSD
    >
    >

    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    Dim psCscript As Process = New Process()
    With psCscript
    .StartInfo.FileName = "cmd.exe /C runas /user:TEST\Administrator ""cmd.exe /C C:\test_webs\tmpl.loopline.de\docs\mkw3site.vbs -r C:\test_webs\tmpl.test.de -t xyzclient.test.de -o 8080"""
    .StartInfo.Arguments = ""
    End With
    psCscript.Start()
    psCscript.WaitForExit()
    lblTest.Text = "Prozess beendet um: " & psCscript.ExitTime & "<br>" & _
    "Exit Code: " & psCscript.ExitCode
    psCscript.Close()

    lblTest.Text &= "<br> File Name: " & psCscript.StartInfo.FileName
    lblTest.Text &= "<br> Arguments: " & psCscript.StartInfo.Arguments
    End Sub

    But I don't know how to react to the password prompt.
    I executed this:
    runas /user:TEST\Administrator "cmd.exe /C C:\test_webs\tmpl.loopline.de\docs\mkw3site.vbs -r C:\test_webs\tmpl.test.de -t xyzclient.test.de -o 8080"
    and it prompted for the password. Then I entered the password, and the VB
    script gets executed correctly. So is there a way to react to the password
    prompt?

    regards Benni
     
    Benjamin Bittner, Jul 13, 2004
    #15
  16. You will need to redirect the input and output streams of the Process class
    so that you can send and receive text using them. This might work better if
    you call runas directly instead of calling it from a VBScript, but either
    might work.

    To redirect the streams, you need to set UseShellExecute to False and set
    RedirectStandardInput and RedirectStandardOutput to true. Then, you read
    and write to the streams on the Process instance.

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Jul 13, 2004
    #16
  17. Hello Joe,
    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    > You will need to redirect the input and output streams of the Process class
    > so that you can send and receive text using them. This might work better if
    > you call runas directly instead of calling it from a VBScript, but either
    > might work.
    >
    > To redirect the streams, you need to set UseShellExecute to False and set
    > RedirectStandardInput and RedirectStandardOutput to true. Then, you read
    > and write to the streams on the Process instance.
    >
    > Joe K.
    >


    Okay, this is what I got so far:

    ' Needs Imports System.Diagnostics (Process) and Imports System.IO (StreamWriter)
    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    Dim psCscript As Process = New Process()
    With psCscript
    .StartInfo.RedirectStandardInput = True
    .StartInfo.RedirectStandardOutput = True
    .StartInfo.UseShellExecute = False
    .StartInfo.FileName = "cmd"
    .StartInfo.Arguments = " /C runas /user:TEST\Administrator ""cmd.exe /C C:\test_webs\tmpl.loopline.de\docs\mkw3site.vbs -r C:\test_webs\tmpl.test.de -t xyzclient.test.de -o 8080"""
    End With
    psCscript.Start()
    Dim myStreamWriter As StreamWriter = psCscript.StandardInput
    myStreamWriter.WriteLine("myPassword")
    myStreamWriter.Close()
    psCscript.WaitForExit()
    lblTest.Text = "Process ended: " & psCscript.ExitTime & "<br>" & _
    "Exit Code: " & psCscript.ExitCode
    lblTest.Text &= "<br> File Name: " & psCscript.StartInfo.FileName
    lblTest.Text &= "<br> Arguments: " & psCscript.StartInfo.Arguments
    psCscript.Close()
    End Sub

    The result page displays:

    Process ended: 15.07.2004 09:42:12
    Exit Code: 0
    File Name: cmd
    Arguments: /C runas /user:TEST\Administrator "cmd.exe /C C:\test_webs\tmpl.loopline.de\docs\mkw3site.vbs -r C:\test_webs\tmpl.test.de -t xyzclient.test.de -o 8080"

    But nothing happens. If I use this line:

    cmd /C runas /user:TEST\Administrator "cmd.exe /C C:\test_webs\tmpl.loopline.de\docs\mkw3site.vbs -r C:\test_webs\tmpl.test.de -t xyzclient.test.de -o 8080"

    with Start > Execute on the TEST machine, it works.
    So I know there isn't much to track down the error, but maybe someone has an
    idea how it could be tracked down.

    regards benni
     
    Benjamin Bittner, Jul 15, 2004
    #17
  18. I have no idea why that isn't working. I'd suggest trying it from a console
    application where you can set it to create a window and add some
    thread.sleep statements to see if you can actually see what's going on.
    Maybe it will be obvious.

    You might also try calling runas directly instead of calling it through cmd.

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Jul 15, 2004
    #18
  19. Benjamin Bittner

    Alstersjo Guest

    Back to Original question

    Hi Benjamin.
    I solved this problem in a totally different way. I used WMI to create the process. I don't know if it will do it for you but here is my code anyway.
    I wish you good luck in your quest for a solution.

    Don't forget to:
    <code>
    Imports System.Management

    Function fnStartProcess()
    ' Create connection options
    Dim options As New ConnectionOptions()
    Dim servername As String = "ServerName"
    options.Username = "RD\" & Session("User")
    options.Password = Session("Passw")
    'Create a scope to work in
    Dim WmiScope As New ManagementScope("\\" & servername & "\root\cimv2", options)
    WmiScope.Connect()

    'Put user code to initialize the page here
    'Get the object on which the method will be invoked
    Dim processClass As New ManagementClass("Win32_Process")
    processClass.Scope = WmiScope


    'Get an input parameters object for this method
    Dim inParams As ManagementBaseObject = processClass.GetMethodParameters("Create")

    'Fill in input parameter values
    inParams("CommandLine") = "calc.exe" ' Or whatever application you want

    'Execute the method
    Dim outParams As ManagementBaseObject = processClass.InvokeMethod("Create", inParams, Nothing)

    'Display results
    'Note: The return code of the method is provided in the "returnValue" property of the outParams object
    Response.Write(("Creation of calculator process returned: " & outParams("returnValue").ToString))
    Response.Write(("Process ID: " & outParams("processId").ToString))
    End Function
    </code>
     
    Alstersjo, Jul 16, 2004
    #19