Createprocessasuser Error 5
Contents |
Campos MagencioMarch 9, 20122 0 0 0 Hi all, The other day I worked on a support case where a Windows service running as System in Session 0 was creating a processalso running as System
Create_breakaway_from_job
in Session 0, and this new process failed to create another process in the failed to create process access is denied netbeans logged-on user's session (Session 2 in this particular case). And it failed because CreateProcessAsUser API didn't work and returned error failed to create process access is denied (5) 5 (Access Denied). Note the issue happened on Windows 7, and because of Session 0 Isolation the logged-on user and the service (and its child process running as System) were running in different sessions.
Createprocessasuser Example C++
To understand what was going on exactly, I did some kernel debugging of the issue and saw that the error in CreateProcessAsUser happened when trying to bind the process we were trying to spawn to its parent's Job (the Job that the process that the service spawned as System was a member of). Indeed, I could verify with Process Explorerthat the process running as System in Session
Detached_process
0 was member of a Job, by checking the properties of the process and going to the Job tab (note: when there is no Job, there is no Job tab). After a process is associated with a job, by default any child processes it creates are also associated with the job (see Job Objects for more details on this). But the following is also documented: AssignProcessToJobObject function"Terminal Services: All processes within a job must run within the same session as the job." Which means that, as the new process we are trying to create is in a different session than its parent, we will fail to bind it to its parent's Job. The only way to work around this, would be to create the process in the different session by passing this flag to the CreateProcessAsUser API: Process Creation Flags“CREATE_BREAKAWAY_FROM_JOB 0x01000000The child processes of a process associated with a job are not associated with the job. If the calling process is not associated with a job, this constant has no effect. If the calling process is associated with a job, the job must set the JOB_OBJECT_LIMIT_BREAKAWAY_OK limit. “ I hope this helps. Regards, Alex (Alejandro Campos Magencio) Tags NT Services Windows
here for a quick overview of the site Help Center Detailed answers to any questions createprocesswithlogonw you might have Meta Discuss the workings and policies of this site About Us Learn more about Stack Overflow the company Business Learn more about hiring developers or posting ads with us Stack Overflow Questions Jobs Documentation Tags Users Badges Ask Question x Dismiss Join the Stack Overflow Community Stack Overflow is a https://blogs.msdn.microsoft.com/alejacma/2012/03/09/createprocessasuser-fails-with-error-5-access-denied-when-using-jobs/ community of 4.7 million programmers, just like you, helping each other. Join them; it only takes a minute: Sign up CreateProcessAsUser generating error 5 up vote 0 down vote favorite 2 I've tried mixing the code here and here to run an GUI exe from a service that was initialized through QtService, but http://stackoverflow.com/questions/32638655/createprocessasuser-generating-error-5 whenever I run the code bellow I get an error 5 from the CreateProcessAsUser. Also, I saw the answer to a similar question here on StackOverflow but couldn't figure out how the DACL is related with the problem, and can't use the answer by Harry Johnson because I wouldn't have the logon info from the users. So, can someone help me understand why am I receiving the error 5 (Acess Denied) from the code below? if(initUiWin()) log->write("InitUiWin executed."); else { QString errorNumber = QString::number(GetLastError()); log->write("InitUiWin error: " + errorNumber); } - bool initUiWin() { // obtain the currently active session id; every logged on // User in the system has a unique session id uint dwSessionId = WTSGetActiveConsoleSessionId(); // obtain the process id of the winlogon process that // is running within the currently active session QString processName("winlogon.exe"); DWORD winlogonPID = FindProcessId(processName.toStdWString(),dwSessionId); if( winlogonPID != 0 ) { HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, winlogonPID); HANDLE hToken; OpenProcessToken(hProcess
here for a quick overview of the site Help Center Detailed answers to any questions you might have Meta Discuss the workings and policies of this site About Us Learn more about Stack Overflow the company http://stackoverflow.com/questions/22161929/createprocessasuser-under-local-system-admin-returns-5-acces-denied Business Learn more about hiring developers or posting ads with us Stack Overflow Questions Jobs Documentation Tags Users Badges Ask Question x Dismiss Join the Stack Overflow Community Stack Overflow is a community of 4.7 million programmers, just like you, helping each other. Join them; it only takes a minute: Sign up CreateProcessAsUser under Local System Admin returns “5: acces denied” up vote 0 down vote favorite 1 I've been struggling to launch a failed to process started under Local System Account (via remote deployment service) under another registered user account. I've followed these steps: http://msdn.microsoft.com/en-us/library/windows/desktop/aa379608%28v=vs.85%29.aspx And it works on my local XP-machine. I.e. my process is started from the registered user account and executes everything in the right context. But one of the users (also on XP) has issues, getting error code 5 after CreateProcessAsUser. I cannot reproduce this and am trying to investigate why this is happening. Interestingly failed to create I even removed the permissions to Read/Execute for my registered admin on a specific folder I've got my exe in, but it still runs everything, so I'm not quite sure where to look to find the source of the problem. I would appreciate any advice in which direction to look in order to resolve this. Maybe you've had similar experience and managed to find a way how to resolve this? Thanks! PS I'm simulating local system admin via psexec /si cmd c windows winapi admin sccm share|improve this question edited Mar 4 '14 at 10:00 asked Mar 4 '14 at 2:51 user1552175 637 1 I think you've got the wrong link there. –Harry Johnston Mar 4 '14 at 3:23 Does the account have the appropriate logon right? (Which logon right is needed depends on the flags you've passed to LogonUser.) –Harry Johnston Mar 4 '14 at 3:25 @HarryJohnston: Thanks, fixed the link. As I mentioned it works fine on my machine when I'm under system account and the user can run the process when he's logged in under the target user account (i.e. the user has the right to execute this binary). So not exactly sure why access is denied. BTW As a side note, the package is advertised through SCCM, so I wonder if ther