How to run an application under active session account from a Windows service using Delphi
To run an application from a service impersonating an user account, first we need to install "JEDI API Library & Security Code Library" as it contains different interesting OS callings which are really useful in order to achieve our purposes. Once the library has been unzipped, create your own service where the library is located and add the following paths to your search path in your project options:
Then instead of using CreateProcess function to execute an application, we need to use CreateProcessAsUser function. The new process runs in the security context of the user represented by the specified token. The service must be run by the LocalSystem account which is a predefined local account used by the service control manager. To be able to use the function from jedi-apilib which retrieves the token from the current user we need to use WTSQueryUserToken ( WtsGetActiveConsoleSessionID, hToken ) function. This function will only work under LocalSystem account which has SE_TCB_NAME property enabled, otherwise the query will be false.
Use the following example within your service:
Related links:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .\JEDI API 2.3 and JEDI WSCL 0.9.3\jwa\branches\2.3\Common | |
| .\JEDI API 2.3 and JEDI WSCL 0.9.3\jwa\branches\2.3\Win32API |
Then instead of using CreateProcess function to execute an application, we need to use CreateProcessAsUser function. The new process runs in the security context of the user represented by the specified token. The service must be run by the LocalSystem account which is a predefined local account used by the service control manager. To be able to use the function from jedi-apilib which retrieves the token from the current user we need to use WTSQueryUserToken ( WtsGetActiveConsoleSessionID, hToken ) function. This function will only work under LocalSystem account which has SE_TCB_NAME property enabled, otherwise the query will be false.
Use the following example within your service:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| uses | |
| ComObj, ActiveX, JwaWinbase, JwaWtsApi32; | |
| {$R *.DFM} | |
| procedure ServiceController(CtrlCode: DWORD); stdcall; | |
| begin | |
| ServiceExample.Controller(CtrlCode); | |
| end; | |
| function TServiceExample.GetServiceController: TServiceController; | |
| begin | |
| Result := ServiceController; | |
| end; | |
| procedure TServiceExample.ServiceExecute(Sender: TService); | |
| begin | |
| Timer1.Enabled := True; | |
| while not Terminated do | |
| ServiceThread.ProcessRequests(True); // wait for termination | |
| Timer1.Enabled := False; | |
| end; | |
| procedure TServiceExample.Timer1Timer(Sender: TObject); | |
| const | |
| ProgramName = 'C:\myTestproject1.exe'; | |
| var | |
| hToken: THandle; | |
| StartupInfo: Windows.TStartupInfo; | |
| ProcessInfo: Windows.TProcessInformation; | |
| res: boolean; | |
| begin | |
| Windows.GetStartupInfo(StartupInfo); | |
| if WTSQueryUserToken(WtsGetActiveConsoleSessionID, hToken) then | |
| begin | |
| res := Windows.CreateProcessAsUser(hToken, ProgramName, nil, nil, nil, False, CREATE_NEW_CONSOLE, nil, nil, StartupInfo, ProcessInfo); | |
| if res then | |
| WaitForSingleObject(ProcessInfo.hProcess,INFINITE); | |
| end; | |
| end; |
Related links:
Wrote about that while ago. Also with example project:
ReplyDeletehttp://www.cromis.net/blog/2010/01/how-to-start-a-gui-process-from-service-under-windows-vista7/
Thanks for letting me know. It is actually a very good article.
DeleteThanks very much for this example. This is the only working version in delphi i have found.
ReplyDeleteMuch less code and still working fine. Thanks again for share this code.
Glad that it helped!
DeleteRegards,
Jordi
Thank you for great such great article. Now I can actually make use of JEDI API.
ReplyDeleteThank you, great help.
ReplyDeleteI have noticed you are using the ttimer component, can I use any kind of none-visual components? for example a shell notification component should work? ate there any limitations?
Hi Zvika,
DeleteIt should be fine, you can use any kind of component.
Cheers,
Jordi
Thanks for the example! According to https://docs.microsoft.com/en-us/windows/win32/api/wtsapi32/nf-wtsapi32-wtsqueryusertoken
ReplyDeleteYou must call closehandle to close the handle