[python-win32] Interacting with the desktop as a service onVista

Matt Herbert (matherbe) matherbe at cisco.com
Fri Oct 24 22:01:07 CEST 2008 

Hey all,

So I think I found the missing piece of the riddle. My problem was that
the sub process I was creating via CreateProcessAsUser was ending up on
the default desktop of terminal services session 0. This is where all
services end up on Vista. The interactive desktop, however, is on
terminal services session 1 (usually). So, instead of using the
LogonUser function, I should have used the WTSQueryUserToken() function
to get the token of logged on user (requires SE_TCB_NAME privilege).

The long and the short of it, if you have a service that needs to
interact with the user, then the basic outline of the steps you will
need to perform is:

    session = WTSGetActiveConsoleSessionId() *[1]
    <add SE_TCB_NAME privilege>
    token = WTSQueryUserToken(session)
    CreateProcessAsUser(token, ...)
    <remove SE_TCB_NAME privilege>
    token.Close()

You may also need to Impersonate the user if there is question of
whether or not the service would be able to access the executable you
are trying to run. Also, with this method, you do not have to mess
around with the DACL's for the different windows stations and desktops
... Much easier!

NOTES:

[1] On my python (active state 2.5.1), the
WTSGetActiveConsoleSessionId() function raises NotImplementedError.
However, I can easily run it by just invoking it through ctypes:
ctypes.windll.kernel32.WTSGetActiveConsoleSessionId() Is this a bug?

-Matt
    

> -----Original Message-----
> From: python-win32-bounces+matherbe=cisco.com at python.org 
> [mailto:python-win32-bounces+matherbe=cisco.com at python.org] 
> On Behalf Of Tim Roberts
> Sent: Friday, October 24, 2008 2:41 PM
> To: Python-Win32 List
> Subject: Re: [python-win32] Interacting with the desktop as a 
> service onVista
> 
> Matt Herbert (matherbe) wrote:
> > Steven,
> >  
> > Thanks, I will give this a try.
> >  
> > So then, is it fair to say that it is not possible (on 
> Vista) to have 
> > a service spawn a process as a different user, and have that new 
> > process interact with the desktop?
> 
> No, that's not fair to say!  The mechanism you are using should work. 
> That's the mechanism Microsoft recommends. There's something 
> going wrong in the process, but the concept is correct.  I 
> didn't reply because I couldn't spot the problem off the top 
> of my head, but you are on the right track.
> 
> --
> Tim Roberts, timr at probo.com
> Providenza & Boekelheide, Inc.
> 
> _______________________________________________
> python-win32 mailing list
> python-win32 at python.org
> http://mail.python.org/mailman/listinfo/python-win32
>

More information about the python-win32 mailing list