I have a C# Windows service that runs with elevated privileges. One of the service's jobs is to create a new local user account and use that account to perform some setup tasks (setting some registry values, etc.). The service runs under the "Local System" account.
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
using (var proc = new Process())
using (var password = new SecureString())
{
    foreach (var c in accountPassword)
    {
        password.AppendChar(c);
    }

    proc.StartInfo = new ProcessStartInfo(
        pathToExecutable,
        arguments)
    {
        LoadUserProfile = true,
        UseShellExecute = false,
        CreateNoWindow = true,
        RedirectStandardError = true,
        RedirectStandardInput = true,
        RedirectStandardOutput = true,
        Domain = accountDomain,
        UserName = accountName,
        Password = password
    };

    StringWriter outWriter = new StringWriter(), errWriter = new StringWriter();
    proc.OutputDataReceived += (o, e) => outWriter.Write(e.Data);
    proc.ErrorDataReceived += (o, e) => errWriter.Write(e.Data);
    proc.EnableRaisingEvents = true;
    proc.Start(); // <-- exception thrown here
...
System.ComponentModel.Win32Exception (0x80004005): Access is denied at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo) at ...
If I go to the local Services control panel, I can change the service so that it runs under an administrator's account (i.e. "JoeAdmin", not "Administrator"), and then the program succeeds. Here is the frustrating part: I tried running whoami.exe /priv from the service to see which privileges I have as "JoeAdmin" that I don't have as "Local System" that would cause the program to fail. Spoiler: according to whoami, "Local System" has every privilege that "JoeAdmin" has, with one exception (SeRemoteShutdownPrivilege, which I hope doesn't matter).

(As a reminder, the operation fails with these privileges.)
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token             Disabled
SeLockMemoryPrivilege           Lock pages in memory                      Enabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeTcbPrivilege                  Act as part of the operating system       Enabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Enabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Enabled
SeCreatePagefilePrivilege       Create a pagefile                         Enabled
SeCreatePermanentPrivilege      Create permanent shared objects           Enabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Enabled
SeAuditPrivilege                Generate security audits                  Enabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Enabled
SeTimeZonePrivilege             Change the time zone                      Enabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Enabled
(The operation succeeds with these privileges.)
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
Can I spawn a process from the Local System account? Alternatively, since the service is installed by a WiX installer, can I give the service the correct permissions through the installer?
<ServiceInstall
    Id="ServiceInstaller"
    Type="ownProcess"
    Name="MyCoolService"
    DisplayName="My Cool Service"
    Description="My Cool Service Component"
    Start="auto"
    ErrorControl="normal" />
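The privilege comparison the question does by eye, as an added example that is not part of the original post: a small parser for `whoami /priv` output and a diff of the two listings (which privileges exist on only one side, and which shared ones differ in Enabled/Disabled state). The sample data is the two listings above, condensed to privilege name and state; everything else is the example's own.

```python
import re

# Constructed sample: the two whoami /priv listings from the question, condensed
# to privilege name and state (the Description column is dropped for brevity).
LOCAL_SYSTEM = """
SeAssignPrimaryTokenPrivilege Disabled SeLockMemoryPrivilege Enabled SeIncreaseQuotaPrivilege Disabled
SeTcbPrivilege Enabled SeSecurityPrivilege Disabled SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled SeSystemProfilePrivilege Enabled SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege Enabled SeIncreaseBasePriorityPrivilege Enabled SeCreatePagefilePrivilege Enabled
SeCreatePermanentPrivilege Enabled SeBackupPrivilege Disabled SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled SeDebugPrivilege Enabled SeAuditPrivilege Enabled
SeSystemEnvironmentPrivilege Disabled SeChangeNotifyPrivilege Enabled SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled SeImpersonatePrivilege Enabled SeCreateGlobalPrivilege Enabled
SeIncreaseWorkingSetPrivilege Enabled SeTimeZonePrivilege Enabled SeCreateSymbolicLinkPrivilege Enabled
"""
JOE_ADMIN = """
SeIncreaseQuotaPrivilege Disabled SeSecurityPrivilege Disabled SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled SeSystemProfilePrivilege Disabled SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege Disabled SeIncreaseBasePriorityPrivilege Disabled SeCreatePagefilePrivilege Disabled
SeBackupPrivilege Disabled SeRestorePrivilege Disabled SeShutdownPrivilege Disabled SeDebugPrivilege Disabled
SeSystemEnvironmentPrivilege Disabled SeChangeNotifyPrivilege Enabled SeRemoteShutdownPrivilege Disabled
SeUndockPrivilege Disabled SeManageVolumePrivilege Disabled SeImpersonatePrivilege Enabled
SeCreateGlobalPrivilege Enabled SeIncreaseWorkingSetPrivilege Disabled SeTimeZonePrivilege Disabled
SeCreateSymbolicLinkPrivilege Disabled
"""

# Tokenise rather than parse columns: privilege names and states are unambiguous
# words, so this works on real multi-line output and on run-together pastes.
TOKEN = re.compile(r"\bSe\w+Privilege\b|\b(?:Enabled|Disabled)\b")

def parse_priv(text):
    """Map privilege name -> state for one `whoami /priv` listing."""
    privs, pending = {}, None
    for tok in TOKEN.findall(text):
        if tok in ("Enabled", "Disabled"):
            if pending:
                privs[pending], pending = tok, None
        else:
            pending = tok
    return privs

def compare_priv(failing, working):
    """Privileges held on only one side, plus shared ones whose state differs."""
    a, b = parse_priv(failing), parse_priv(working)
    return {
        "only_failing": sorted(set(a) - set(b)),
        "only_working": sorted(set(b) - set(a)),
        "state_differs": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }
```

Run `compare_priv(LOCAL_SYSTEM, JOE_ADMIN)` to reproduce the observation in the question: the only privilege JoeAdmin holds that Local System lacks is SeRemoteShutdownPrivilege, while Local System holds five extra ones and has several shared privileges enabled that JoeAdmin has disabled.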