CreateProcessWithLogonW和ASP.NET [英] CreateProcessWithLogonW and ASP.NET

问题描述

我试图从

网页的服务器端代码中使用CreateProcessWithLogonW（是的，我想在服务器上创建一个进程）并且没有太多

运气。


我正在尝试运行VPScan，一个不受支持的命令行病毒扫描程序来自Symantec的
，用于检查上传的文件是否有病毒。起初，我用一个DLL包装了

VPScan并将其作为COM +组件运行，发现只有当有人登录并且设置为运行时它才能工作

作为交互式的

用户。这个小命令行工具由于某种原因需要用户登录。它实际上需要访问HKEY_CURRENT_USER（我用regmon验证了这个

）。 br />

然后我查看了System.Diagnostics.Process对象，发现它没有b $ b无法执行run as。然后我尝试模拟和DuplicateTokenEx和

发现，因为ASP.NET在线程级别实现模拟并且

不是进程级别，我总是得到ASPNET的令牌帐户。不好。


我认为CreateProcessWithTokenW对我有用，但最终结果

需要在Windows XP Pro（开发机器），Windows Server上运行2000

和Windows Server 2003. CreateProcessWithTokenW仅适用于Windows

Server 2003.


然后我将注意力转向CreateProcessWithLogonW。从我读过的，

这对XP SP2没有用，人们建议回到

LoadUserProfile和CreateProcessAsUser。但是我正在阅读为了使这个工作起作用，创建用户上下文需要作为

操作系统的一部分。用户权利。这对我来说绝对不是一个选项。


任何人都可以告诉我，事实上，CreateProcessWithLogonW确实可以从ASP.NET应用程序中运行
正确登录指定的用户

表示执行指定进程所需的时间长度？感谢

的帮助。


- 戴夫

解决方案

< blockquote>

" David Davidson" <哒************ @ newsgroup.nospam>在消息中写道

新闻：49 ********************************** @ microsof t.com ...

我试图从
网页的服务器端代码中使用CreateProcessWithLogonW（是的，我想在服务器上创建一个进程）并且没有多少运气。

我正在尝试运行来自赛门铁克的VPScan，一个不受支持的命令行病毒扫描程序来检查上传的文件病毒。首先，我用一个DLL包装了VPScan并将其作为一个COM +组件运行，发现它只有在有人登录并且设置为以交互方式运行时才会工作
用户。这个小命令行工具，出于某种原因，需要一个
用户登录。它实际上需要访问HKEY_CURRENT_USER（我用regmon验证了这个
）。然后我查看了System.Diagnostics.Process对象，发现它无法执行run as。然后我尝试了模拟和DuplicateTokenEx
并且发现，由于ASP.NET在线程级别实现模拟，而不是进程级别，我总是得到ASPNET帐户的令牌。不好

我认为CreateProcessWithTokenW对我有用，但结果
结果需要在Windows XP Pro（开发机器），Windows Server上运行2000
和Windows Server 2003. CreateProcessWithTokenW仅适用于Windows
Server 2003.

然后我将注意力转向CreateProcessWithLogonW。从我读过的内容来看，
这对XP SP2没有用，人们建议回到
LoadUserProfile和CreateProcessAsUser。但是我正在阅读，为了使这个工作起作用，创建用户上下文需要作为操作系统的一部分。用户权利。这对我来说绝对不是一个选择。

任何人都可以肯定地告诉我，CreateProcessWithLogonW确实在ASP.NET应用程序中工作并正确登录指定
用户
指定进程执行的时间长度？感谢

帮助。

- Dave

CreateProcessWithLogonW需要W2K或更高版本，只有限制是

你不能从作为LocalSystem运行的进程中调用它。


所有你需要知道的关于CreateProcessWithLogonW的信息可以在
$中找到b $ b Platform SDK文档：
http://msdn.microsoft.com/library/de...withlogonw.asp


Willy。


Willy。

老兄，我在P / Invokes时住在图书馆。 :)


我有一个可以在WinForms或控制台应用程序中正常工作的实现，

但是无法使用WebForms应用程序。从我在其他论坛中读到的内容，

这是因为CreateProcessWithLogonW在ASPNET的用户

上下文中运行。 WinXP SP2及更高版本添加了一个SecLogon服务来处理所有run as

调用，并且出于安全原因它不允许来自ASPNET的调用。我在非Microsoft论坛上看过这个，但现在我正在寻找

官方微软新闻组的验证。有谁知道这是真的吗？


- 戴夫

Willy Denoyette [MVP]"写道：

David Davidson <哒************ @ newsgroup.nospam>在消息中写道
新闻：49 ********************************** @ microsof t.com。 ..

我试图从
网页的服务器端代码中使用CreateProcessWithLogonW（是的，我想在服务器上创建一个进程）而没有
很多
运气。

我正在尝试运行来自赛门铁克的VPScan，这是一个不受支持的命令行病毒扫描程序，用于检查上传的文件是否存在病毒。首先，我用一个DLL包装了VPScan并将其作为一个COM +组件运行，发现它只有在有人登录并且设置为以交互方式运行时才会工作
用户。这个小命令行工具，出于某种原因，需要一个
用户登录。它实际上需要访问HKEY_CURRENT_USER（我用regmon验证了这个
）。然后我查看了System.Diagnostics.Process对象，发现它无法执行run as。然后我尝试了模拟和DuplicateTokenEx
并且发现，由于ASP.NET在线程级别实现模拟，而不是进程级别，我总是得到ASPNET帐户的令牌。不好

我认为CreateProcessWithTokenW对我有用，但结果
结果需要在Windows XP Pro（开发机器），Windows Server上运行2000
和Windows Server 2003. CreateProcessWithTokenW仅适用于Windows
Server 2003.

然后我将注意力转向CreateProcessWithLogonW。从我读过的内容来看，
这对XP SP2没有用，人们建议回到
LoadUserProfile和CreateProcessAsUser。但是我正在阅读，为了使这个工作起作用，创建用户上下文需要作为操作系统的一部分。用户权利。这对我来说绝对不是一个选择。

任何人都可以肯定地告诉我，CreateProcessWithLogonW确实在ASP.NET应用程序中工作并正确登录指定
用户
指定进程执行的时间长度？感谢
提供帮助。

- Dave

CreateProcessWithLogonW需要W2K或更高版本，唯一的限制就是
你无法从作为LocalSystem运行的进程中调用它。

您可以在
Platform SDK文档中找到有关CreateProcessWithLogonW的所有信息：
http：// msdn。 microsoft.com/library/de...withlogonw.asp

Willy。

Willy。

嗨Dave，


AS为CreateProcessWithLogonW，根据我的研究，主要问题

限制了它的使用在asp.net网络应用程序中，

CreateProcessWithLogonW（）内部连接到名为

辅助登录服务的服务。通过命名管道。辅助登录服务

使用DACL保护此管道，该DACL仅授予本地

管理员，本地系统和交互式用户访问的成员;所有其他人

被特别拒绝访问。由于ASPNET帐户在其令牌中具有服务

和批量权限，因此拒绝访问命名管道。所以我建议你不要在asp.net或其他

非交互式（批量或服务登录）服务中使用CreateProcessWithLogonW函数....


谢谢，


Steven Cheng

Microsoft在线支持


安全！ www.microsoft.com/security

（此帖子按原样提供，不作任何保证，并且不授予

权利。）


------------ --------

| Thread-Topic：CreateProcessWithLogonW和ASP.NET

| thread-index：AcXZ4pjFWT / QAXfER8KH / 6tynIACLA ==

| X-WBNR-Posting-Host：209.218.132.3

|来自：=？Utf-8？B？RGF2aWQgRGF2aWRzb24 =？= < da ************ @ newsgroup.nospam>

|参考文献：< 49 ********************************** @ microsoft.co m>

< u5 ************** @ TK2MSFTNGP15.phx.gbl>

|主题：Re：CreateProcessWithLogonW和ASP.NET

|日期：2005年10月25日星期二21:06:09 -0700

|行数：80

|消息ID：< 34 ********************************** @ microsoft.co m>

| MIME版本：1.0

|内容类型：text / plain;

| charset =" Utf-8"

|内容传输编码：7位

| X-Newsreader：适用于Windows 2000的Microsoft CDO

| Content-Class：urn：content-classes：message

|重要性：正常

|优先级：正常

| X-MimeOLE：由Microsoft MimeOLE制作V6.00.3790.0

|新闻组：microsoft.public.dotnet.languages.csharp

| NNTP-Posting-Host：TK2MSFTNGXA03.phx.gbl 10.40.2.250

|路径：TK2MSFTNGXA01.phx.gbl！TK2MSFTNGXA03.phx.gbl

|外翻：TK2MSFTNGXA01.phx.gbl

microsoft.public.dotnet.languages.csharp：131787

| X-Tomcat-NG：microsoft.public.dotnet.languages.csharp

|

|伙计，我在P / Invokes时住在图书馆。 :)

|

|我有一个可以在WinForms或控制台上运行良好的实现

app，

|但是不能使用WebForms应用程序。从我在其他

论坛上读到的内容，

|这是因为CreateProcessWithLogonW在ASPNET的用户中运行

|上下文。 WinXP SP2及更高版本添加了一个SecLogon服务来处理所有运行

as

|由于安全原因，它不允许来自ASPNET的呼叫。我已经

阅读

|这在非Microsoft论坛中，所以现在我在这里寻找验证



|官方微软新闻组。有谁知道这是真的吗？

|

| - 戴夫

|

|

| Willy Denoyette [MVP]"写道：

|

| >

| > 戴维戴维森 <哒************ @ newsgroup.nospam>在消息中写道

| >新闻：49 ********************************** @ microsof t.com ...

| > >我试图从服务器端使用CreateProcessWithLogonW

代码

| > > a

| > >网页（是的，我想在服务器上创建一个进程）而不是

有

| > >很多

| > >好运。

| > >

| > >我试图运行VPScan，一个不受支持的命令行病毒

扫描仪

| > >来自Symantec，检查上传的文件是否有病毒。起初，我把b $ b包裹起来

| > >带有DLL的VPScan并将其作为COM +组件运行并发现它

将

| > >工作

| > >只有当有人登录并且它被设置为以

交互式运行时

| > >用户。这个小命令行工具，出于某种原因，要求

a

| > >用户

| > >登录。它实际上需要访问HKEY_CURRENT_USER（我已经过验证

|>>这个

|>>与regmon ）。

| > >

| > >然后我查看了System.Diagnostics.Process对象，发现

它

| > >不能做跑。然后我尝试模仿和

DuplicateTokenEx

| > >和

| > >发现，因为ASP.NET在线程上实现模拟

级别和

| > >不是进程级别，我总是得到ASPNET帐户的令牌。

不是

| > >好的。

| > >

| > >我以为CreateProcessWithTokenW对我有用，但结束了

| > >结果

| > >需要在Windows XP Pro（开发机器），Windows Server上运行

2000

| > >和Windows Server 2003. CreateProcessWithTokenW仅适用于

Windows

| > > Server 2003.

| > >

| > >然后我把注意力转向了CreateProcessWithLogonW。从什么

我已经

| > >阅读，

| > >这不适用于XP SP2，人们建议回到

| > > LoadUserProfile和CreateProcessAsUser。但我正在阅读

命令

| > >对于

| > >这项工作，创建用户上下文需要作为

|的一部分> > 操作系统用户权利。这绝对不是

我的选择。

| > >

| > >任何人都可以肯定地告诉我CreateProcessWithLogonW，

in

| > >事实上，

| > >从ASP.NET应用程序工作并正确登录指定的



| > >用户

| > >指定进程执行的时间长度？

谢谢

| > >对于

| > >帮助。

| > >

| > > - 戴夫

| > >

| >

| > CreateProcessWithLogonW需要W2K或更高版本，只有限制是



| >你不能从作为LocalSystem运行的进程中调用它。

| >

| >您可以在

|中找到有关CreateProcessWithLogonW的所有信息> Platform SDK文档：

| >
http://msdn.microsoft.com/library/de...us/dllproc/bas

e / createprocesswithlogonw.asp

| >

| >威利。

| >

| >威利。

| >

| >

| >

|

I am attempting to use CreateProcessWithLogonW from the server-side code of a
web page (yes, I want to create a process on the server) and not having much
luck.

I am attempting to run VPScan, an unsupported command-line virus scanner
from Symantec, to check an uploaded file for viruses. At first, I wrapped
VPScan with a DLL and ran it as a COM+ component and found that it would work
only when someone was logged on and it was set to run as the interactive
user. This little command-line tool, for some reason, requires that a user
be logged in. It actually needs access to HKEY_CURRENT_USER (I verified this
with regmon).

I then looked into the System.Diagnostics.Process object and found that it
couldn''t do a "run as." Then I tried impersonation and DuplicateTokenEx and
found that, since ASP.NET implements impersonation at the thread level and
not the process level, I always got a token for the ASPNET account. Not good.

I thought that CreateProcessWithTokenW would work for me, but the end result
needs to run on Windows XP Pro (development machines), Windows Server 2000
and Windows Server 2003. CreateProcessWithTokenW only works on Windows
Server 2003.

Then I turned my attention to CreateProcessWithLogonW. From what I''ve read,
this doesn''t work with XP SP2 and people are suggesting going back to
LoadUserProfile and CreateProcessAsUser. But I''m reading that in order for
this to work, the creating user context needs the "Act as part of the
operating system" user right. This is definitely not an option for me.

Can anybody tell me definitively that CreateProcessWithLogonW does, in fact,
work from an ASP.NET application and does properly log on the specified user
for the length of time it takes the specified process to execute? Thanks for
the help.

- Dave

解决方案

"David Davidson" <da************@newsgroup.nospam> wrote in message
news:49**********************************@microsof t.com...

I am attempting to use CreateProcessWithLogonW from the server-side code of
a
web page (yes, I want to create a process on the server) and not having
much
luck.

I am attempting to run VPScan, an unsupported command-line virus scanner
from Symantec, to check an uploaded file for viruses. At first, I wrapped
VPScan with a DLL and ran it as a COM+ component and found that it would
work
only when someone was logged on and it was set to run as the interactive
user. This little command-line tool, for some reason, requires that a
user
be logged in. It actually needs access to HKEY_CURRENT_USER (I verified
this
with regmon).

I then looked into the System.Diagnostics.Process object and found that it
couldn''t do a "run as." Then I tried impersonation and DuplicateTokenEx
and
found that, since ASP.NET implements impersonation at the thread level and
not the process level, I always got a token for the ASPNET account. Not
good.

I thought that CreateProcessWithTokenW would work for me, but the end
result
needs to run on Windows XP Pro (development machines), Windows Server 2000
and Windows Server 2003. CreateProcessWithTokenW only works on Windows
Server 2003.

Then I turned my attention to CreateProcessWithLogonW. From what I''ve
read,
this doesn''t work with XP SP2 and people are suggesting going back to
LoadUserProfile and CreateProcessAsUser. But I''m reading that in order
for
this to work, the creating user context needs the "Act as part of the
operating system" user right. This is definitely not an option for me.

Can anybody tell me definitively that CreateProcessWithLogonW does, in
fact,
work from an ASP.NET application and does properly log on the specified
user
for the length of time it takes the specified process to execute? Thanks
for
the help.

- Dave

CreateProcessWithLogonW requires W2K or higher, only restriction is that
you can''t call it from a process running as LocalSystem.

All you need to know about CreateProcessWithLogonW can be found in the
Platform SDK documentation:
http://msdn.microsoft.com/library/de...withlogonw.asp

Willy.

Willy.

Dude, I live in the library when doing P/Invokes. :)

I have an implementation that works fine from a WinForms or a console app,
but doesn''t work from a WebForms app. From what I''ve read in other forums,
this is because CreateProcessWithLogonW is running in the ASPNET''s user
context. WinXP SP2 and above added a SecLogon service to handle all "run as"
calls and it disallows the call from ASPNET for security reasons. I''ve read
this in non-Microsoft forums, so now I''m looking for verification here in the
official Microsoft newsgroups. Anybody know if this is true?

- Dave
"Willy Denoyette [MVP]" wrote:

"David Davidson" <da************@newsgroup.nospam> wrote in message
news:49**********************************@microsof t.com...

I am attempting to use CreateProcessWithLogonW from the server-side code of
a
web page (yes, I want to create a process on the server) and not having
much
luck.

I am attempting to run VPScan, an unsupported command-line virus scanner
from Symantec, to check an uploaded file for viruses. At first, I wrapped
VPScan with a DLL and ran it as a COM+ component and found that it would
work
only when someone was logged on and it was set to run as the interactive
user. This little command-line tool, for some reason, requires that a
user
be logged in. It actually needs access to HKEY_CURRENT_USER (I verified
this
with regmon).

I then looked into the System.Diagnostics.Process object and found that it
couldn''t do a "run as." Then I tried impersonation and DuplicateTokenEx
and
found that, since ASP.NET implements impersonation at the thread level and
not the process level, I always got a token for the ASPNET account. Not
good.

I thought that CreateProcessWithTokenW would work for me, but the end
result
needs to run on Windows XP Pro (development machines), Windows Server 2000
and Windows Server 2003. CreateProcessWithTokenW only works on Windows
Server 2003.

Then I turned my attention to CreateProcessWithLogonW. From what I''ve
read,
this doesn''t work with XP SP2 and people are suggesting going back to
LoadUserProfile and CreateProcessAsUser. But I''m reading that in order
for
this to work, the creating user context needs the "Act as part of the
operating system" user right. This is definitely not an option for me.

Can anybody tell me definitively that CreateProcessWithLogonW does, in
fact,
work from an ASP.NET application and does properly log on the specified
user
for the length of time it takes the specified process to execute? Thanks
for
the help.

- Dave

CreateProcessWithLogonW requires W2K or higher, only restriction is that
you can''t call it from a process running as LocalSystem.

All you need to know about CreateProcessWithLogonW can be found in the
Platform SDK documentation:
http://msdn.microsoft.com/library/de...withlogonw.asp

Willy.

Willy.

Hi Dave,

AS for the CreateProcessWithLogonW , based on my research, the main problem
which limited its usage in asp.net web app is that
CreateProcessWithLogonW() internally connects to a service called the
"secondary logon service" via a named pipe. The secondary logon service
secures this pipe with a DACL that grants only members of the local
administrators, local system and the interactive users access; all others
are specifically denied access. Since the ASPNET account has the service
and batch rights in its token, it is denied access to the named pipe. So I
suggest you no use the CreateProcessWithLogonW function in asp.net or other
non-interactive (batch or serivce logon ) service....

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
| Thread-Topic: CreateProcessWithLogonW and ASP.NET
| thread-index: AcXZ4pjFWT/QAXfER8KH/6tynIACLA==
| X-WBNR-Posting-Host: 209.218.132.3
| From: "=?Utf-8?B?RGF2aWQgRGF2aWRzb24=?=" <da************@newsgroup.nospam>
| References: <49**********************************@microsoft.co m>
<u5**************@TK2MSFTNGP15.phx.gbl>
| Subject: Re: CreateProcessWithLogonW and ASP.NET
| Date: Tue, 25 Oct 2005 21:06:09 -0700
| Lines: 80
| Message-ID: <34**********************************@microsoft.co m>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.dotnet.languages.csharp
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.languages.csharp:131787
| X-Tomcat-NG: microsoft.public.dotnet.languages.csharp
|
| Dude, I live in the library when doing P/Invokes. :)
|
| I have an implementation that works fine from a WinForms or a console
app,
| but doesn''t work from a WebForms app. From what I''ve read in other
forums,
| this is because CreateProcessWithLogonW is running in the ASPNET''s user
| context. WinXP SP2 and above added a SecLogon service to handle all "run
as"
| calls and it disallows the call from ASPNET for security reasons. I''ve
read
| this in non-Microsoft forums, so now I''m looking for verification here in
the
| official Microsoft newsgroups. Anybody know if this is true?
|
| - Dave
|
|
| "Willy Denoyette [MVP]" wrote:
|
| >
| > "David Davidson" <da************@newsgroup.nospam> wrote in message
| > news:49**********************************@microsof t.com...
| > >I am attempting to use CreateProcessWithLogonW from the server-side
code of
| > >a
| > > web page (yes, I want to create a process on the server) and not
having
| > > much
| > > luck.
| > >
| > > I am attempting to run VPScan, an unsupported command-line virus
scanner
| > > from Symantec, to check an uploaded file for viruses. At first, I
wrapped
| > > VPScan with a DLL and ran it as a COM+ component and found that it
would
| > > work
| > > only when someone was logged on and it was set to run as the
interactive
| > > user. This little command-line tool, for some reason, requires that
a
| > > user
| > > be logged in. It actually needs access to HKEY_CURRENT_USER (I
verified
| > > this
| > > with regmon).
| > >
| > > I then looked into the System.Diagnostics.Process object and found
that it
| > > couldn''t do a "run as." Then I tried impersonation and
DuplicateTokenEx
| > > and
| > > found that, since ASP.NET implements impersonation at the thread
level and
| > > not the process level, I always got a token for the ASPNET account.
Not
| > > good.
| > >
| > > I thought that CreateProcessWithTokenW would work for me, but the end
| > > result
| > > needs to run on Windows XP Pro (development machines), Windows Server
2000
| > > and Windows Server 2003. CreateProcessWithTokenW only works on
Windows
| > > Server 2003.
| > >
| > > Then I turned my attention to CreateProcessWithLogonW. From what
I''ve
| > > read,
| > > this doesn''t work with XP SP2 and people are suggesting going back to
| > > LoadUserProfile and CreateProcessAsUser. But I''m reading that in
order
| > > for
| > > this to work, the creating user context needs the "Act as part of the
| > > operating system" user right. This is definitely not an option for
me.
| > >
| > > Can anybody tell me definitively that CreateProcessWithLogonW does,
in
| > > fact,
| > > work from an ASP.NET application and does properly log on the
specified
| > > user
| > > for the length of time it takes the specified process to execute?
Thanks
| > > for
| > > the help.
| > >
| > > - Dave
| > >
| >
| > CreateProcessWithLogonW requires W2K or higher, only restriction is
that
| > you can''t call it from a process running as LocalSystem.
| >
| > All you need to know about CreateProcessWithLogonW can be found in the
| > Platform SDK documentation:
| >
http://msdn.microsoft.com/library/de...us/dllproc/bas
e/createprocesswithlogonw.asp
| >
| > Willy.
| >
| > Willy.
| >
| >
| >
|

这篇关于CreateProcessWithLogonW和ASP.NET的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！