C++/VB - CreateProcessAsUser fails with 233 (No process is on the other end of the pipe), XP

Asked By blackbor

14-Aug-07 01:24 PM

Hi.
I'm having a very strange behavior - CreateProcessAsUser fails with
error 233 when called from service while logon screen active. Service
tries to create a process when new console session connected, so when
it receives the SERVICE_CONTROL_SESSIONCHANGE notofication with the
WTS_CONSOLE_CONNECT, it obtains a user token (via WTSQueryUserToken or
OpenProcessToken/DuplicateTokenEx/SetTokenInformation - no sense). In
most cases it works well, but when it create a process after user
logoff (and now system in logon screen) it fails with error 233.
How to reproduce it:
1. Logon as console user (session 0)
2. Switch user (logon screen, session 0)
3. Logon another user (session 1) (CreateProcessAsUser succeeded)
4. Logoff another user (logon screen, session 2) (CreateProcessAsUser
fails, 233)

In my sample i'm trying to launch calc.exe, and in vista it works
well, problem appears only with the Windows XP.

Anyone else seen a similar issue, or know why this is happening? If it
helps, i can upload a sample to reproduce this behavior...

Thanks.

--
Andrew Solodovnikov

30-Oct-07 11:35 AM

Hi there,

same problem for me, do you have any solution right now?

Greetings
(Sorry for my previous post)

02-Nov-07 08:19 AM

Hi,

I've debugged a little bit with the kernel debugger, and have found the
problem: CreateProcessAsUser uses internally, when creating a process in an
other session, the function CreateRemoteProcessW from ADVAPI32.DLL. This
function opens a pipe with the name
\\.\Pipe\TerminalServer\SystemExecSrvr\%d where %d is the SessionID and
sending the request over to csrss.exe. And now the problem. After logging off
from a session other than 0 csrss.exe does not create this pipe or
CreateRemoteProcessW  is not able to read the pipe. CreateRemoteProcessW is
able to open the pipe and write to it. Is here anyone from MS listening and
can tell me what to do to get CreateProcessAsUser to work?

Thanks in advance
Thomas Graefenhain

30-Dec-07 05:55 AM

I disassemble advapi32.dll and simulate the not-exported function
CreateRemoteSessionProcessW, you can try and  perhaps resolve your
problem.

Known Issues:
1.Only WinXP can use the function, Vista MUST not use
2.Session 0 can't use the function, consider service always run in
session 0, this problem is not a problem.
3.When u failed with  2 (ERROR_FILE_NOT_FOUND) then u should wait a
moment and try again, I consider this is WinXP bug:),
4.When second parameter is TRUE, then hToken won't be used to create
new process. If u call CreateProcessAsUser and failed with 233, then u
should set second parameter to TRUE


typedef BOOLEAN (WINAPI* pWinStationQueryInformationW)(
IN   HANDLE hServer,
IN   ULONG LogonId,
IN   DWORD /*WINSTATIONINFOCLASS*/ WinStationInformationClass,
OUT  PVOID pWinStationInformation,
IN   ULONG WinStationInformationLength,
OUT  PULONG pReturnLength
);
DWORD MarshallString(LPCWSTR	pszText, LPVOID, DWORD	dwMaxSize,LPBYTE*
ppNextBuf, DWORD* pdwUsedBytes)
{
DWORD	dwOffset =3D *pdwUsedBytes;
if(!pszText)
return 0;
DWORD	dwLen =3D (wcslen(pszText)+1)*sizeof(WCHAR);
if(*pdwUsedBytes + dwLen> dwMaxSize)
return 0;
memmove(*ppNextBuf, pszText , dwLen);
*pdwUsedBytes +=3D dwLen;
*ppNextBuf +=3D dwLen;
return dwOffset;
}

typedef struct _CPAU_PARAM{
DWORD	cbSize;
DWORD	dwProcessId;
BOOL	bUseDefaultToken;
HANDLE	hToken;
LPWSTR	lpApplicationName;
LPWSTR	lpCommandLine;
SECURITY_ATTRIBUTES	ProcessAttributes;
SECURITY_ATTRIBUTES ThreadAttributes;
BOOL bInheritHandles;
DWORD dwCreationFlags;
LPVOID lpEnvironment;
LPWSTR lpCurrentDirectory;
STARTUPINFOW StartupInfo;
PROCESS_INFORMATION	ProcessInformation;
}CPAU_PARAM;

typedef struct _CPAU_RET_PARAM{
DWORD	cbSize;
BOOL	bRetValue;
DWORD	dwLastErr;
PROCESS_INFORMATION	ProcInfo;
}CPAU_RET_PARAM;

BOOL CreateRemoteSessionProcessW(
IN DWORD	dwSessionId,
IN BOOL		bUseDefaultToken,
IN HANDLE	hToken,
IN LPCWSTR	lpApplicationName,
IN LPWSTR	lpCommandLine,
IN LPSECURITY_ATTRIBUTES lpProcessAttributes,
IN LPSECURITY_ATTRIBUTES lpThreadAttributes,
IN BOOL bInheritHandles,
IN DWORD dwCreationFlags,
IN LPVOID lpEnvironment,
IN LPCWSTR lpCurrentDirectory,
IN LPSTARTUPINFOW lpStartupInfo,
OUT LPPROCESS_INFORMATION lpProcessInformation)
{
WCHAR		szWinStaPath[MAX_PATH];
BOOL		bGetNPName=3DFALSE;
WCHAR		szNamedPipeName[MAX_PATH]=3DL"";
DWORD		dwNameLen;
HINSTANCE	hInstWinSta;
HANDLE		hNamedPipe;
LPVOID		pData=3DNULL;
BOOL		bRet =3D FALSE;
DWORD		cbReadBytes,cbWriteBytes;
DWORD		dwEnvLen =3D 0;
union{
CPAU_PARAM	cpauData;
BYTE		bDump[0x2000];
};
CPAU_RET_PARAM	cpauRetData;
DWORD			dwUsedBytes =3D sizeof(cpauData);
LPBYTE			pBuffer =3D (LPBYTE)(&cpauData+1);
GetSystemDirectoryW(szWinStaPath, MAX_PATH);
lstrcatW(szWinStaPath,L"\\winsta.dll");
hInstWinSta =3D LoadLibrary(szWinStaPath);

if(hInstWinSta)
{
pWinStationQueryInformationW
pfWinStationQueryInformationW=3D(pWinStationQueryInformationW)GetProcAddress=
(hInstWinSta,
if(pfWinStationQueryInformationW)
{
bGetNPName =3D pfWinStationQueryInformationW(0, dwSessionId, 0x21,
szNamedPipeName, sizeof(szNamedPipeName), &dwNameLen);
}
FreeLibrary(hInstWinSta);
}
if(!bGetNPName || szNamedPipeName[0] =3D=3D '\0')
{
swprintf(szNamedPipeName, L"\\\\.\\Pipe\\TerminalServer\
\SystemExecSrvr\\%d", dwSessionId);
}

do{
hNamedPipe =3D CreateFile(szNamedPipeName, GENERIC_READ|GENERIC_WRITE,
0, NULL, OPEN_EXISTING, 0, 0);
if(hNamedPipe =3D=3D INVALID_HANDLE_VALUE)
{
if(GetLastError() =3D=3D ERROR_PIPE_BUSY)
{
if(!WaitNamedPipe(szNamedPipeName, 30000))
return FALSE;
}
else
{
return FALSE;
}
}
}while(hNamedPipe =3D=3D INVALID_HANDLE_VALUE);


memset(&cpauData, 0, sizeof(cpauData));
cpauData.bInheritHandles	=3D bInheritHandles;
cpauData.bUseDefaultToken	=3D bUseDefaultToken;
cpauData.dwCreationFlags	=3D dwCreationFlags;
cpauData.dwProcessId		=3D GetCurrentProcessId();
cpauData.hToken				=3D hToken;
cpauData.lpApplicationName	=3D
(LPWSTR)MarshallString(lpApplicationName, &cpauData, sizeof(bDump),
&pBuffer, &dwUsedBytes);
cpauData.lpCommandLine		=3D (LPWSTR)MarshallString(lpCommandLine,
&cpauData, sizeof(bDump), &pBuffer, &dwUsedBytes);
cpauData.StartupInfo		=3D *lpStartupInfo;
cpauData.StartupInfo.lpDesktop	=3D
(LPWSTR)MarshallString(cpauData.StartupInfo.lpDesktop, &cpauData,
sizeof(bDump), &pBuffer, &dwUsedBytes);
cpauData.StartupInfo.lpTitle	=3D
(LPWSTR)MarshallString(cpauData.StartupInfo.lpTitle, &cpauData,
sizeof(bDump), &pBuffer, &dwUsedBytes);

if(lpEnvironment)
{
if(dwCreationFlags & CREATE_UNICODE_ENVIRONMENT)
{
while((dwEnvLen+dwUsedBytes <=3D sizeof(bDump)))
{
if(((LPWSTR)lpEnvironment)[dwEnvLen/2]=3D=3D'\0' &&
((LPWSTR)lpEnvironment)[dwEnvLen/2+1] =3D=3D '\0')
{
dwEnvLen+=3D2*sizeof(WCHAR);
break;
}
dwEnvLen+=3Dsizeof(WCHAR);
}
}
else
{
while(dwEnvLen+dwUsedBytes <=3D sizeof(bDump))
{
if(((LPSTR)lpEnvironment)[dwEnvLen]=3D=3D'\0' && ((LPSTR)lpEnvironment)
[dwEnvLen+1]=3D=3D'\0')
{
dwEnvLen+=3D2;
break;
}
dwEnvLen++;
}
}
if(dwEnvLen+dwUsedBytes <=3D sizeof(bDump))
{
memmove(pBuffer, lpEnvironment, dwEnvLen);
cpauData.lpEnvironment =3D (LPVOID)dwUsedBytes;
pBuffer +=3D dwEnvLen;
dwUsedBytes +=3D dwEnvLen;
}
else
{
cpauData.lpEnvironment =3D NULL;
}
}
else
{
cpauData.lpEnvironment	=3D NULL;
}
cpauData.cbSize	 =3D dwUsedBytes;

if(WriteFile(hNamedPipe, &cpauData, cpauData.cbSize, &cbWriteBytes,
NULL) &&
ReadFile(hNamedPipe, & cpauRetData, sizeof(cpauRetData),
&cbReadBytes, NULL))
{
bRet =3D cpauRetData.bRetValue;
if(bRet)
{
*lpProcessInformation =3D cpauRetData.ProcInfo;
}
else
SetLastError(cpauRetData.dwLastErr);
}
else
bRet =3D FALSE;

CloseHandle(hNamedPipe);
return bRet;
}


On 11=D4=C22=C8=D5, =CF=C2=CE=E78=CA=B119=B7=D6, Thomas Graefenhain
n
off
s
d

30-Jul-08 06:09 AM

I have the same problem (Can not launch application in winlogon desktop when user logoff). Do you have any solutions or ideas to deal with it, and could you kind enough to share with me? Thank you