Win7中如何在服务中启动一个当前用户的进程——函数CreateProcessAsUser()的一次使用记录

　　这次工作中遇到要从服务中启动一个具有桌面UI交互的应用，这在winXP/2003中只是一个简单创建进程的问题。但在Vista 和 win7中增加了session隔离，这一操作系统的安全举措使得该任务变得复杂了一些。

一、Vista和win7的session隔离

　　一个用户会有一个独立的session。在Vista 和 win7中session 0被单独出来专门给服务程序用，用户则使用session 1、session 2...

　　这样在服务中通过CreateProcess()创建的进程启动UI应用用户是无法看到的。它的用户是SYSTEM。所以用户无法与之交互，达不到需要的目的。

　　关于更多session 0的信息请点击这里查看微软介绍。

二、实现代码

　　首先贴出自己的实现代码，使用的是C#：

using System;
using System.Security;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace Handler
{
    /// <summary>
    /// Class that allows running applications with full admin rights. In
    /// addition the application launched will bypass the Vista UAC prompt.
    /// </summary>
    public class ApplicationLoader
    {
        #region Structures

        [StructLayout(LayoutKind.Sequential)]
        public struct SECURITY_ATTRIBUTES
        {
            public int Length;
            public IntPtr lpSecurityDescriptor;
            public bool bInheritHandle;
        }

        [StructLayout(LayoutKind.Sequential)]
        public struct STARTUPINFO
        {
            public int cb;
            public String lpReserved;
            public String lpDesktop;
            public String lpTitle;
            public uint dwX;
            public uint dwY;
            public uint dwXSize;
            public uint dwYSize;
            public uint dwXCountChars;
            public uint dwYCountChars;
            public uint dwFillAttribute;
            public uint dwFlags;
            public short wShowWindow;
            public short cbReserved2;
            public IntPtr lpReserved2;
            public IntPtr hStdInput;
            public IntPtr hStdOutput;
            public IntPtr hStdError;
        }

        [StructLayout(LayoutKind.Sequential)]
        public struct PROCESS_INFORMATION
        {
            public IntPtr hProcess;
            public IntPtr hThread;
            public uint dwProcessId;
            public uint dwThreadId;
        }

        #endregion

        #region Enumerations

        enum TOKEN_TYPE : int
        {
            TokenPrimary = 1,
            TokenImpersonation = 2
        }

        enum SECURITY_IMPERSONATION_LEVEL : int
        {
            SecurityAnonymous = 0,
            SecurityIdentification = 1,
            SecurityImpersonation = 2,
            SecurityDelegation = 3,
        }

        #endregion

        #region Constants

        //public const int TOKEN_DUPLICATE = 0x0002;
        public const uint MAXIMUM_ALLOWED = 0x2000000;
        public const int CREATE_NEW_CONSOLE = 0x00000010;
        public const int CREATE_UNICODE_ENVIRONMENT = 0x00000400;

        public const int NORMAL_PRIORITY_CLASS = 0x20;
        //public const int IDLE_PRIORITY_CLASS = 0x40;        
        //public const int HIGH_PRIORITY_CLASS = 0x80;
        //public const int REALTIME_PRIORITY_CLASS = 0x100;

        #endregion

        #region Win32 API Imports  

        [DllImport("Userenv.dll", EntryPoint = "DestroyEnvironmentBlock", 
                                    SetLastError = true)]
        private static extern bool DestroyEnvironmentBlock(IntPtr lpEnvironment);

        [DllImport("Userenv.dll", EntryPoint = "CreateEnvironmentBlock", 
                                    SetLastError = true)]
        private static extern bool CreateEnvironmentBlock(ref IntPtr lpEnvironment, 
                                                    IntPtr hToken, bool bInherit);

        [DllImport("kernel32.dll", EntryPoint = "CloseHandle", SetLastError = true)]
        private static extern bool CloseHandle(IntPtr hSnapshot);

        [DllImport("kernel32.dll", EntryPoint = "WTSGetActiveConsoleSessionId")]
        static extern uint WTSGetActiveConsoleSessionId();

        [DllImport("Kernel32.dll", EntryPoint = "GetLastError")]
        private static extern uint GetLastError();

        [DllImport("Wtsapi32.dll", EntryPoint = "WTSQueryUserToken", SetLastError = true)]
        private static extern bool WTSQueryUserToken(uint SessionId, ref IntPtr hToken);

        [DllImport("advapi32.dll", EntryPoint = "CreateProcessAsUser", SetLastError = true,
                                    CharSet = CharSet.Unicode, 
                                    CallingConvention = CallingConvention.StdCall)]
        public extern static bool CreateProcessAsUser(IntPtr hToken, 
                                                      String lpApplicationName,
                                                      String lpCommandLine, 
                                                      ref SECURITY_ATTRIBUTES lpProcessAttributes,
                                                      ref SECURITY_ATTRIBUTES lpThreadAttributes, 
                                                      bool bInheritHandle, 
                                                      int dwCreationFlags, 
                                                      IntPtr lpEnvironment, 
                                                      String lpCurrentDirectory,
                                                      ref STARTUPINFO lpStartupInfo,
                                                      out PROCESS_INFORMATION lpProcessInformation);

        [DllImport("advapi32.dll", EntryPoint = "DuplicateTokenEx")]
        public extern static bool DuplicateTokenEx(IntPtr ExistingTokenHandle, uint dwDesiredAccess,
            ref SECURITY_ATTRIBUTES lpThreadAttributes, int TokenType,
            int ImpersonationLevel, ref IntPtr DuplicateTokenHandle);
        
        #endregion

        /// <summary>
        /// Launches the given application with full admin rights, and in addition bypasses the Vista UAC prompt
        /// </summary>
        /// <param name="commandLine">A command Line to launch the application</param>
        /// <param name="procInfo">Process information regarding the launched application that gets returned to the caller</param>
        /// <returns></returns>
        public static bool StartProcessAndBypassUAC(String commandLine, out PROCESS_INFORMATION procInfo)
        {
            IntPtr hUserTokenDup = IntPtr.Zero, hPToken = IntPtr.Zero, hProcess = IntPtr.Zero;            
            procInfo = new PROCESS_INFORMATION();

            // obtain the currently active session id; every logged on user in the system has a unique session id
            uint dwSessionId = WTSGetActiveConsoleSessionId();

            if (!WTSQueryUserToken(dwSessionId, ref hPToken))
            {
                return false;
            }

            SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
            sa.Length = Marshal.SizeOf(sa);

            // copy the access token of the dwSessionId's User; the newly created token will be a primary token
            if (!DuplicateTokenEx(hPToken, MAXIMUM_ALLOWED, ref sa, (int)SECURITY_IMPERSONATION_LEVEL.SecurityIdentification,
                (int)TOKEN_TYPE.TokenPrimary, ref hUserTokenDup))
            {
                CloseHandle(hPToken);
                return false;
            }

            IntPtr EnvironmentFromUser = IntPtr.Zero;
            if (!CreateEnvironmentBlock(ref EnvironmentFromUser, hUserTokenDup, false))
            {
                CloseHandle(hPToken);
                CloseHandle(hUserTokenDup);
                return false;
            }
           
            // By default CreateProcessAsUser creates a process on a non-interactive window station, meaning
            // the window station has a desktop that is invisible and the process is incapable of receiving
            // user input. To remedy this we set the lpDesktop parameter to indicate we want to enable user 
            // interaction with the new process.
            STARTUPINFO si = new STARTUPINFO();
            si.cb = (int)Marshal.SizeOf(si);
            si.lpDesktop = @"winsta0default";
 
            // flags that specify the priority and creation method of the process
            int dwCreationFlags = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT;

            // create a new process in the current user's logon session
            bool result = CreateProcessAsUser(hUserTokenDup,        // client's access token
                                            null,                   // file to execute
                                            commandLine,            // command line
                                            ref sa,                 // pointer to process SECURITY_ATTRIBUTES
                                            ref sa,                 // pointer to thread SECURITY_ATTRIBUTES
                                            false,                  // handles are not inheritable
                                            dwCreationFlags,        // creation flags
                                            EnvironmentFromUser,    // pointer to new environment block 
                                            null,                   // name of current directory 
                                            ref si,                 // pointer to STARTUPINFO structure
                                            out procInfo            // receives information about new process
                                            );
           
            // invalidate the handles
            CloseHandle(hPToken);
            CloseHandle(hUserTokenDup);
            DestroyEnvironmentBlock(EnvironmentFromUser);

            return result; // return the result
        }
    }
}

三、几个遇到的问题

　　1.环境变量

　　起初用CreateProcessAsUser()时并没有考虑环境变量，虽然要的引用在桌面起来了，任务管理器中也看到它是以当前用户的身份运行的。进行一些简单的操作也没有什么问题。但其中有一项操作发生了问题，打开一个该程序要的特定文件，弹出如下一些错误：

　　Failed to write: %HOMEDRIVE%%HOMEPATH%...

　　Location is not avaliable: ... 

　　通过Browser打开文件夹命名看看到文件去打不开！由于该应用是第三方的所以不知道它要做些什么。但是通过Failed to write: %HOMEDRIVE%%HOMEPATH%...这个错误信息显示它要访问一个user目录下的文件。在桌面用cmd查看该环境变量的值为：

　　HOMEDRIVE=C:

　　HOMEPATH=usersAlvin

　　的确是要访问user目录下的文件。然后我编写了一个小程序让CreateProcessAsUser()来以当前用户启动打印环境变量，结果其中没有这两个环境变量，及值为空。那么必然访问不到了，出这些错误也是能理解的了。其实CreateProcessAsUser()的环境变量参数为null的时候，会继承父进程的环境变量，即为SYSTEM的环境变量。在MSDN中有说：

　　

使用CreateEnvironmentBlock()函数可以得到指定用户的环境变量，不过还是略有差别——没有一下两项：

　　PROMPT=$P$G

　　SESSIONNAME=Console

这个原因我就不清楚了，求告知。

　　值得注意的是，产生的环境变量是Unicode的字符时dwCreationFlags 要有CREATE_UNICODE_ENVIRONMENT标识才行，在MSDN中有解释到：

　　An environment block can contain either Unicode or ANSI characters. If the environment block pointed to by lpEnvironment contains Unicode characters, be sure thatdwCreationFlags includes CREATE_UNICODE_ENVIRONMENT. If this parameter is NULL and the environment block of the parent process contains Unicode characters, you must also ensure that dwCreationFlags includes CREATE_UNICODE_ENVIRONMENT.

　　C#中字符char、string都是Unicode字符。而且这里的CreateEnvironmentBlock()函数在MSDN中有说到，是Unicode的：

　　lpEnvironment [in, optional]

　　A pointer to an environment block for the new process. If this parameter is NULL, the new process uses the environment of the calling process.

　　2.一个比较奇怪的问题

　　按以上分析后我加入了环境变量，并添加了CREATE_UNICODE_ENVIRONMENT标识。但是我觉得这是不是也应该把CreateProcessAsUser()的DllImport中的CharSet = CharSet.Ansi改为CharSet = CharSet.Unicode。这似乎合情合理，但是改完之后进程就起不来，且没有错误。一旦改回去就完美运行，并且没有环境变量的问题。想了半天也没有搞明白是为什么，最后问了一个前辈，他要我注意下CreateProcessAsUser()的第三个参数的声明，然后我一琢磨才知道问题的真正原因，大家先看CreateProcessAsUser()的函数声明：

　　

　　注意第二、三个参数的区别，并查看我写的代码。我用的是第三个参数，第二个我赋null。LPCTSTR是一个支持自动选择字符编码[Ansi或Unicode]　　的常量字符串指针；LPTSTR与之的差别是不是常量。它为什么有这样的差别呢，看MSDN的解释：

　　The system adds a null character to the command line string to separate the file name from the arguments. This divides the original string into two strings for internal processing.

　　在第二个参数为空时，可以用第三个参数完成AppName和CmdLineArg的功能，方法是添加一个null进行分割。那么这为什么能导致函数不起作用呢？原因是C#中string类型是只读的，在我这里给它的赋值是string类型。它不能完成分割的动作，所以会造成访问违例。这其实在MSDN中都有相关的描述：

　　The Unicode version of this function, CreateProcessAsUserW, can modify the contents of this string. Therefore, this parameter cannot be a pointer to read-only memory (such as a const variable or a literal string). If this parameter is a constant string, the function may cause an access violation.

　　那么为什么用CharSet = CharSet.Ansi可以呢？LPTSTR支持两种字符格式，它会自动将Unicode的字符串转变为Ansi的字符串，即产生另外一个Ansi的字符串，该字符串是复制来的当然可以修改了！！哈哈！

　　这里可以看出认认真真看好MSDN的解释是很有帮助的。顺便说下这第三个参数分割办法，以及我们要注意自己的路径。来看MSDN的说明：　　

　　The lpApplicationName parameter can be NULL. In that case, the module name must be the first white space–delimited token in the lpCommandLine string. If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous. For example, consider the string "c:program filessub dirprogram name". This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order: 

c:program.exe filessub dirprogram name

c:program filessub.exe dirprogram name

c:program filessub dirprogram.exe name

c:program filessub dirprogram name.exe

　　关于CreateProcessAsUser()详细信息请查看http://msdn.microsoft.com/en-us/library/ms682429.aspx

　　关于CreateEnvironmentBlock()请查看http://msdn.microsoft.com/en-us/library/bb762270(VS.85).aspx