WTSSendMessage fail with error Access Denied

Discussion in 'Windows Vista Security' started by kalpesh, Jun 22, 2007.

  1. kalpesh

    kalpesh Guest

    i describe my Issue that i am developing virtual printer driver DLL
    which is run by
    spooler service of operation system, means my driver is run under
    spooler service.

    Now i need to show one MessageBox from my this DLL in Window vista
    but
    vista not support any user interface from service thats why i use
    this
    WTSSendMessage function but this function give me error "ACCESS
    DENIED"...


    //Code i used


    #define WTS_CURRENT_SERVER ((HANDLE)NULL)
    #define WTS_CURRENT_SERVER_HANDLE ((HANDLE)NULL)
    #define WTS_CURRENT_SERVER_NAME (NULL)


    #define WTS_CURRENT_SESSION ((DWORD)-1)


    //defination of WTSSendmessage Function pointer
    typedef BOOL (*funPtr) ( HANDLE,
    DWORD,
    LPWSTR,
    DWORD, LPWSTR, DWORD, DWORD, DWORD, DWORD*,
    BOOL);


    funPtr callFun;
    HMODULE hModule = LoadLibrary(L"Wtsapi32.dll");
    if(hModule)
    {
    callFun = (funPtr) GetProcAddress(hModule, "WTSSendMessageW");
    if(callFun) {
    DWORD result;
    BOOL ret =
    callFun( WTS_CURRENT_SERVER_HANDLE,


    WTS_CURRENT_SESSION,


    (LPWSTR)L"Thunder Driver",
    38,
    MB_OK,
    FALSE,
    &result,
    0);


    if(!ret) {
    Print_Error();
    }


    }//end getproc
    }//end loadlibrary


    function return with "Error : Access Denied";;
    WTSSendmesage function fail
    and return with error "ACCESS DENIED".


    This function failed is happening on Window vista only,
    One more thing is this same code is running successfully On Window XP
    means i think that
    there is some problem arise due to Vista securtiy...


    So please help me ....
    Thanks in Advance....
     
    kalpesh, Jun 22, 2007
    #1
    1. Advertisements

  2. kalpesh

    kalpesh Guest

    I found some more help on this topic that every service having some
    terminal service Permissions

    like..
    <<< Terminal Services Permissions >>
    -- Query sessions and servers for information.
    -- Configure connection properties
    -- View or actively control another user's session
    -- Log on to a session on the server.
    -- Log off a user from a session. Be aware that logging off a user
    without warning can result in loss of data at the client.
    -- Send a message to another user's sessions
    -- Connect to another session.
    -- Disconnect a session.
    -- Use virtual channels. Be aware that turning off virtual channels
    disables some Terminal Services features such as clipboard and printer
    redirection.
    -- End a session. Be aware that ending a session without warning can
    result in loss of data at the client.

    for more help Link--> http://msdn2.microsoft.com/En-US/library/aa383488.aspx

    Now each service is run under specific Access Accout this are:::
    1) Full Access
    2) User Access
    3) Guest Access

    Full Access have full permission, do all terminal service task while
    user access have some and guest have only one which
    is
    Guest access allows users to:
    ยท Log on to a session on the server.

    More Info visit Link::
    http://207.46.196.114/windowsserver...b228-4a0c-9a9f-ef6219afbd5f1033.mspx?mfr=true
    http://207.46.196.114/windowsserver...743b-4a35-9b94-9ec7cdb9aa381033.mspx?mfr=true
    http://207.46.196.114/windowsserver...9290-46fa-9541-68122a0474861033.mspx?mfr=true
    run with guest access because it give access denied error for
    WTSSendMessage function and also for OpenProcessToken function..

    so tell me after read this message and study from the link which i
    given..

    After all what is the solution for My problem to show one message box
    from service (My virtual printer driver DLL)..

    Help me...
    Thanks in Advance..
     
    kalpesh, Jun 22, 2007
    #2
    1. Advertisements

  3. kalpesh

    Alun Jones Guest

    Services all run in session 0. That's a starting point.
    "Current Session" is one of those items that sticks out like a sore thumb on
    Vista. Keep reading...
    Between Windows XP and Windows Vista, a few things changed.

    First, Windows XP already had the feature that several users could be logged
    in to multiple sessions, so your driver would wind up sending its message to
    the "console" session, which might not be the currently active session. Your
    driver needs to take account of the possibility that multiple users may be
    logged in at multiple sessions, or it will fail to notify active users on
    Windows XP or Server 2003.

    Worse, on Windows Vista, the user _never_ gets to log on in session 0,
    because it's a security risk to have users and services running in the same
    logon session.

    You will need to investigate WTSEnumerateSessions to get a list of all the
    sessions, and send your message to all of them that are in the WTSActive
    state.

    I notice you're also passing "FALSE" for the parameter documented as "DWORD
    Timeout", and "0" for the parameter documented as "BOOL bWait". I think you
    have these reversed - while the effect is to pass a value of 0 to each, it's
    confusing.

    Finally, since you can't really tell if anyone's paying attention to your
    dialog here, I would suggest setting bWait to FALSE, and Timeout to some
    value after which the dialog will disappear from the sessions that aren't
    actually being watched by a user right now. Setting a timeout of 0 is just
    asking for trouble, as your dialogs back up on an inactive desktop, taking
    up space that will never be returned because the user isn't there - and then
    when the user returns, they have to do what, click OK like a million times?
    Stop abusing your users just because you don't want to spend a few seconds
    to think about good timeout values.

    Alun.
    ~~~~
     
    Alun Jones, Jun 27, 2007
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.