service cannot access remote share

c++ / delphi package - dll injection and api hooking
torstenv
Posts: 26
Joined: Sat Jun 26, 2004 5:13 pm

service cannot access remote share

Post by torstenv »

Hi!

I’m using MCH to detect the execution of code by hooking CreateProcess. My main program runs as a service and it seems like I have a problem accessing the programs that are being started on a remote share in some special cases:

On XP, my program runs as NetworkService and so everything is fine. MCH detects the execution of new code and I can gather information about that file before it can start. On NT4 and Win2k there is no “NetworkService”, thus I’m having problems accessing the program which is to be started on a remote share, because services seem to be denied any access to the local network (unless it’s a NetworkService in XP). I have tried to start a small program in userspace and let that program do the checking of the questioned program, but that method does not work if something is being started on a remote share without a user being logged in (e.g. by the taskplaner).

I know that this is not a real MCH-question, but I don’t know any resource on the web where more skilled coders are reading…

My apologies if this is regarded as off-topic. In that case: Any idea where to get help?

Regards,
T.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I don't know how to solve it. You might have a chance to get help at the "Windows programming" forum at www.experts-exchange.com. You don't need to write that you're doing API hooking. That might stop some people from commenting, because they might think the problem is too complicated. Just explain what APIs fail exactly in what situation. E.g. "my service is running under XXX account in w2k and I have a process handle of a process started by the taskplaner, but I can't call the API xxx on it" or something like that.
torstenv
Posts: 26
Joined: Sat Jun 26, 2004 5:13 pm

Post by torstenv »

madshi wrote:I don't know how to solve it. You might have a chance to get help at the "Windows programming" forum at www.experts-exchange.com.
I doubt that there is a "normal" solution that anyone there could point me to. I did a little more research: The account LocalService does not have access to the network. Full stop. Only NetworkService has access to the network. NetworkService is available on WinXP and above only. That's it. No chance to solve my problem. If a task is being started via Taskplanner, it may start under certain user credentials, which will allow the accessing of the network share so the process can be started, but my service won't be able to access it.

This is why I thought I'd ask here. Is there no way around this problem? I mean with MCH lots of mysterious things are possible. Maybe my ideas are too weird, but these are my thoughts:
Could it be possible to inject code into the newly created process? Because that newly created process runs under the credentials of the user that has access to the network share, some injected code could do the checks that need to be done and somehow inform my service via IPC about the results. In case I don't want the questioned code to run, my service could call TerminateProcess for that process. In case I want it to run, I could let the injected code start the real code that it injected itself into. Is that possible at all or is it too weird?

Or could I hook some system APIs that are being called during the accessing of the network share?

The goal is to pause a new process that I hooked via CreateProcess, find out details about it, decide whether to let it run or not. Easy under WinXP, yet I have not made it under NT4 and Win2k.

T.
(This problem is killing me!)
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: service cannot access remote share

Post by dcsoft »

torstenv wrote:my program runs as NetworkService
Perhaps instead of writing a service, you could write a Winlogon Notification Package. Your dll will be called at various points in the logon process. I believe you can get called when the system starts, when the network is established, when the user logs in, and when the network shares are re-connected. It's been a while since I've written one, but your code definitely has more permission than a service.

Cheers,
David
http://www.dcsoft.com
torstenv
Posts: 26
Joined: Sat Jun 26, 2004 5:13 pm

Re: service cannot access remote share

Post by torstenv »

Winlogon Notification Package

Not supported under NT4.

T.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

What APIs exactly fail? What do you want to do in detail? If you hooked CreateProcess you should have a process handle with full access rights. So I don't understand why any process related APIs should fail.
Runner
Posts: 90
Joined: Tue Dec 14, 2004 1:04 pm

Post by Runner »

If I understand correctly, the problem is that your service cannot access the network. This is because it runs under the LocalSystem account. If you can, then run the service under the administrator account or some other account with the appropriate privileges.

The other solutions are not so good. You probably need a service because you need it to run even when no one is logged on.

Maybe you could run your code inside another process that has network access and is running when no user is logged on. I don't know which one though.

Oh and BTW if a service under LocalSystem account starts another application this application is also started under LocalSystem so it can't access the network either.

Hope this helps a little.
Last edited by Runner on Wed Jan 05, 2005 6:37 am, edited 1 time in total.
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: service cannot access remote share

Post by dcsoft »

torstenv wrote:my program runs as NetworkService
Now I'm completely confused... your hook dll is injected into the process that calls CreateProcess(), in this case it is "taskplanner". (What is that anyway?) Therefore, the permissions your hook function has are what taskplanner has. I don't see how your main app (the NT service) has anything to do with it. Are you saying the NT service used madCodeHook to install the hook? Regardless, the permissions of the NT service seem not to matter, regarding what permissions your hook callback function has.

-- David
torstenv
Posts: 26
Joined: Sat Jun 26, 2004 5:13 pm

Re: service cannot access remote share

Post by torstenv »

Now I'm completely confused...
Yes, so was I. I seem to have misunderstood something... In fact the problem lies elsewhere and it seems the problem is completely different from what I wrote initially, so sorry for the fuss....

The project's goal is to find out certain information about any application that's running. To achieve this, I must have read access to each executable that's being started. Problems seem to appear with the processes that are being started before my service actually installs the MCH-dll during bootup. All processes that have been started before the hook is in place cannot be detected. The workaround I use is to go through the list of processes as soon as my service is up and see which of them I haven't seen yet. Now one problem is, what I should do in case a process has been started from a remote share before the hook was in place. I then need to find out about that process, but I cannot, because my service does not have the rights to access the network (only NT4 and Win2k), and the hook wasn't in place when the process was started, so I couldn't catch it at that point. What I'd like best would be to make sure that any access to the network will be delayed until the hook is in place, or to make sure that my service is the first service to start, but I can't find a way to do this.

Again: I'm sorry for asking the wrong question... This time I think I'm quite close to the real problem...

T.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

You say you need read access to the exe files. Why? What exactly are you reading? And for what purpose? Is it a one-time-only read access need? Or do you need to read from those exes all the time?
torstenv
Posts: 26
Joined: Sat Jun 26, 2004 5:13 pm

Post by torstenv »

madshi wrote:You say you need read access to the exe files. Why? What exactly are you reading? And for what purpose? Is it a once time only read access need? Or do you need to read from those exes all the time?
I can't see why it matters what I need the read access for, but if you want to know, I'll tell you: Because it's a part of the project's goal. I need to find out lots of details about the executable like size, header and so on. The purpose is to find reliable details about every (!) process that's running. A one time read access would be sufficient.

T.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I'm not asking questions without reasons.

I'd recommend reading all the exe details in the initialization of your hook dll. Each running process loads its own copy of your hook dll. Each copy of the hook dll will have enough access rights to access the executable file of the process it's loaded in. The hook dlls can then send the gathered information back to your service.

I've asked the questions, because it all depends on how much you do with the exe. If it's very much work, I'd not recommend doing it in the hook dll, because the hook dll should try to affect its process as little as possible. But if it's not too much work the hook dll should do it. Then you have no access problems.
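The header-reading step suggested above, kept small enough to run inside a hook DLL, as an added example that is not part of the thread or of madCodeHook. It is portable C that parses a buffer with every offset bounds-checked; reading the host's own file and the IPC back to the service are left out, and `pe_summary`, `pe_summarize` and `make_sample` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Details a hook DLL could report to the service (illustrative selection). */
typedef struct { uint16_t machine, sections, opt_magic; uint32_t size_of_image; } pe_summary;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Parse the start of an image file; the file is untrusted, so check every offset. */
int pe_summarize(const uint8_t *buf, size_t len, pe_summary *out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(buf + 0x3c);            /* offset of "PE\0\0" */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 60) return -2;
    const uint8_t *coff = buf + e_lfanew + 4;        /* COFF file header */
    if (memcmp(coff - 4, "PE\0\0", 4) != 0) return -3;
    if (rd16(coff + 16) < 60) return -4;             /* SizeOfOptionalHeader too small */
    const uint8_t *opt = coff + 20;                  /* optional header */
    out->opt_magic = rd16(opt);                      /* 0x10b = PE32, 0x20b = PE32+ */
    if (out->opt_magic != 0x10b && out->opt_magic != 0x20b) return -5;
    out->machine = rd16(coff);
    out->sections = rd16(coff + 2);
    out->size_of_image = rd32(opt + 56);             /* same offset in PE32 and PE32+ */
    return 0;
}

/* Constructed sample: a minimal PE32 header prefix, not a real program. */
size_t make_sample(uint8_t *buf, size_t cap)
{
    if (cap < 0x100) return 0;
    memset(buf, 0, 0x100);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x80;                                /* e_lfanew = 0x80 */
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x84] = 0x4c; buf[0x85] = 0x01; buf[0x86] = 3; /* Machine 0x014c (i386), 3 sections */
    buf[0x94] = 0xe0;                                /* SizeOfOptionalHeader = 224 */
    buf[0x98] = 0x0b; buf[0x99] = 0x01;              /* Magic = 0x10b (PE32) */
    buf[0xd1] = 0x50;                                /* SizeOfImage = 0x5000 */
    return 0x100;
}

int main(void)
{
    uint8_t img[0x100]; pe_summary s;
    if (pe_summarize(img, make_sample(img, sizeof img), &s) == 0)
        printf("machine=0x%04x sections=%u image=0x%x\n", (unsigned)s.machine, (unsigned)s.sections, (unsigned)s.size_of_image);
    return 0;
}
```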
torstenv
Posts: 26
Joined: Sat Jun 26, 2004 5:13 pm

Post by torstenv »

I'm not asking questions without reasons.
I know, and I really appreciate your effort! Honestly!
I'd recommend reading all the exe details in the initialization of your hook dll.
OK, thanks a lot. That’s good advice and I’ll see what I can do.
I've asked the questions, because (…)
Yes, thanks. That’s what my comment was aiming at. To know why you asked. But I didn’t dare to answer “Why are you asking?” ;-)

Best regards,
T.
Runner
Posts: 90
Joined: Tue Dec 14, 2004 1:04 pm

Post by Runner »

By the way, if it helps you can define the order in which the services start. That way your service can start first. If you still want to know how to do it let me know and I can look up the information (I have it on my computer, just have to find it).
torstenv
Posts: 26
Joined: Sat Jun 26, 2004 5:13 pm

Post by torstenv »

Runner wrote: By the way, if it helps you can define the order in which the services start. That way your service can start first. If you still want to know how to do it let me know and I can look up the information (I have it on my computer, just have to find it).
Yes, that would be nice! Thanks in advance!

T.