hi,
i want to write a service which creates another process by calling createprocess.
how have i to change the SECURITY_ATTRIBUTES tag so that a user cannot terminate the child process?
i tried the following:
PSID pUserSid;
SID_IDENTIFIER_AUTHORITY IdAuthority = SECURITY_NT_AUTHORITY;
ACL *pAcl;
DWORD dwAclSize;
if (!AllocateAndInitializeSid(&IdAuthority, 1,
SECURITY_INTERACTIVE_RID,
0, 0, 0, 0, 0, 0, 0,
&pUserSid))
dwAclSize = sizeof(ACL) + sizeof(ACCESS_DENIED_ACE)
- GetLengthSid(pUserSid) - sizeof(DWORD) ;
pAcl = (PACL)HeapAlloc(GetProcessHeap(), 0, dwAclSize);
InitializeAcl(pAcl, dwAclSize, ACL_REVISION);
AddAccessDeniedAce(pAcl, ACL_REVISION,
PROCESS_ALL_ACCESS, pUserSid);
// Now use the acl
// …
SECURITY_DESCRIPTOR sd;
SECURITY_ATTRIBUTES sa;
InitializeSecurityDescriptor( &sd, SECURITY_DESCRIPTOR_REVISION );
SetSecurityDescriptorDacl( &sd, TRUE, pAcl, FALSE );
sa.nLength = sizeof( sa ) ;
sa.bInheritHandle = FALSE ;
sa.lpSecurityDescriptor = &sd ;
STARTUPINFO si;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
PROCESS_INFORMATION pi;
CreateProcess(“c:\Programme\winamp\winamp.exe”,
NULL, &sa,
NULL, false, CREATE_NEW_CONSOLE, NULL, NULL,
&si, &pi);
//When finished
HeapFree(GetProcessHeap(), 0, pAcl);
FreeSid(pUserSid);
but then, the service crashes. i have comment
//InitializeSecurityDescriptor( &sd, SECURITY_DESCRIPTOR_REVISION );
and then, it didnt crash and winamp (for testing purposes) started, but it could be terminated. what have i made wrong?
regards,
thomas