System User on windows

Hi,
My application runs as a service using Local System account. But it has
to enumerate all the products on the system using MSI API. This MSI API
lists all the products of a particular user. So if I want to list all the
products on the system, how can I enumerate them within the service?
Basically can the application change the user while it is running and be
able to list all the user’s products? Is there any other way to list all
the products on the machine other than this?
Any documentation or any other solution is greatly appreciated.

Thanks in Advance,
Nagesh Bhattu

Hi,

Impersonation of the user’s access token would resolve your problem.
Impersonation is the ability of a thread to execute in a security context
that is different from the context of the process that owns the thread.
Basically you need to impersonate as the required user from your service and
then use the MSI API to list all the products of that user. MSDN provides
a lot of information on impersonation.

Rgds,
Sharoon

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Nagesh Bhattu
Sent: Thursday, November 28, 2002 5:39 PM
To: NT Developers Interest List
Subject: [ntdev] System User on windows

Hi,
My application runs as a service using Local System account. But it has
to enumerate all the products on the system using MSI API. This MSI API
lists all the products of a particular user. So if I want to list all the
products on the system, how can I enumerate them within the service?
Basically can the application change the user while it is running and be
able to list all the user’s products? Is there any other way to list all
the products on the machine other than this?
Any documentation or any other solution is greatly appreciated.

Thanks in Advance,
Nagesh Bhattu


You are currently subscribed to ntdev as: xxxxx@wipro.com
To unsubscribe send a blank email to %%email.unsub%%

Hi Sharoon,
Thanks a lot for the information given. But I still need the information
on how to enumerate all the users on the host and then I should impersonate
as each user to get the products installed for all the users. How can I do
this? Is there any sample application which does this?

Thanks,
Nagesh Bhattu

Hi Nagesh,

I think this can be done using Active Directory Service Interfaces. Check
out the link below for some information on this. Hope this is helpful!

http://www.winscriptingsolutions.com/Articles/Index.cfm?ArticleID=4734

Rgds,
Sharoon

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Nagesh Bhattu
Sent: Friday, November 29, 2002 3:58 PM
To: NT Developers Interest List
Subject: [ntdev] Re: System User on windows

Hi Sharoon,
Thanks a lot for the information given. But I still need the information
on how to enumerate all the users on the host and then I should impersonate
as each user to get the products installed for all the users. How can I do
this? Is there any sample application which does this?

Thanks,
Nagesh Bhattu

Hi Nagesh,

You can possibly try the NetUserEnum() API.

NET_API_STATUS NetUserEnum(
    LPCWSTR servername,
    DWORD level,
    DWORD filter,
    LPBYTE *bufptr,
    DWORD prefmaxlen,
    LPDWORD entriesread,
    LPDWORD totalentries,
    LPDWORD resume_handle
);

This function provides information about all user accounts on a server. The
parameter servername is a pointer to a constant Unicode string specifying
the name of the remote server on which the function is to execute. The
string must begin with \\. If this parameter is NULL, the local computer is
used.

MSDN has more information on this.

Rgds,
Sharoon

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Sharoon Shetty K
Sent: Friday, November 29, 2002 5:43 PM
To: NT Developers Interest List
Subject: [ntdev] Re: System User on windows

Hi Nagesh,

I think this can be done using Active Directory Service Interfaces. Check
out the link below for some information on this. Hope this is helpful!

http://www.winscriptingsolutions.com/Articles/Index.cfm?ArticleID=4734

Rgds,
Sharoon
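
An added example, not part of the original thread or of any poster's code: the NetUserEnum() call from Sharoon's reply above, driven in a loop that honours ERROR_MORE_DATA and the resume handle and frees each returned buffer. The names enum_local_users, user_cb and print_user are assumptions for illustration, and the non-Windows branch is a constructed stand-in (three made-up account names) so the loop can be exercised off Windows.

```c
#include <stdio.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#include <lm.h>                      /* link with netapi32.lib */
#else
/* Constructed stand-in for the Win32 declarations so the loop can be run
   off Windows: three made-up account names, handed out two per call. */
typedef unsigned long DWORD, NET_API_STATUS;
typedef unsigned char *LPBYTE;
typedef struct { const wchar_t *usri0_name; } USER_INFO_0;
#define NERR_Success          0
#define ERROR_MORE_DATA       234
#define FILTER_NORMAL_ACCOUNT 2
#define MAX_PREFERRED_LENGTH  ((DWORD)-1)
static USER_INFO_0 sample[] = { {L"Administrator"}, {L"Guest"}, {L"nagesh"} };
static NET_API_STATUS NetUserEnum(const wchar_t *server, DWORD level, DWORD filter,
        LPBYTE *buf, DWORD maxlen, DWORD *nread, DWORD *total, DWORD *resume)
{
    DWORD left = 3 - *resume;
    (void)server; (void)level; (void)filter; (void)maxlen;
    *buf = (LPBYTE)&sample[*resume];
    *nread = left > 2 ? 2 : left;
    *total = left;
    *resume += *nread;
    return *resume < 3 ? ERROR_MORE_DATA : NERR_Success;
}
static void NetApiBufferFree(void *p) { (void)p; }
#endif

typedef void (*user_cb)(const wchar_t *name, void *ctx);

/* Calls cb for every normal account on the local computer.
   Returns the number of accounts seen, or -1 if the enumeration failed. */
long enum_local_users(user_cb cb, void *ctx)
{
    DWORD resume = 0, nread = 0, total = 0, i;
    NET_API_STATUS st;
    long count = 0;
    do {
        LPBYTE buf = NULL;
        /* servername NULL = local computer; level 0 = account names only */
        st = NetUserEnum(NULL, 0, FILTER_NORMAL_ACCOUNT, &buf,
                         MAX_PREFERRED_LENGTH, &nread, &total, &resume);
        if (st == NERR_Success || st == ERROR_MORE_DATA)
            for (i = 0; i < nread; i++, count++)
                cb(((USER_INFO_0 *)buf)[i].usri0_name, ctx);
        if (buf) NetApiBufferFree(buf);  /* every call allocates a new buffer */
    } while (st == ERROR_MORE_DATA);     /* resume handle keeps the position */
    return st == NERR_Success ? count : -1;
}

static void print_user(const wchar_t *name, void *ctx) { (void)ctx; printf("%ls\n", name); }

int main(void)
{
    long n = enum_local_users(print_user, NULL);
    printf("%ld account(s)\n", n);
    return n < 0;
}
```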

Thank you for the information provided.
But I cannot run a process with a given user’s authentication, since none
of these functions give me the password for a user. Running as a given user
requires the password of the user. (I used the CreateProcessWithLogonW()
function to create a process as a user, which requires the password of a
user). Is there any other way to make the system process behave as all
the users on the host? On unix a super user can take hold of any user and
behave as any user. Is there a similar thing on windows?
Impersonation is primarily meant for client-server applications. But
my application should simulate all the users on the system and there won’t
be any client providing a given user’s authentication.

Thanks in advance for any more help,
Nagesh Bhattu

You have two choices:

  1. Call LsaLogonUser, passing the user’s SID and the SIDs of all his
    groups as ‘additional groups’.

  2. Implement a login provider, a big project.

It’s not so easy to get a complete group list when you are running as
LocalSystem. You can get the local groups from NetUser…, but the AD
may deny access when you try to point those APIs at an AD server.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Nagesh Bhattu
Sent: Sunday, December 01, 2002 10:50 AM
To: NT Developers Interest List
Subject: [ntdev] Re: System User on windows

Thank you for the information provided.
But I cannot run a process with a given user’s authentication, since
none of these functions give me the password for a user. Running as a
given user requires the password of the user. (I used the
CreateProcessWithLogonW() function to create a process as a user, which
requires the password of a user). Is there any other way to make the
system process behave as all the users on the host? On unix a super
user can take hold of any user and behave as any user. Is there a
similar thing on windows?
Impersonation is primarily meant for client-server applications.
But my application should simulate all the users on the system and there
won’t be any client providing a given user’s authentication.

Thanks in advance for any more help,
Nagesh Bhattu

Oh, I forgot to mention: you have to create a dummy user with a password
that your code knows to use as the base user and password to
LsaLogonUser.

> the users on the host? On unix a super user can take hold of any user and
> behave as any user. Is there a similar thing on windows?

No, since NT is better designed security-wise than UNIX. UNIX is just
plain too old.

Max