Run App as User on RDS2012 without Credentials

Question

0.00/5 (No votes)

See more:

Afternoon All,

Hoping you can shed some light here, i have an application that runs on an RDS 2012 RD Session host, it loops through the the process list from Win32_Process and compiles a list of who is running a specific instance of an process.

Now, what i want to be able to achieve is to run the application as that user if it is not running, it is a requirement for all users to have this running at all times and if they manage to close it for what ever reason i need the app to be able to restart it.

I thought about impersonation, but usually you need the username and password, is there a way of starting the application under the user that is missing the process without needing their username/password?

Would appreciate any guidance here.

Regards
Dev

Posted 12-Jun-15 4:37am

Dev O'Connor

Updated 12-Jun-15 4:41am

v2

Add a Solution

Comments

Andy Lanng 12-Jun-15 10:52am

Have you looked into running this app as a service? You have not told us what language or event platform this will run in, but services can be started automatically on logon, with the logged on credentials, and can restart itself if it is stopped for any reason. You can even make it so it can't be stopped.
Another advantage is that it won't be visible to user unless they look at running services.

Andy Lanng 12-Jun-15 10:54am

Oh, you want to know the user who is logged on via rds? Trickier but doable. The service just has to look for remote connections and start logging at that stage, instead of running as the logged on user

Dev O'Connor 12-Jun-15 10:58am

Hi, Thanks for coming back to me, as there will be approx 50/60 users on this i dont want 50/60 users running the same EXE at the same time.

I am struggling to find the WMI tables etc required to get this information. If i can get the session id of the users then i can use WTSQueryUserToken or something a long this line but just cant seem to enumerate the users

would appreciate any pointers for WMI table?

Andy Lanng 12-Jun-15 11:06am

What language?
C# = ManagementObjectSearcher query= new ManagementObjectSearcher("SELECT * FROM Win32_UserProfile WHERE Loaded = True");

Dev O'Connor 15-Jun-15 3:41am

Hi,

Thanks for the infor thats great, it was VBNET but no problem, i already have the code its the select statement i was struggling with.

Based on the Reply from Dave Krekowiak below, would the application be inhibited from interacting from the desktop (i dont need the user to interact with the application)

Andy Lanng 15-Jun-15 4:03am

you don't need to interact with the desktops, you only need to see who's logged in. If you need to see what they are running then again, you don't need to interact with their desktop. All process information, and who is running the process is available, even how long a session has been idle. Almost all of this can be found using the technique I mentioned above.

Dev O'Connor 15-Jun-15 4:25am

Hi,

the windows service will not need to interact, but it will call an application (if not running) as the user, taht will interact with the users desktop such as GetForeGroundWindow() and it also interfaces with a VT420 session for searching for specific parameters / terms / window positions forming a part of PCI compliance.

Processes are fine and can be monitored but the called EXE will need to be able to interact with the desktop which i assume wouldnt be a problem?

Andy Lanng 15-Jun-15 4:39am

I see. Ok - Check out my solution

Dev O'Connor 15-Jun-15 4:55am

Hi,

The idea is that the service will call another EXE under the users context, the service exe will only monitor that the processing EXE is running as that user, if not, start it as that user. GPO block access to cmd prompt and task manager and other monitoring applications so the users cannot terminate the task, its merely if it doesnt auto start or crashes that causes the problem but i dont want 50/60 instances of the monitoring application running when RDS is at full capacity.

Andy Lanng 15-Jun-15 5:10am

2 point to make:

1: The service cannot start the exe on the other users desktop. See solution 1 for why.
2: If you want to monitor 50 / 60 desktops then you will need 50 / 60 monitors running.

The monitor need not be a resource hungry process. I suggest you take snapshots of the current activity (maybe every 60 seconds). After all, even the task monitor works by snapshots.

It will be VERY difficult to get the monitor.exes' talking directly to the reporting service. I suggest using the message queue. Each monitor.exe posts the current activity to the message queue (which is a very streamlined process btw) and the reporting service reads from this queue.

2 solutions

Solution 1

What kind of app is this that you're monitoring and trying to relaunch?

If it's an application that puts up any kind of user interface at all your users will not be able to see it, even if you launch the app as that user.

While it is possible to remotely launch an application, it is now IMPOSSIBLE for the user on that machine to interact with it. This is a security restriction imposed by Windows that you can not get around, for obvious reasons.

Posted 12-Jun-15 7:02am

Dave Kreskowiak

Comments

Dev O'Connor 15-Jun-15 3:40am

It's not a program tht they need to interact with, its an application that that interacts with their desktop with windows api calls sich as GetForegroundWindows().

Will the same restriction be applicable here?

Dave Kreskowiak 15-Jun-15 7:46am

Yep. You don't get to interact with the user desktop at all.

Dev O'Connor 15-Jun-15 17:29pm

Hi, so i have managed to achieve this by grabbing the users token and using this to fire the exe, all is working as expected, once i have cleaned up the code from testing i will post an update below.

Due to grabbing the token, which requires the SE_TCB_NAME privelige the service is having to run as Local Service, when i try and grab the windows identity and check WindowsPrincipal.IsInRole, they all return false. Is this becuase the service is running as LocalService? Is there any way i can check if the passed 'SID' / WindowsIdentity to return the users group membership?

they all return false for local groups to the machine and to domain groups - basically i need it not to action this for administrator accounts (elevated access causes a problem with the actual applicaiton being called due to being able to see all of the processes for all users)

Dave Kreskowiak 15-Jun-15 21:06pm

You might want to see what you actually grabbed. Don't just assume you got the token of the user logged in at the console.

Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Andy Lanng · Accepted Answer · 2015-06-14T22:40:00

Solution 2

A service can only run on the default desktop. If you need to monitor each users desktop activity then each session will require an exe to be running. There are ways you can hide the exe but they aren't so easy.

This article has a section on hiding apps from the taskbar.
How To Make a Windows Form App Truly Full Screen (and Hide Taskbar) in C#[^]

It is possible, but buggy and difficult, to hide the exe from other monitors such as task manager

Posted 14-Jun-15 22:40pm

Andy Lanng

Comments

Dev O'Connor 15-Jun-15 17:29pm

Hi, so i have managed to achieve this by grabbing the users token and using this to fire the exe, all is working as expected, once i have cleaned up the code from testing i will post an update below.

Due to grabbing the token, which requires the SE_TCB_NAME privelige the service is having to run as Local Service, when i try and grab the windows identity and check WindowsPrincipal.IsInRole, they all return false. Is this becuase the service is running as LocalService? Is there any way i can check if the passed 'SID' / WindowsIdentity to return the users group membership?

they all return false for local groups to the machine and to domain groups - basically i need it not to action this for administrator accounts (elevated access causes a problem with the actual applicaiton being called due to being able to see all of the processes for all users)

Andy Lanng 16-Jun-15 3:53am

hmm - I think you have exceeded my knowledge on this. I have never looked at user domains or groups via ManagementObjectSearcher. Post a new question and see if you can get any new hits.

Best of luck ^_^
I'll keep an eye out because this interests me also

Run App as User on RDS2012 without Credentials

2 solutions

Solution 1

Solution 2

Add your solution here

Preview 0

Run App as User on RDS2012 without Credentials

2 solutions

Solution 1

Solution 2

Add your solution here

Preview 0

Existing Members

...or Join us