‘Allow service to interact with desktop’ option not available when configuring windows service with an account other than local system - windows-services

Why is the option ‘Allow service to interact with desktop’ only available for the Local System account and not for any other account when configuring a Windows service from the Control Panel? I want to configure the Windows service to allow interaction with the desktop irrespective of the account it is configured to run with. How can I achieve this?

That is a good question! I have never seen an official explanation from Microsoft, but I would guess that the reason has to do with permissions and rights and not wanting to mislead users.
Not all users are created equal. Some do not have the rights to display a user interface on session 0, or interact fully with arbitrary programs (and resources) it is running alongside. Having those users able to show GUI elements from a service may lead to confusion. For example, if a user account having limited rights starts an instance of Windows Explorer as a service, that window may not be able to accept dropped files from a "regular" explorer started by the interactive user. This sort of thing may be very difficult to diagnose and explain!
Note that Windows can certainly do what you like and we code it all the time in our service applications (http://www.CoreTechnologies.com/). Windows is simply not making that option available to you for any arbitrary user.
Of course, please take a step back and beware of the changes in Vista. "Session 0 Isolation" is a game changer for interactive Windows Services!

Related

How to receive keyboard input from application with admin privileges to a non-admin application?

I have programmed an application that has an overlay-kind of window that can be shown and hidden via hotkey while another application has the focus. Said other application is a DirectX game that runs with admin privileges.
I have already tried 3 possible solutions to get notified when my hotkey is pressed in the other application, 2 of them kind of work, but require my application to have administrative privileges too. That is kind of acceptable, but I'd much rather have a solution that does not require those privileges. I am sure that there has to be a way, since applications like TeamSpeak do manage to receive input without being run as admin.
What I have tried already:
RegisterHotkey - not suitable because it doesn't work while in DirectX windows.
SetWindowsHookEx - works as a general keyboard hook, but only with admin privileges.
GetAsyncKeyState - works to check the specified hotkey, but not without admin privileges yet again.
So yeah, I'd be really grateful if someone could provide an idea for a different solution since there is nothing more I could think of ... I am using Delphi, but since I'm relying on Windows API anyways I don't think the solution will be language specific.
I think TeamSpeak uses DirectInput for its hotkeys (a nice fit for you if you are already using DirectX). As for interacting with elevated programs, I think the only solution, and I believe the one TeamSpeak uses, is to embed an application manifest that sets uiAccess=true. This allows you to bypass UIPI without needing to run the application as administrator.
http://msdn.microsoft.com/en-us/library/bb756929.aspx
For this to work there are a few caveats:
The application must be authenticode signed
The application must reside in a protected directory (\ProgramFiles\,\system32)
You can self-sign the application (as the alternative is expensive!) but you have to distribute the certificate manually and install it on any system running the application in question.

Windows Service + Run application in System Tray

I have a Delphi application running on a server. This application does some critical work with my DB, which is used by other applications, and executes when a user logs in to Windows. It is all working fine, but it turns out the server's administrator sometimes reboots the server and does not log in to Windows. The server stays at the Windows login screen and my application doesn't start.
After a little research I decided to create a Windows Service to start my application even before a user logs in to Windows. But I have two forms. One form shows the current process that my application is executing and the other one edits a .ini file that is used to configure the first form.
What I need is to create a service that starts my application before a user logs in to Windows and, after logging in, show my forms or open it but minimize it to the System Tray.
Is it possible to use Windows Service with this behavior and minimize my forms to the System Tray?
A service cannot display a UI at all (including a System Tray icon) in Vista onwards, and it is discouraged in earlier versions. In all versions of Windows, you should be separating the UI out into its own non-service application that can be run by a logged-in user, manages the system tray icon for that user's tray, and communicates with the backend service as needed using any number of available IPC mechanisms (pipes, sockets, COM, RPC, WCF, etc).
Well, you can have a form in a service, but it has to run as Administrator and must be set up as an interactive service.
I've used SVCOM to create nice services with tray icons and a form that can minimize to system tray.
Have a look here: http://www.aldyn.ru/products/index.html
Hope this helps

Which user account to use for service?

I am creating a utility that runs as a service and starts applications. As long as I log in as an admin and start the service it will run the applications. I log out and the service (and applications) continue to run. But, if another user logs in with different credentials they cannot access the front end GUI of the applications started by the service utility.
I was wondering if there is a built in account which I could use that may solve the issue? Or if anyone has any ideas or insight in the matter?
Windows Services can only be set to "interactive" when run in the system account. Notice the placement of the "Allow service to interact with desktop" checkbox on the Log On tab when configuring the service (via the Control Panel Services application).
Beyond that, are the other users logging in via RDP? Run mstsc with the "/admin" flag to ensure that they are going to Session 0 where the service will display its windows.
And finally, beware interactive services! You are probably on Windows XP or 2003 which is why it kind-of works, but Windows Vista, 7 and 2008 behave very differently (search for "Session 0 isolation").
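An added example, not part of the original posts: a read-only PowerShell audit that finds services carrying the "interact with desktop" flag discussed here and in the first question, and shows the account each one runs as. It assumes the standard service database location in the registry; the function name `Get-InteractiveService` is hypothetical, and treating a missing `ObjectName` as LocalSystem is this example's own handling.

```powershell
# Added example. Reads the registry only; changes nothing.
$SERVICE_WIN32               = 0x30    # SERVICE_WIN32_OWN_PROCESS (0x10) | SERVICE_WIN32_SHARE_PROCESS (0x20)
$SERVICE_INTERACTIVE_PROCESS = 0x100   # bit the "Allow service to interact with desktop" checkbox sets in Type

function Get-InteractiveService {
    param([string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $p -or $null -eq $p.Type) { return }               # key without a Type value
        $type = [int]$p.Type
        if (($type -band $SERVICE_WIN32) -eq 0) { return }               # driver entry, not a Win32 service
        if (($type -band $SERVICE_INTERACTIVE_PROCESS) -eq 0) { return } # flag not set

        # Assumption of this example: no ObjectName value is treated as LocalSystem.
        $account = if ($p.ObjectName) { [string]$p.ObjectName } else { 'LocalSystem' }

        [pscustomobject]@{
            Name           = $_.PSChildName
            Account        = $account
            Type           = '0x{0:X}' -f $type
            # The checkbox is only offered for LocalSystem, so any other account
            # holding the flag deserves a closer look.
            NotLocalSystem = $account -notmatch '^(\.\\)?LocalSystem$'
            ImagePath      = $p.ImagePath
        }
    }
}

Get-InteractiveService | Sort-Object Name | Format-Table -AutoSize -Wrap
```

Every row is a service that asks to show UI in Session 0 while running with LocalSystem rights, which is the combination the answers above warn about.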

Restrict Delphi 7 pgm to corporate LAN

Situation: I have a licencing program that I wrote in Delphi 7; this allows users to create licences for products that have been sold. There is a security risk with this because any employee could sell the products from home and take the licencing program home and create licences - they would be stealing and we would never know!
I thought it might be a good idea to restrict the licencing pgm to run only when it's inside the corporate LAN.
Is it advisable to do things like looking for the existence of a named server, or to test if it's being run on a particular subnet? And if so, any examples would be welcome :)
There is one easy solution: Make it a web service or at least implement the license creation only on an application that runs on one or more servers. This would allow everybody who can access the server(s) via network to create licenses. Outside of your network - protected by a firewall - no access is possible and therefore no-one can create licenses on his/her own.
One thing to include in the mix is the domain of the computer. Most businesses have a domain that will be harder to reproduce. For an app you are developing for internal use, you could check for presence of a number of servers too.

How to prevent from changing a Windows Service Startup Type?

I created a Windows service and installed it on the user's machine.
That Windows service is very important and I do not want the user to be able to change its startup type to "disable".
It seems "Plug and Play" service can disable the Startup drop-down listbox.
How can I make same behavior for my windows service?
I would imagine it has to do with setting the appropriate permissions on the registry key. But a user with sufficient permissions can do anything. If this is for a business application, I would try to stick to using group policy or user permissions. If this is for a commercial application then I would expect a lot of upset users and malware detection.
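An added example, not part of the original answer: a read-only PowerShell check of who is allowed to modify a service's registry key, which is where the startup type is stored as the `Start` value. It assumes the key the answer refers to is the service's own key under `HKLM:\SYSTEM\CurrentControlSet\Services`; the function name `Get-ServiceKeyWriter` is hypothetical, and `PlugPlay` is used as the sample because the question mentions the Plug and Play service.

```powershell
# Added example. Reads the key's ACL only; changes nothing. Run elevated if access is denied.
function Get-ServiceKeyWriter {
    param([Parameter(Mandatory)][string]$ServiceName)

    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -LiteralPath $path)) { throw "No service key for '$ServiceName'" }

    # Rights that let a principal rewrite Start or re-permission the key.
    $writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $writeMask = $writeMask -bor 0x50000000      # GENERIC_ALL | GENERIC_WRITE, seen on inheritable ACEs

    $acl   = Get-Acl -LiteralPath $path
    $start = (Get-ItemProperty -LiteralPath $path).Start   # 2 = Automatic, 3 = Manual, 4 = Disabled

    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.RegistryRights) -band $writeMask) -ne 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Service   = $ServiceName
                Start     = $start
                Owner     = $acl.Owner
                Principal = $_.IdentityReference.Value
                Rights    = $_.RegistryRights
                Inherited = $_.IsInherited
            }
        }
}

# Sample call; replace PlugPlay with the service being reviewed.
Get-ServiceKeyWriter -ServiceName 'PlugPlay' | Format-Table -AutoSize -Wrap
```

Any principal listed beyond the administrative accounts you expect can change the startup type by writing to the key directly, whatever the Services console shows.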
