Network drive is unavailable if mapped by service

I create a service which is defined to Log On as Administrator.
This service performs system("net use Z: \... /user:user password") and completes successfully.

If I (as Administrator) run "net use" I see Z: indeed added, but with status - unavailable.

I tried adding ImpersonateLoggedOnUser to the service, but that didn't help.

OS: Win XP

What am I missing?

GK. asked Dec 01 '11 09:12


2 Answers

ImpersonateLoggedOnUser doesn't impersonate the logon session from the user token, just the security context. CreateProcessAsUser, however, should be able to create a new process in the logon session associated with the specified user token.

Note that calling LogonUser to get a user token for CreateProcessAsUser won't work, because this token won't be in the same logon session as the logged-on user. You have to find one of the user's processes and duplicate its token.

Logon sessions are not well documented, but all you really need to know is that each time a user is authenticated a distinct logon session is created, and that each such logon session has a distinct set of network drive mappings. Logon sessions are not the same as terminal services sessions.

In Windows Vista and above, two logon sessions are created when an administrative user logs in, one associated with the restricted token and one associated with the elevated token.

You can look up the logon session associated with a token using the GetTokenInformation function with the TokenStatistics option. The logon session is identified by the AuthenticationId LUID.

To make this work, your service would need to first figure out when a user has logged in, wait for a process associated with the new session to start, make sure it's not an elevated process, then duplicate the access token.

Instead, your best option is going to be to split the application into two components. One component will run as the user (you would probably launch this automatically using the Run key) and be responsible for mapping the network drive. It can contact the service to obtain any information it needs, either via a named pipe or a registry key.

Harry Johnston answered Sep 21 '22 16:09
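The two token checks this answer describes (reading the logon session LUID with GetTokenInformation/TokenStatistics, and making sure the candidate process is not the elevated one) as an added PowerShell example; this is not code from the question or from either answer. It P/Invokes the Win32 calls the answer names and assumes Windows Vista or later (TokenElevationType and PROCESS_QUERY_LIMITED_INFORMATION do not exist on XP) and an elevated PowerShell so that other users' process tokens can be opened; the function and struct names are this example's own.

```powershell
# Added example, not from the original question or answers.
# Reads TOKEN_STATISTICS.AuthenticationId (the logon session LUID) and the UAC
# elevation type of a process token, the checks a service would have to make
# before duplicating a user's token for CreateProcessAsUser.
# Assumes Windows Vista+ and an elevated prompt (run it non-elevated and most
# OpenProcessToken calls on other users' processes fail with error 5).
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class TokenInfo
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_STATISTICS from winnt.h; only AuthenticationId is used here.
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_STATISTICS
    {
        public LUID TokenId;
        public LUID AuthenticationId;   // LUID of the logon session
        public long ExpirationTime;
        public int  TokenType;
        public int  ImpersonationLevel;
        public uint DynamicCharged;
        public uint DynamicAvailable;
        public uint GroupCount;
        public uint PrivilegeCount;
        public LUID ModifiedId;
    }

    public const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    public const uint TOKEN_QUERY = 0x0008;
    public const int  TokenStatistics    = 10;   // TOKEN_INFORMATION_CLASS values
    public const int  TokenElevationType = 18;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, int len, out int needed);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@

function Get-TokenSession {
    param([Parameter(Mandatory=$true)][int]$ProcessId)
    $M = [Runtime.InteropServices.Marshal]
    $hProc = [TokenInfo]::OpenProcess([TokenInfo]::PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId): error $($M::GetLastWin32Error())" }
    $hTok = [IntPtr]::Zero
    try {
        if (-not [TokenInfo]::OpenProcessToken($hProc, [TokenInfo]::TOKEN_QUERY, [ref]$hTok)) {
            throw "OpenProcessToken($ProcessId): error $($M::GetLastWin32Error())"
        }
        $needed    = 0
        $statsType = [type][TokenInfo+TOKEN_STATISTICS]
        $size      = $M::SizeOf($statsType)
        $buf       = $M::AllocHGlobal($size)
        if (-not [TokenInfo]::GetTokenInformation($hTok, [TokenInfo]::TokenStatistics, $buf, $size, [ref]$needed)) {
            throw "GetTokenInformation(TokenStatistics): error $($M::GetLastWin32Error())"
        }
        $stats = $M::PtrToStructure($buf, $statsType)
        $M::FreeHGlobal($buf)
        # TOKEN_ELEVATION_TYPE: 1 = Default (no UAC split), 2 = Full (elevated), 3 = Limited
        $buf  = $M::AllocHGlobal(4)
        $elev = if ([TokenInfo]::GetTokenInformation($hTok, [TokenInfo]::TokenElevationType, $buf, 4, [ref]$needed)) { $M::ReadInt32($buf) } else { 0 }
        $M::FreeHGlobal($buf)
        $id = $stats.AuthenticationId
        New-Object PSObject -Property @{
            ProcessId = $ProcessId
            Name      = (Get-Process -Id $ProcessId).ProcessName
            LogonId   = ('0x{0:x}:0x{1:x}' -f $id.HighPart, $id.LowPart)
            Elevated  = ($elev -eq 2)
        }
    } finally {
        if ($hTok -ne [IntPtr]::Zero) { [void][TokenInfo]::CloseHandle($hTok) }
        [void][TokenInfo]::CloseHandle($hProc)
    }
}

# Survey a few processes. Service-account sessions use well-known LUIDs:
# SYSTEM 0x3e7, LOCAL SERVICE 0x3e5, NETWORK SERVICE 0x3e4 (visible on svchost
# instances). explorer.exe is in the interactive user's session; an elevated
# PowerShell started through UAC shows the same user in a different session
# with Elevated = True, which is the second logon session the answer mentions.
Get-Process explorer, svchost, powershell -ErrorAction SilentlyContinue |
    ForEach-Object { try { Get-TokenSession $_.Id } catch { } } |
    Format-Table ProcessId, Name, LogonId, Elevated -AutoSize

# The token a service would duplicate: a non-elevated process in the user's
# interactive session (explorer.exe is the usual choice).
function Find-UserSessionProcess {
    $p = Get-Process explorer -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($p) { Get-TokenSession $p.Id | Where-Object { -not $_.Elevated } }
}
Find-UserSessionProcess
```

The LogonId column is the same LUID that `whoami /logonid` reports for the session you run the survey from, so you can confirm by eye that the elevated console, the non-elevated desktop and the SYSTEM services are three different logon sessions, each with its own drive-letter table.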


Windows logs on Administrator and uses the logon token to start the service. If you log on interactively, Windows creates a logon token for you. The two tokens are not related to each other. Mapped devices are mapped for one session/logon token, therefore if the service maps a device you do not see it in your logon session.

Werner Henze answered Sep 21 '22 16:09
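The behaviour both answers describe, reproduced end to end, as an added PowerShell example that is not code from the question or either answer: a drive mapped from another logon session (SYSTEM via a scheduled task, standing in for the service) is not usable from the interactive session, followed by the fix Harry Johnston's answer recommends, a per-user component under the Run key that maps the drive inside the user's own session and takes the share path from a registry value the service writes. Assumptions: an elevated PowerShell on Windows 7 or later; `\\fileserver\share`, `DOMAIN\user`, the password, the MapDemo task and key names and the mapper script are placeholders chosen for this example. Like the `system("net use ... /user:user password")` call in the question, step 1 puts the password into a command file, which is the same exposure a real service should avoid.

```powershell
# Added example, not from the original question or answers.
# Assumes Windows 7+ and an elevated PowerShell; all names below are placeholders.
$Share = '\\fileserver\share'        # placeholder
$User  = 'DOMAIN\user'               # placeholder
$Pass  = 'password'                  # placeholder; exposed on disk only for the demo
$Log   = "$env:windir\Temp\mapdemo.log"
$Bat   = "$env:windir\Temp\mapdemo.cmd"

# 1. Map Z: from the SYSTEM logon session (well-known LUID 0x3e7) and record
#    what that session sees. schtasks /ru SYSTEM gives us "a service" without
#    writing one.
@"
@echo off
whoami /logonid                                    >  "$Log"
net use Z: $Share /user:$User $Pass /persistent:no >> "$Log" 2>&1
net use                                            >> "$Log" 2>&1
"@ | Set-Content -Path $Bat -Encoding ASCII
schtasks /create /tn MapDemo /tr $Bat /sc once /st 00:00 /ru SYSTEM /f | Out-Null
schtasks /run /tn MapDemo | Out-Null
Start-Sleep -Seconds 5
schtasks /delete /tn MapDemo /f | Out-Null
Remove-Item $Bat -Force      # do not leave the password lying around

'--- seen from the SYSTEM logon session ---'
Get-Content $Log

# 2. Same machine, same moment, the interactive logon session: a different
#    logon ID, and Z: is absent or listed as Unavailable, as in the question.
'--- seen from this interactive logon session ---'
whoami /logonid
net use
"Z: usable here: $(Test-Path 'Z:\')"

# 3. The fix: a small mapper that runs as the logged-on user, inside that
#    user's logon session, at logon (HKCU Run key). The UNC path comes from an
#    HKLM value that only administrators (i.e. the service) can write, so a
#    standard user cannot point the mapping at a share of their choosing.
$Mapper = "$env:ProgramData\MapDemo\Map-Share.ps1"
New-Item -ItemType Directory -Force -Path (Split-Path $Mapper) | Out-Null
@'
# Runs as the interactive user; the mapping lands in that user's logon session.
$share = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\MapDemo' -ErrorAction Stop).Share
net use Z: $share /persistent:no
'@ | Set-Content -Path $Mapper -Encoding ASCII

New-Item -Path 'HKLM:\SOFTWARE\MapDemo' -Force | Out-Null
Set-ItemProperty -Path 'HKLM:\SOFTWARE\MapDemo' -Name Share -Value $Share   # the service's job
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name MapDemo `
    -Value "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$Mapper`""
```

Two caveats when you run this. The mapper in step 3 authenticates as the logged-on user; if the share needs the separate credentials the question passes to `net use`, have the mapper fetch them from the service over a named pipe, as the answer suggests, rather than from a registry value every local user can read. And on Vista and later the elevated console you ran this from is itself a separate logon session from the user's desktop, so a drive mapped by the Run-key mapper will show up in Explorer and non-elevated programs but not in an elevated `net use`; that is the two-session split Harry Johnston's answer describes, not a failure of the fix.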