Menu
I create a service which is defined to Log On as Administrator.
This service performs system("net use Z: \... /user:user password") and completes successfully.
If I (as Administrator) run "net use" I see Z: indeed added, but with status - unavailable.
I tried adding ImpersonateLoggedOnUser to the service, but that didn't help.
OS: Win XP
What am I missing?
817
If Windows can't map your network drive, update your computer, and disconnect all peripherals. Additionally, give everyone access rights to the folder you want to share. Then enable file sharing support for Client and Server. If the issue persists, tweak your Registry Editor and set ProviderFlags value data to 1.
This behavior occurs because the systems can drop idle connections after a specified time-out period (by default, 15 minutes) to prevent wasting server resources on unused sessions. The connection can be re-established quickly, if necessary.
First, right-click or press-and-hold on the mapped network drive that you want to disconnect and select “Show more options.” Then, in the expanded context menu shown, select Disconnect to remove the mapped network drive.
ImpersonateLoggedOnUser doesn't impersonate the logon session from the user token, just the security context. CreateProcessAsUser, however, should be able to create a new process in the logon session associated with the specified user token.
Note that calling LogonUser to get a user token for CreateProcessAsUser won't work, because this token won't be in the same logon session as the logged-on user. You have to find one of the user's processes and duplicate its token.
Logon sessions are not well documented, but all you really need to know that each time a user is authenticated a distinct logon session is created, and that each such logon session has a distinct set of network drive mappings. Logon sessions are not the same as terminal services sessions.
In Windows Vista and above, two logon sessions are created when an administrative user logs in, one associated with the restricted token and one associated with the elevated token.
You can look up the logon session associated with a token using the GetTokenInformation function with the TokenStatistics option. The logon session is identified by the AuthenticationId LUID.
To make this work, your service would need to first figure out when a user has logged in, wait for a process associated with the new session to start, make sure it's not an elevated process, then duplicate the access token.
Instead, your best option is going to be to split the application into two components. One component will run as the user (you would probably launch this automatically using the Run key) and be responsible for mapping the network drive. It can contact the service to obtain any information it needs, either via a named pipe or a registry key.
164
Windows logs on Administrator and uses the logon token to start the service. If you logon interactively Windows creates a logon token for you. The two tokens are not related to each other. Mapped devices are mapped for one session/logon token, therefore if the service maps a device you do not see it in your logon session.
29
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
