Unable to access network shared directory by UNC with process started by CreateProcessAsUser

Question

Unable to access network shared directory by UNC with process started by CreateProcessAsUser

Stephan Bielmann 11

We have a Windows service written in C++ that does start other programs with CreateProcessAsUser() as different users with LogonUser(). Code below shows how we do this. Our service is started with Local System account.

One of these programs accesses a network shared directory provided by UNC path, e.g. \otherpc\somedirectory. We have now a single customer where this does not work. The program started with CreateProcessAsUser() can not access that directory at all.

The user provided to LogonUser() does have all required permissions, when manually logged in with this user in Windows, \otherpc\somedirectory is visible, files can be read from that directory. Also when starting the service with that particular user, instead of Local System account, everything works fine too.

Any help appreciated.

HANDLE hToken;
LogonUser(User, myDomain, Password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken)

STARTUPINFO si = {0};
PROCESS_INFORMATION pi = {0};

si.cb = sizeof(STARTUPINFO);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = FALSE;

CreateProcessAsUser(
hToken, appPath,NULL,
NULL,
NULL,
FALSE,
CREATE_NO_WINDOW,
NULL,
NULL,
&si,
&pi
);

David Lowndes 4,726 Reputation points

2021-09-29T11:43:42.81+00:00

Does your real code check the return values of the API calls?
Which (if any) fail, and what is the error code?
Stephan Bielmann 11 Reputation points

2021-09-29T12:02:14.9+00:00

Hello David,

sorry, forgot to mention that. Yes, all return codes are checked. I verified that LogonUser() is doing what I expect of it, with user/domain/password provided. CreateProcessAsUser() does start the program as the impersonated user given by LogonUser(). All good on that end.

The code works on all installations, with the one single exception where the program executed with CreateProcessAsUser() can not access the directory provided by the UNC path. But the user provided to LogonUser() has all the permissions to that path.
RLWA32 49,301 Reputation points

2021-09-29T12:08:35.457+00:00

To better simulate an interactive logon you could try loading the profile for the user account, creating an appropriate environment for the user account and passing that environment to CreateProcessAsUser.
RLWA32 49,301 Reputation points

2021-09-29T12:43:35.723+00:00

Is there an error message/code available for the instance where access to the share fails?
Stephan Bielmann 11 Reputation points

2021-09-30T06:46:13.487+00:00

First thing the program does is FindFirstFileEx(), which returns an INVALID_HANDLE_VALUE, and GetLastError() returns 0.
Stephan Bielmann 11 Reputation points

2021-09-30T06:47:11.89+00:00

Tried this out, however did not change anything.
David Lowndes 4,726 Reputation points

2021-09-30T08:06:29.28+00:00

And just to clarify, your code doesn't do anything between calling FindFirstFileEx, checking the return value, and then calling GetLastError - i.e. something that may reset the error?

Is there any 3'rd party software (AV. or other low-level "security" software) that this user has installed?
Stephan Bielmann 11 Reputation points

2021-09-30T09:41:25.517+00:00

GetLastError() was not called right after FindFirstFileEx(), thank you for pointing me there.
Stephan Bielmann 11 Reputation points

2021-09-30T09:44:32.747+00:00

Problem solved. The code is working correctly. The unfortunate combination of GetLastError() at the wrong place and the customer having misconfigured the credentials on the network share.

Thank you again for your most valuable help !

1 answer

Your answer

David Lowndes 4,726 Reputation points

2021-09-29T11:43:42.81+00:00

Does your real code check the return values of the API calls?
Which (if any) fail, and what is the error code?
Stephan Bielmann 11 Reputation points

2021-09-29T12:02:14.9+00:00

Hello David,

sorry, forgot to mention that. Yes, all return codes are checked. I verified that LogonUser() is doing what I expect of it, with user/domain/password provided. CreateProcessAsUser() does start the program as the impersonated user given by LogonUser(). All good on that end.

The code works on all installations, with the one single exception where the program executed with CreateProcessAsUser() can not access the directory provided by the UNC path. But the user provided to LogonUser() has all the permissions to that path.
RLWA32 49,301 Reputation points

2021-09-29T12:08:35.457+00:00

To better simulate an interactive logon you could try loading the profile for the user account, creating an appropriate environment for the user account and passing that environment to CreateProcessAsUser.
RLWA32 49,301 Reputation points

2021-09-29T12:43:35.723+00:00

Is there an error message/code available for the instance where access to the share fails?
Stephan Bielmann 11 Reputation points

2021-09-30T06:46:13.487+00:00

First thing the program does is FindFirstFileEx(), which returns an INVALID_HANDLE_VALUE, and GetLastError() returns 0.
Stephan Bielmann 11 Reputation points

2021-09-30T06:47:11.89+00:00

Tried this out, however did not change anything.
David Lowndes 4,726 Reputation points

2021-09-30T08:06:29.28+00:00

And just to clarify, your code doesn't do anything between calling FindFirstFileEx, checking the return value, and then calling GetLastError - i.e. something that may reset the error?

Is there any 3'rd party software (AV. or other low-level "security" software) that this user has installed?
Stephan Bielmann 11 Reputation points

2021-09-30T09:41:25.517+00:00

GetLastError() was not called right after FindFirstFileEx(), thank you for pointing me there.
Stephan Bielmann 11 Reputation points

2021-09-30T09:44:32.747+00:00

Problem solved. The code is working correctly. The unfortunate combination of GetLastError() at the wrong place and the customer having misconfigured the credentials on the network share.

Thank you again for your most valuable help !

Answer 1

Gary Nebbett 6,211

Hello @Stephan Bielmann ,

I would suggest making a network trace of the activity as the client attempts to access the share. This would give clarity on why/how the share access fails and, presuming that the failure is related to authentication, also give an indication of why the authentication failed. A broad (unfiltered) network trace would also capture Kerberos traffic, which may well be useful in understanding the problem.

Gary

Share via

Unable to access network shared directory by UNC with process started by CreateProcessAsUser

1 answer

Your answer