Unable to access network shared directory by UNC with process started by CreateProcessAsUser

Stephan Bielmann 11 Reputation points
2021-09-29T11:38:08.977+00:00

We have a Windows service written in C++ that does start other programs with CreateProcessAsUser() as different users with LogonUser(). Code below shows how we do this. Our service is started with Local System account.

One of these programs accesses a network shared directory provided by UNC path, e.g. \otherpc\somedirectory. We have now a single customer where this does not work. The program started with CreateProcessAsUser() can not access that directory at all.

The user provided to LogonUser() does have all required permissions, when manually logged in with this user in Windows, \otherpc\somedirectory is visible, files can be read from that directory. Also when starting the service with that particular user, instead of Local System account, everything works fine too.

Any help appreciated.

HANDLE hToken;
LogonUser(User, myDomain, Password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken)

STARTUPINFO si = {0};
PROCESS_INFORMATION pi = {0};

si.cb = sizeof(STARTUPINFO);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = FALSE;

CreateProcessAsUser(
hToken, appPath,NULL,
NULL,
NULL,
FALSE,
CREATE_NO_WINDOW,
NULL,
NULL,
&si,
&pi
);

Windows API - Win32
Windows API - Win32
A core set of Windows application programming interfaces (APIs) for desktop and server applications. Previously known as Win32 API.
2,516 questions
C++
C++
A high-level, general-purpose programming language, created as an extension of the C programming language, that has object-oriented, generic, and functional features in addition to facilities for low-level memory manipulation.
3,631 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Gary Nebbett 5,846 Reputation points
    2021-09-30T09:01:45.52+00:00

    Hello @Stephan Bielmann ,

    I would suggest making a network trace of the activity as the client attempts to access the share. This would give clarity on why/how the share access fails and, presuming that the failure is related to authentication, also give an indication of why the authentication failed. A broad (unfiltered) network trace would also capture Kerberos traffic, which may well be useful in understanding the problem.

    Gary

    0 comments No comments