I am trying to add certificates into a certificate store for the currently logged-in user. All of this must be done under a service (run with the LocalSystem account). The problem I faced is that (although I debugged the service source code successfully) when I check the certificate store using MMC (Microsoft Management Console), none of my certificates could be found. I searched through all the instances of certificate stores (current user, current service and local machine).
I tested the part of the code responsible for installing certificates into the intended store using another normal Windows MFC test application, and all the things worked OK!
The important functions I used in my service are CertAddCertificateContextToStore and CertOpenStore. I examined various options for the important 'dwFlags' parameter of the 'CertOpenStore' function according to MSDN, but in no case did I find the certificates. I even checked the MSDN-referenced paths in the registry pertinent to certificate store locations.
Thanks

Use a separate process which runs under the currently logged-on user and launch it from the Windows service. You must use something like CreateProcessAsUser() or CreateProcessWithTokenW() to launch it.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms682429%28v=vs.85%29.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/ms682434%28v=vs.85%29.aspx
Not tested, but you should also check the ImpersonateLoggedOnUser() function if you don't want a separate process:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa378612%28v=vs.85%29.aspx

Thank you, modoran.
But how can we get the currently logged-in user when we are in the context of another user (here LocalSystem) in the service? This is not easy to find, and I checked the internet to find an answer for it, but I failed.
Under the service, all the things change and even 'HKEY_CURRENT_USER' in the registry refers to the new user context.
This is my main problem, and until I can find an understandable answer for it, I cannot continue. After that, we should find a way to produce or retrieve a token handle assigned to the current user to be able to use the aforementioned functions for creating processes.
It is surprising that the 'Certificate Propagation' service from Windows does this for the current user. But the way behind this service is unclear, at least for me.
Thanks

The steps are these:
1. Get a primary process (OpenProcessToken); usually explorer.exe or winlogon.exe is the best candidate.
2. Create a primary copy of this token (DuplicateTokenEx).
3. Modify the session id of the replica (SetTokenInformation).
4. Create a new temporary process using that token with CreateProcessAsUser.
Read this for more information:
http://blogs.msdn.com/b/winsdk/archive/2009/07/14/launching-an-interactive-process-from-windows-service-in-windows-vista-and-later.aspx
http://www.codeproject.com/Articles/18367/Launch-your-application-in-Vista-under-the-local-s
http://www.codeproject.com/Articles/36581/Interaction-between-services-and-applications-at-u