
Control user session from System account


KenE

I'm not so sure if this is even possible, I've tried searching for solutions and come up with nothing I like. I'm looking for a way to interact with a user's session with a compiled script that was executed under the System account. I'm not sure if I can post product names here, so let's just say I use a well known imaging utility that has its own management console. I can use this to remotely execute programs on any number of machines. The problem is that everything is run under the System user. I have no way of interacting with the current user's session, or writing to their registry settings. What I don't want is a solution that uses RunAsSet; keeping a list of usernames and passwords stored seems really insecure. Does anyone know of a way to get the SID of the current interactive login, then use this to execute files or write to that registry, without providing that user's credentials? Maybe I'm missing something obvious and this is simple, or maybe it can't be done. I'd appreciate any suggestions anyone may have. Thanks!


What is it you ultimately want to do?

You want to import registry keys into a currently logged-in user?

You want to run apps in the user's session interactively?

You want to remote control the PC?

What "imaging app" are you talking about?

---"Educate the Mind, Make Savage the Body" -Mao Tse Tung


Sorry, I thought I explained enough to get started...

I use Symantec Ghost Enterprise (now Ghost Solution Suite).

I can already run things under the System account, that's not what I need.

I need to be able to write to the currently (interactive) logged in user's registry settings (HKCU).

I need to be able to run applications (any .exe) interactively within the currently (interactive) logged in user's profile.

All this needs to be done from a compiled script that is launched under the local System account.

All this needs to be done without the help of RunAsSet and a username/password list.

Thanks for your replies!

I have tried automating the task scheduler (command line switches), but in XP SP2, you cannot (that I know of) add a task with the option to only run if a user is logged on. This was the closest I have come to getting this to work. If I borrow the task scheduler exe (schtasks.exe) from a W2k3 server, the option to run only if the user is logged on is available, but it doesn't work. I can schedule the task, but it always fails to start. The task really should be unaware of which account it was created under, and so long as the security permissions are correct, it should run, but it doesn't. There must be more to a scheduled task than you can see from the GUI. The goal here was to create a task that would run under the current user, 1 minute from now, and launch my application(s) under the current user's profile. When you check the run only if logged on checkbox, you don't need to enter user credentials, it runs under whomever is logged on. I assume that there's a good reason this doesn't work, or the schtasks.exe included with XP would probably have this option. I haven't explored the option of using another method of interfacing with the task scheduler, just the command line. Maybe some other method exists? I've been scripting since way back, so the command line is where I usually start.


@KenE

Maybe this can fit your need, but I am not sure.

CMD.EXE under Local System Account

Never encountered your situation, I had made an example to run an AU3 as a service.

See my signature.

This runs fine. But then again I don't check if the user is logged in or not.

Anyhow I hope you find the solution.

Regards

ptrex


For applying registry entries to currently logged in users you can do that with Regedit already. You just have to apply any setting you want to the valid HKUSER\{SID} key.

Now I'm curious, what applications would you want to run as a regular user that you couldn't run with a system account? Why would you want to do that?

Maybe if you gave more details we could provide an alternate solution to your overall goals (if your specific needs cannot be met).

-B

---"Educate the Mind, Make Savage the Body" -Mao Tse Tung


@blademonkey

Do you have a suggestion as to how to obtain the SID of the user that is interactively logged on to a system via a script running from the System account? I haven't really looked into this just yet. Something as simple as setting a user's default printer, or installing any other software that writes to the current user's registry and/or saves files within that user's profile. There's plenty of software out there that does this, and because I already have a management tool that I use, I'd like to be able to deploy these types of apps as well. It would at least be a start if I could write to the registry for that user. I could work on the rest later. I'm not trying to be secretive about the apps I'm running, there have been plenty of them that don't run well under the System account, and plenty that do. My immediate need is to identify the SID of the user to be able to modify their registry.


Blademonkey is getting closer I think, but what he's looking for is a way to do this via AutoIt. I actually ran into this same problem. I'm noticing that tools like PSEXEC and such aren't as great as they used to be on Vista. I can't properly run things in the interactive user's session anymore using psexec.

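The HKEY_USERS\<SID> approach raised in the thread, sketched in PowerShell as an added example (not code from any poster, and not AutoIt): running as Local System, it resolves the console user's SID and writes a value into that user's loaded hive without any stored credentials. The function names and the sample key and value are constructed for illustration.

```powershell
# Added example. Run as LocalSystem while a user is logged on at the console.

function Get-ConsoleUserSid {
    # Win32_ComputerSystem.UserName is DOMAIN\user for the console session.
    # It is empty when nobody is logged on at the console, and it does not
    # report users who are connected only through Remote Desktop.
    $name = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if ([string]::IsNullOrEmpty($name)) { return $null }

    # Translate the account name to its SID; no password is involved.
    $account = New-Object System.Security.Principal.NTAccount($name)
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Set-LoggedOnUserRegistryValue {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value
    )
    # Accept only a well-formed SID so nothing else ends up in the key path.
    if ($Sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Unexpected SID format: $Sid" }

    # The user's HKCU is mounted at HKEY_USERS\<SID> only while the profile
    # is loaded, i.e. while that user is logged on.
    $hive = "Registry::HKEY_USERS\$Sid"
    if (-not (Test-Path -Path $hive)) { throw "Hive for $Sid is not loaded" }

    $key = "$hive\$SubKey"
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -Value $Value `
        -PropertyType String -Force | Out-Null
}

$sid = Get-ConsoleUserSid
if ($sid) {
    # Constructed sample key and value, not taken from the thread.
    Set-LoggedOnUserRegistryValue -Sid $sid `
        -SubKey 'Software\ExampleVendor\ExampleApp' -Name 'Configured' -Value '1'
} else {
    Write-Warning 'No console user is logged on; nothing written.'
}
```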
