CreateProcessAsUser from service fails with 233 (FUS, Windows XP)

325 views
Skip to first unread message

blac...@mail.ru

unread,
Aug 15, 2007, 8:14:00 PM8/15/07
to
Hi.
I'm having a very strange behavior - CreateProcessAsUser fails with
error 233 (No process is on the other end of the pipe) when called
from service
while logon screen active. Service tries to create a process when new
console
session connected, so when it receives the
SERVICE_CONTROL_SESSIONCHANGE
notofication with the WTS_CONSOLE_CONNECT, it obtains a user token
(via WTSQueryUserToken or OpenProcessToken/DuplicateTokenEx/
SetTokenInformation
- no sense), waits a little and use CPAU to launch process (also it
loads correct env and other staff). In most cases it works well, but
when it create a process after user logoff (and now system in logon
screen) it fails with error 233.

How to reproduce it:
1. Logon as console user (session 0)
2. Switch user (logon screen, session 0)
3. Logon another user (session 1) (CreateProcessAsUser succeeded)
4. Logoff another user (logon screen, session 2) (CreateProcessAsUser
fails, 233)

In my sample i'm trying to launch calc.exe, and in Vista it works
well, problem appears only with the Windows XP with FUS.

Firstly i thought that there is no csrss in the temporary session for
the logon screen (and there is an RPC error), but it present and
winlogon somehow starts logonui.exe, so it is possible, i think...

Also i tried several ways to get primary token while logon screen:
1. OpenProcessToken(CurrentProcess) + DuplicateTokenEx +
SetTokenInformation(ConsoleSessionId).
2. OpenProcessToken("Winlogon.exe on active session") +
DuplicateTokenEx + SetTokenInformation(ConsoleSessionId).
3. OpenProcessToken("logonui.exe on active session") +
DuplicateTokenEx + SetTokenInformation(ConsoleSessionId).

No luck - i successfully get primary token in any way, but CPAU fails
with 233.

Anyone else seen a similar issue, or know why this is happening? If
it
helps, i can upload a sample to reproduce this behavior...

Thanks.

--
Andrew Solodovnikov

andr...@gmail.com

unread,
Sep 17, 2007, 7:06:43 PM9/17/07
to
I'm having the exact problem creating a process on the winlogon
desktop in sessions > 0. Works on Vista. Fails on XP.

When a user logs off, XP creates a new winlogon desktop in a new
session. Creating a process on that desktop fails with either:
"no process on the other end of the pipe", OR "system cannot find the
file specified"

Strangely, it works on session 0 even with no interactive user. It
only fails on the winlogon desktop sessions > 0, so something is
different about the Session 0 desktop. The session that is created
for that new winlogon desktop is missing something. What? Have you
found a solution or workaround?

Thomas Graefenhain

unread,
Oct 30, 2007, 11:41:02 AM10/30/07
to
Hi,

now we are three ;-). I've the same problems here and didn't find any
solution. Are your problems solved right now?

Thanks

Thomas Graefenhain

unread,
Nov 2, 2007, 8:14:00 AM11/2/07
to
Hi,

I've debugged a little bit with kernel the debugger, and have found the
problem: CreateProcessAsUser uses internally when creating a process in an
other session the Function CreateRemoteProcessW from ADVAPI32.DLL. This
function opens a pipe with the name
"\\.\Pipe\TerminalServer\SystemExecSrvr\%d" where %d is the SessionID and
sending the request over to csrss.exe. And now the problem. After logging off
from a session other than 0 crrss.exe does not create this pipe or
CreateRemoteProcessW is not able to read the pipe. CreateRemoteProcessW is
able to open the pipe and write to it. Is here anyone from MS listening and
can tell me what to do to get this pipe?

Thanks in advance
Thomas Graefenhain

Orin

unread,
Nov 8, 2007, 11:35:40 PM11/8/07
to
On Nov 2, 4:14 am, Thomas Graefenhain

Another way of reproducing this problem is to make an RDP connection
to the machine and try to create a process in the new console
session . 233 error.

FileMon indicates that a connection is made to a pipe - \\.\Pipe
\TerminalServer\<encoded name>\%d". Winlogon.exe reads the pipe then
seems to close it without replying. I haven't bothered trying to
decode the 'encoded name'.

The only way around this that is likely to work is to inject a code
into some process in the new session and have it create the process
for you... and CreateRemoteThread won't do it for you as it won't work
across sessions.

Orin.


johnmarks

unread,
May 4, 2010, 4:02:58 PM5/4/10
to
I have the exact same problem. I have my program creating processes using CreateProcessAsUser on Vista/Win7 just fine. I have a lot of customers on XP, so I need to support creating processes on different sessions. But as you all know, login out from a non-zero TerminalServices session will not allow CPAU to work.

Did anyone here in this thread ever get this to work? Did you find a nice workaround?

Thanks,
John

Orin wrote:

Re: CreateProcessAsUser from service fails with 233 (FUS, Windows XP)
08-Nov-07

Orin.

Previous Posts In This Thread:

On Wednesday, August 15, 2007 8:14 PM
blackbor wrote:

CreateProcessAsUser from service fails with 233 (FUS, Windows XP)

Thanks.

--
Andrew Solodovnikov

On Monday, September 17, 2007 7:06 PM
andrewb wrote:

On Tuesday, October 30, 2007 11:41 AM
ThomasGraefenhai wrote:

Hi,now we are three ;-).
Hi,

now we are three ;-). I have the same problems here and did not find any


solution. Are your problems solved right now?

Thanks

On Friday, November 02, 2007 8:14 AM
ThomasGraefenhai wrote:

Hi,I've debugged a little bit with kernel the debugger, and have found the
Hi,

I've debugged a little bit with kernel the debugger, and have found the
problem: CreateProcessAsUser uses internally when creating a process in an
other session the Function CreateRemoteProcessW from ADVAPI32.DLL. This
function opens a pipe with the name
"\\.\Pipe\TerminalServer\SystemExecSrvr\%d" where %d is the SessionID and
sending the request over to csrss.exe. And now the problem. After logging off
from a session other than 0 crrss.exe does not create this pipe or
CreateRemoteProcessW is not able to read the pipe. CreateRemoteProcessW is
able to open the pipe and write to it. Is here anyone from MS listening and
can tell me what to do to get this pipe?

Thanks in advance
Thomas Graefenhain

On Thursday, November 08, 2007 11:35 PM
Orin wrote:

Re: CreateProcessAsUser from service fails with 233 (FUS, Windows XP)

Orin.


Submitted via EggHeadCafe - Software Developer Portal of Choice
Get Silverlight 4 Installed: Tips and Tricks
http://www.eggheadcafe.com/tutorials/aspnet/05910e41-3846-4db9-8e1b-f54c56a64ed9/get-silverlight-4-install.aspx

Orin

unread,
May 4, 2010, 5:20:56 PM5/4/10
to
On May 4, 1:02 pm, John Marks wrote:
> I have the exact same problem. I have my program creating processes using CreateProcessAsUser on Vista/Win7 just fine. I have a lot of customers on XP, so I need to support creating processes on different sessions. But as you all know, login out from a non-zero TerminalServices session will not allow CPAU to work.
>
> Did anyone here in this thread ever get this to work? Did you find a nice workaround?

Try this:

If you get ERROR_FILE_NOT_FOUND, wait a little while and try again.

If you get ERROR_PIPE_NOT_CONNECTED, use CreateRemoteSessionProcessW -
you'll have to search for it, it's not officially documented.

Orin.

jettagozoom

unread,
May 7, 2010, 11:54:31 AM5/7/10
to

Orin, thanks for the reply. But calling CreateRemoteSessionProcessW
does not work. The problem, as mentioned above, is that the read of
the pipe from the TerminalServer fails with error 233. The read of the
pipe is in the CreateRemoteSessionProcessW function, so using that
function does not work. The write of the marshaled request to the TS
works just fine - it's the read that fails.

I know this works great on Win7, since this part of the code was
largely tuned up and re-written. Did you ever get this problem working
on XP? And if by calling CreateRemoteSessionProcessW worked for you,
how did you get the pipe read to work?

Thanks,
John

Orin

unread,
May 7, 2010, 6:34:24 PM5/7/10
to


It can take a while (seconds) after a session is created before the
pipe is available, so try a few times with a delay between tries.

The best I have is below, called from a service running in session 0.
I do this to start a process in the console session on
WTS_CONSOLE_CONNECT (all OS) and on WTS_SESSION_LOGOFF (Vista onwards
- YMMV with your process as to behaviour on logoff to stop the OS
whining about processes still being around when a session is
destroyed).

Hopefully the code doesn't get too mangled.

Orin.

int tries = 0;
BOOL bUseCreateRemoteSessionProcess = FALSE;
// dwSessionID is the session in which the process should be
created
// verInfo is an OSVERSIONINFO
retry:
if ( bUseCreateRemoteSessionProcess )
result = CreateRemoteSessionProcessW(...);
else
result = CreateProcessAsUser(...);

if ( !result )
{
int err = GetLastError();
if ( (err == ERROR_FILE_NOT_FOUND || err ==
ERROR_PIPE_NOT_CONNECTED) && ++tries <= 5 )
{
// Log the failure
Sleep(500);
if ( err == ERROR_PIPE_NOT_CONNECTED &&
dwSessionId && // CreateRemoteSessionProcessW
doesn't work for Session 0
verInfo.dwMajorVersion < 6 ) // XP only
{
bUseCreateRemoteSessionProcess = TRUE;
}
goto retry;
}
}

Reply all
Reply to author
Forward
0 new messages