How to execute an application on Windows through salt?

[ping]

Hi every, i have a linux master and a windows minion and everything is OK. Then I want to launch an windows application by running a bat script on the master side.

The file is like this: /srv/salt/win/script/autorun.bat

@echo off

start "eclipse" "D:\Program Files\eclipse\eclipse.exe"

exit

I run the command

salt "minion-name" cmd.srcipt salt//win/script/autorun.bat

Then I can see eclipse.exe in the task manager window, but no eclipse UI shows. Why there isn't UI? 

I'm new to saltstack, Could you tell me  the reason? Appreciate any suggestion. Thanks.

[ping]

And I noticed that the user name of the eclipse.exe in task manager window is SYSTEM, but not me.

[David Boucha]

Ping,

The problem here is that for security reasons by default the system user doesn't have access to interact with the desktop. If you look at the salt-minion's service properties there might be an option to enable "Allow interaction with the desktop" or something like that. You might try checking that option and restarting the service and seeing if that works.

Let me know how that goes!

--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

--

Dave Boucha  |  Sr. Engineer

Join us at SaltConf, Jan. 28-30, 2014 in Salt Lake City. www.saltconf.com

5272 South College Drive, Suite 301 | Murray, UT 84123
office 801-305-3563
da...@saltstack.com | www.saltstack.com

[Mrten]

On 14/11/2013 19:28 , David Boucha wrote:
> Ping,
>
> The problem here is that for security reasons by default the system user
> doesn't have access to interact with the desktop. If you look at the
> salt-minion's service properties there might be an option to enable
> "Allow interaction with the desktop" or something like that. You might
> try checking that option and restarting the service and seeing if that
> works.

Might not be the most secure advice around. MS explicitly warns against
doing that:

http://msdn.microsoft.com/en-us/library/windows/desktop/ms683502%28v=vs.85%29.aspx

Caution Services running in an elevated security context, such as the
LocalSystem account, should not create a window on the interactive
desktop because any other application that is running on the interactive
desktop can interact with this window. This exposes the service to any
application that a logged-on user executes.


And, the option does not exist since vista, says superuser:

http://superuser.com/questions/415204/how-do-i-allow-interactive-services-in-windows-7


Isn't there a sudo ('runas') in windows that ping can use and bypass
this restriction in a more secure way?

M.

[ping]

Thanks David, I have tried "Allow interaction with the desktop" option and seen the interactive GUI successfully. 

[Weston McNamee]

ping <maping.cn@...> writes:

>
>
> Thanks David, I have tried "Allow interaction with the desktop" option
and seen the interactive GUI successfully. On Friday, November 15, 2013
2:28:07 AM UTC+8, David Boucha wrote:
> Ping,
> The problem here is that for security reasons by default the system
user doesn't have access to interact with the desktop. If you look at
the salt-minion's service properties there might be an option to enable
"Allow interaction with the desktop" or something like that. You might
try checking that option and restarting the service and seeing if that
works.
>
> Let me know how that goes!
>
>
> On Thu, Nov 14, 2013 at 7:46 AM, ping <mapi...-
Re5JQEeQqe8...@public.gmane.org> wrote:
> And I noticed that the user name of the eclipse.exe in task manager
window is SYSTEM, but not me.
> On Thursday, November 14, 2013 10:08:57 PM UTC+8, ping wrote:Hi every,
i have a linux master and a windows minion and everything is OK. Then I
want to launch an windows application by running a bat script on the
master side.
>
>
> The file is like this: /srv/salt/win/script/autorun.bat
>

> <at> echo off

> start "eclipse" "D:\Program Files\eclipse\eclipse.exe"
> exit
>
>
>
> I run the command
>
> salt "minion-name" cmd.srcipt salt//win/script/autorun.bat
>
> Then I can see eclipse.exe in the task manager window, but no eclipse
UI shows. Why there isn't UI? 
>
> I'm new to saltstack, Could you tell me  the reason? Appreciate any
suggestion. Thanks.
>
>

I believe this problem would be easier dealt with if Salt implemented
"runas" for windows. I've posted an issue for this already. Addition
support may help get this feature implemented quicker.

https://github.com/saltstack/salt/issues/16340

[Markus Kramer]

I support Westons request to implement "runas" for Windows.

I have no need for a graphical user interaction, but need to change the user to interact with a service.
How do I workaround?


Test script

#
# Write the name and home share of the identity that runs the salt-minion locally
#
whoAmI:
  cmd.run:
    - name: "echo %USERNAME% %USERPROFILE%"

whoAmI-change-user:
  cmd.run:
    - user: markus
    - name: "echo %USERNAME% %USERPROFILE%"


Result of script



          ID: whoAmI
    Function: cmd.run
        Name: echo %USERNAME% %USERPROFILE%
      Result: True
     Comment: Command "echo %USERNAME% %USERPROFILE%" run
     Changes:  
              ----------
              pid:
                  3804
              retcode:
                  0
              stderr:
                 
              stdout:
                  MBOX$ C:\Windows\system32\config\systemprofile
----------
          ID: whoAmI-change-user
    Function: cmd.run
        Name: echo %USERNAME% %USERPROFILE%
      Result: False
     Comment: Sorry, Windows does not support runas functionality
     Changes:

[Mike A]

I tried enabling the "Allow interaction with the desktop" but the Interactive Services Detection window keeps on showing. I tried disable that as well but same results.

Anyone here experienced the same thing or willing to help me? 

Thanks! :)

[Mike A]

Anyone here willing to help? :)

[John Simmons]

I know this is incredibly old, but this is the number one post that came up when searching for how to run GUI applications on a windows minion.  The solution if the Interactive Services won't work for you, is to download PSExec, and run the command similar to:

   salt '*' cmd.run "PSExec.exe -accepteula -d -i 1 C:\Path\to\executable"

[Shane Lee]

This is not the way Salt is intended to work. Salt is designed to execute `one off` commands remotely and then return their success. Salt waits for the program it launched to end before returning the result. The problem with programs like notepad (or an installer that pops up a dialog box) is that the salt-minion process will wait for the program to close before returning success or failure. This is a problem when salt is running as a service. The dialog/screen is not shown and the salt-minion process appears to hang. The PSExec alternative could work as long as ithe psexec.exe launches the program and then closes. Salt would then report success.

You could also use `cmd.run_bg` which will launch the executable and just return without verifying that the process ended successfully.

As far as `Runas` on Windows, I believe that was implemented in the 2016.3 branch.

I guess the short answer would be to NOT launch applications that require user interaction with Salt.

[Shane Lee]

All of these options (including PSExec) would still be affected by the salt-minion running as a service. The screen would not be displayed unless the service was allowed to 'interact' with the desktop.