> To make things clear, how to check if a Win32 exe is currently running
> as an NT service:
> 1.) Check if the SID (security ID) of the current process is "S-1-5-18",
> i.e. the so-called LOCALSYSTEM account. This changes if you configure
> your service (in the services control panel) to run on a different
> account.
> 2.) Check if the parent process of your service is "services.exe", the
> service control manager.
> 3.) Check if the parent process of this parent process is
> "winlogon.exe".

There is a more reliable way. For example:

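#include <windows.h>
#include <malloc.h>     /* _alloca */
#include <wchar.h>      /* wcsstr */

/* 1: "runs as service", 0: "runs interactively", -1: fatal error */
static int isservice(void)
{
    HWINSTA h;
    DWORD len = 0;
    WCHAR *str;

    GetDesktopWindow();     /* yes, return value is ignored */
    h = GetProcessWindowStation();
    if (h == NULL)
        return -1;          /* fatal error, or return 1 "runs as service" */
    /* first call only asks for the required buffer size in bytes */
    if (GetUserObjectInformationW(h, UOI_NAME, NULL, 0, &len) ||
        GetLastError() != ERROR_INSUFFICIENT_BUFFER)
        return -1;          /* fatal error, or return 1 "runs as service" */
    str = (WCHAR *)_alloca(len + sizeof(WCHAR));
    if (!GetUserObjectInformationW(h, UOI_NAME, str, len, &len))
        return -1;          /* fatal error, or return 1 "runs as service" */
    str[len / sizeof(WCHAR)] = L'\0';   /* paranoia */
    if (wcsstr(str, L"Service-0x"))
        return 1;           /* runs as service */
    return 0;   /* runs interactively; includes services interacting
                   with real winstation[s] */
}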

As for "fatal error." If returning "runs as service" triggers the most
conservative code path, then one can as well return "runs as service."
As for "includes services interacting with real winstation[s]." By the
time such a service starts, it's most likely already ok to make the call
guarded by this isservice function. Otherwise I can think of some finer
way... Another problem might be that the desktop in question is hidden and
therefore does not "contain" any entropy, if we ought to look at things
like top-most window and cursor position...

A.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
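
Added example, not part of the original message or of OpenSSL: a stricter, portable parser for the window station name that the snippet above tests with wcsstr. It goes beyond the message by assuming the documented name format "Service-0x<hi>-<lo>$" (the logon session LUID) and the winnt.h SYSTEM_LUID low part 0x3e7, which ties the name check to the LOCALSYSTEM check in the quoted text; classify_winsta, is_localsystem_session and the enum are hypothetical names.

```c
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

/* Hypothetical names; the name strings passed in are supplied by the caller. */
enum winsta_kind { WINSTA_INTERACTIVE, WINSTA_SERVICE, WINSTA_UNKNOWN };

#define LUID_SYSTEM_LOW 0x3e7UL   /* SYSTEM_LUID low part (winnt.h) */

/* Accepts exactly "WinSta0" or "Service-0x<hex>-<hex>$".
 * On WINSTA_SERVICE, *hi and *lo receive the logon session LUID parts.
 * Anything else is WINSTA_UNKNOWN so the caller can pick the
 * conservative path instead of guessing. */
enum winsta_kind classify_winsta(const wchar_t *name,
                                 unsigned long *hi, unsigned long *lo)
{
    static const wchar_t prefix[] = L"Service-0x";
    const size_t plen = sizeof(prefix) / sizeof(prefix[0]) - 1;
    wchar_t *end;

    if (name == NULL)
        return WINSTA_UNKNOWN;
    if (wcscmp(name, L"WinSta0") == 0)
        return WINSTA_INTERACTIVE;
    /* Prefix must be at the start, unlike a wcsstr() substring match. */
    if (wcsncmp(name, prefix, plen) != 0)
        return WINSTA_UNKNOWN;
    name += plen;
    if (!iswxdigit((wint_t)name[0]))      /* reject sign or whitespace */
        return WINSTA_UNKNOWN;
    *hi = wcstoul(name, &end, 16);
    if (end[0] != L'-' || !iswxdigit((wint_t)end[1]))
        return WINSTA_UNKNOWN;
    *lo = wcstoul(end + 1, &end, 16);
    if (end[0] != L'$' || end[1] != L'\0') /* must end with '$' */
        return WINSTA_UNKNOWN;
    return WINSTA_SERVICE;
}

/* 1 if the name denotes the LocalSystem logon session's window station. */
int is_localsystem_session(const wchar_t *name)
{
    unsigned long hi = 0, lo = 0;

    return classify_winsta(name, &hi, &lo) == WINSTA_SERVICE &&
           hi == 0 && lo == LUID_SYSTEM_LOW;
}
```

On Windows the name would come from GetUserObjectInformationW with UOI_NAME, as in the message's snippet.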