In other words, this test cannot work in all cases based upon the knowledge of the OpenSSL developers because the account under which the program executes is determined by the local system administrator OR the application developer.
All three of these tests would fail for my use of OpenSSL in Kermit. The parent process is an INETD equivalent and the SID is recommended to be an account with restricted privileges. Kermit (being a network service for remote users) also changes the account of the process to that of the logged-in end user once authentication is complete.
Now that we know how to fix the ToolHelp32 API to work on NT4 (use Unicode only) we can walk the process list and check all parents until we find either "services.exe" or "winlogon.exe". If we find "winlogon.exe" we know we are not a service. If we find "services.exe" we know we are a service. If we are in limbo we can check for the Local System account. If we find that we can assume we are a service. If we are still in limbo we would need to not attempt to use tests which might fail if running as a service.
- Jeff
Ingo A. Kubbilun wrote:
Hi,
to make things clear, how to check if a Win32 exe is currently running as an NT service:
1.) Check if the SID (security ID) of the current process is "S-1-5-18", i.e. the so-called LOCALSYSTEM account. This changes if you configure your service (in the services control panel) to run on a different account.
2.) Check if the parent process of your service is "services.exe", the service control manager.
3.) Check if the parent process of this parent process is "winlogon.exe".
I always use all three checks (a little bit paranoid) but it is sufficient to check the SID. You can bypass the 2nd and 3rd checks by passing NULL, thus:
IsService(NULL,NULL,"<SID string>")
At least, the 3rd parameter must be fixed at link time or check #1 will fail at run time. Just pass the same SID that you are using in the installation procedure of your service. The default account is always LOCALSYSTEM. As an alternative, you can just check if the parent process of your process is "services.exe", the Service Control Manager. All NT services run on behalf of the SCM. This is static on all Windows versions running services.
Rgs, Ingo.
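The parent walk with the Local System fallback described in the reply above, as an added example that is not code from this thread or from OpenSSL. It runs over a constructed process table standing in for a ToolHelp32 snapshot; the struct, the function names, the PIDs and the image names other than services.exe and winlogon.exe are assumptions, and the hop limit is an addition that keeps the walk finite when a recorded parent PID is stale or reused.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One snapshot row: the PROCESSENTRY32W fields the walk needs (constructed stand-in). */
struct proc { unsigned pid, ppid; const char *exe; };
enum verdict { NOT_SERVICE, IS_SERVICE, UNKNOWN };

/* Constructed sample table; all PIDs and the names other than
   services.exe and winlogon.exe are made up for illustration. */
static const struct proc SAMPLE[] = {
    {100,   4, "winlogon.exe"}, {200, 100, "SERVICES.EXE"},
    {300, 200, "inetd.exe"},    {310, 300, "worker.exe"},   /* started via an inetd-like parent */
    {400, 100, "userinit.exe"}, {410, 400, "explorer.exe"}, {420, 410, "tool.exe"},
    {500, 999, "orphan.exe"},                               /* parent PID no longer exists */
    {600, 601, "loopa.exe"},    {601, 600, "loopb.exe"},    /* reused PIDs forming a cycle */
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

static int name_eq(const char *a, const char *b) {  /* case-insensitive image-name compare */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static const struct proc *find(const struct proc *t, size_t n, unsigned pid) {
    for (size_t i = 0; i < n; i++)
        if (t[i].pid == pid) return &t[i];
    return NULL;
}

/* Walk the ancestors of `self`; fall back to the Local System SID when the walk is inconclusive. */
enum verdict classify(const struct proc *t, size_t n, unsigned self, const char *sid) {
    const struct proc *p = find(t, n, self);
    /* At most n hops: a recorded parent PID can be stale or reused, so the chain may dangle or loop. */
    for (size_t hops = 0; p && hops < n; hops++) {
        if (!(p = find(t, n, p->ppid))) break;
        if (name_eq(p->exe, "services.exe")) return IS_SERVICE;
        if (name_eq(p->exe, "winlogon.exe")) return NOT_SERVICE;
    }
    if (sid && strcmp(sid, "S-1-5-18") == 0) return IS_SERVICE;  /* in limbo, but Local System */
    return UNKNOWN;  /* caller should skip tests that may fail when running as a service */
}

int main(void) {
    static const char *label[] = {"not a service", "service", "unknown"};
    printf("worker: %s\n", label[classify(SAMPLE, SAMPLE_N, 310, "S-1-5-21-1-2-3-1001")]);
    printf("tool:   %s\n", label[classify(SAMPLE, SAMPLE_N, 420, "S-1-5-21-1-2-3-1001")]);
    printf("orphan: %s\n", label[classify(SAMPLE, SAMPLE_N, 500, "S-1-5-18")]);
    return 0;
}
```

The `worker.exe` row is the case raised in the reply: a restricted-account process under an inetd-like parent fails the SID check and the direct-parent check, but the full ancestor walk still reaches services.exe.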