From: Richard Hartman [rhartman@realresume.com]
Sent: Tuesday, August 17, 1999 9:15 PM
To: Blair Murri
Cc: 'ntdev@atria.com'
Subject: RE: [ntdev] NT Services and their environment

At 06:56 PM 08/17/1999 -0600, Blair Murri wrote:
> GetTempPath reports the value of TMP or TEMP environment vars, and
> returns the windows directory if neither of these is found. For all users,
> with default installations of NT, both of these are set on a per-user basis
> by including them in the user's hive, and these are read out of the user's
> hive and set when WinLogon and GINA.DLL are setting up the user's shell. I
> don't know if services have the luxury of having their hive loaded, but they
> certainly don't have the per-user environment vars set up.

Agreed, but I thought there would be a system-level variable for this. Apparently not, so it defaults to %SystemRoot%. Nasty. I'll try setting it as a System Environment variable and see if that affects the LocalSystem account.

>> 2) The service is denied access to the windowstation and desktop objects
>> "winsta0" and "default"....
> This is "by design". You need to add the user-instance token that
> the service has to the permissions list of the windowstation and desktop
> objects, allowing all permissions, for that to work. Open them for the
> minimum permissions needed to change the DACL, change it, then try again.

You're thinking of the flag which can be passed to CreateService(), correct? The docs suggest that it only works for the LocalSystem account; I'm beginning to suspect it may not be possible to give a non-LocalSystem account access to the winstation and desktop. When the process is created, its parent (the operating system) would have to explicitly grant access to both objects - it's not something that the process can do for itself because it won't have DACL access. The docs seem to suggest that the operating system is willing to do that only for the LocalSystem account.

RLH