
Thread: Security operations (LSA)

  1. #1
    Join Date
    Nov 2012
    Posts
    19

    Security operations (LSA)

    I need to set a local account right. This uses the advapi32 LsaOpenPolicy(), LookupAccountNameA(), and LsaAddAccountRights().

    I cannot figure out how to accurately prototype and use these functions. I've gone through a couple of incantations, but am stymied by the very first method, LsaOpenPolicy() -- the behavior is that upon making the invocation, instead of returning, the function that contains this code is exited -- if I didn't know any better, I would suspect the invocation gets an exception, which is trapped by IS, which then cleans up. So I have very little visibility as to what is going on.

    This is being done inside a Basic MSI project.

    The prototypes (currently) look like this:

    Code:
    prototype LONG AdvApi32.LookupAccountNameA(BYREF STRING, BYREF STRING, BYREF STRING, BYREF INT, BYREF STRING, BYREF STRING, BYREF INT);
    prototype LONG AdvApi32.LsaAddAccountRights(POINTER, BYREF STRING, POINTER, LONG);
    prototype LONG AdvApi32.LsaClose(POINTER);
    prototype LONG AdvApi32.LsaOpenPolicy(BYREF STRING, POINTER, LONG, POINTER);
    The invoking code (currently) looks like this:

    Code:
            nvOSResult = LsaOpenPolicy(IS_NULLSTR_PTR, &array, POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES, &pPolicy);
            if (nvOSResult == 0) then
                szSIDsize = 255;
                // lookup on local machine -- this *might* have to change?
                nvOSResult = LookupAccountNameA(IS_NULLSTR_PTR, szUsername, szSID, szSIDsize, IS_NULLSTR_PTR, IS_NULLSTR_PTR, szUse);
                if (nvOSResult != 0) then
                    unicode(0) = "SeServiceLogonRight";
                    nvOSResult = LsaAddAccountRights(pPolicy, szSID, unicode, 1);
                    if (nvOSResult != 0) then
                        _Logger(hMSI, methodName, "Failed to add service logon rights", INFORMATION, FALSE);
                    endif;
                else
                    _Logger(hMSI, methodName, "Failed to lookup account name to establish service logon rights", INFORMATION, FALSE);
                endif;
                LsaClose(pPolicy);
            else
                _Logger(hMSI, methodName, "Failed to open the LSA policy to establish service logon rights", INFORMATION, FALSE);
            endif;
    If anyone has had any success or experience with any of the LSA functions, please show me the way!

    Thanks,

    Wim

  2. #2
    Join Date
    Nov 2012
    Posts
    19

    Spent time on phone with support

    ... and they gave me a link to how to get the current username:

    http://kb.flexerasoftware.com/selfse...rnalId=Q105753

    This didn't work either (and it looks so simple -- can anyone get the above to work?). I get the same kind of result -- the custom action terminates -- no other notification, no error, no ability to catch an exception.

    Does anyone know how one might go about debugging this?

    Regards,

    Wim

  3. #3
    Join Date
    Nov 2012
    Posts
    19

    I might as well keep talking to myself

    I was able to catch the exception on GetUsernNameA() -- 80040703, which is "Failed to find DLL function". Since http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx tells me GetUserName() (and its ASCII variant) is in advapi32.dll -- what gives? Is the linkage incorrect?

    The DLL definition is:

    BOOL WINAPI GetUserName(
      _Out_    LPTSTR  lpBuffer,
      _Inout_  LPDWORD lpnSize
    );


    And using the prototype:

    prototype BOOL Advapi32.GetUsernNameA(BYREF STRING, BYREF NUMBER);
    and
    prototype BOOL Advapi32.GetUsernNameA(BYREF STRING, BYREF INT);

    both fail with the same exception.

    Please help me stop talking to myself.

    Wim

  4. #4
    Join Date
    Nov 2012
    Posts
    19

    So I removed the "sample" code provided in the KB article and simply forged ahead with LsaOpenPolicy().

    My prototype is:

    Code:
    prototype INT Advapi32.LsaOpenPolicy(BYREF WSTRING, POINTER, INT, POINTER);
    And the windows definition is:

    Code:
    NTSTATUS LsaOpenPolicy(
      _In_     PLSA_UNICODE_STRING SystemName,
      _In_     PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
      _In_     ACCESS_MASK DesiredAccess,
      _Inout_  PLSA_HANDLE PolicyHandle
    );
    When I execute, I get an exception 0x80020005 -- which is "type mismatch". My call is actually:

    Code:
        POINTER pPolicy;
        LONG array(12);
        INT i;
    
    ...
    
        i = POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES;
        nvOSResult = LsaOpenPolicy(IS_NULLSTR_PTR, array, i, pPolicy);
    Anyone have an idea which type is mismatching?

    Thanks,

    Wim
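For comparison, the same LsaOpenPolicy / LookupAccountName / LsaAddAccountRights sequence from the first post, written with C# P/Invoke signatures. This is an added example, not code from the thread or from InstallShield: it shows what each argument actually is (a pointer to an LSA_UNICODE_STRING for SystemName, a zero-filled LSA_OBJECT_ATTRIBUTES, an out handle) and reads the account's rights back afterwards to confirm the grant. The account name `.\svc_example` is a constructed placeholder, and the program assumes it runs with administrative rights.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
// Added example: grant SeServiceLogonRight through the LSA API, then read the rights back to confirm.
static class LsaRights {
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_UNICODE_STRING { public ushort Length, MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]   // passed zero-filled; no field needs to be set
    struct LSA_OBJECT_ATTRIBUTES { public int Length; public IntPtr RootDirectory, ObjectName; public int Attributes; public IntPtr SecurityDescriptor, SecurityQualityOfService; }
    const int POLICY_CREATE_ACCOUNT = 0x10, POLICY_LOOKUP_NAMES = 0x800;
    // SystemName is a pointer to an LSA_UNICODE_STRING, not a plain string; NULL means the local machine.
    [DllImport("advapi32.dll")] static extern uint LsaOpenPolicy(IntPtr SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, int DesiredAccess, out IntPtr PolicyHandle);
    [DllImport("advapi32.dll")] static extern uint LsaAddAccountRights(IntPtr PolicyHandle, byte[] AccountSid, LSA_UNICODE_STRING[] UserRights, int CountOfRights);
    [DllImport("advapi32.dll")] static extern uint LsaEnumerateAccountRights(IntPtr PolicyHandle, byte[] AccountSid, out IntPtr UserRights, out int CountOfRights);
    [DllImport("advapi32.dll")] static extern uint LsaFreeMemory(IntPtr Buffer);
    [DllImport("advapi32.dll")] static extern uint LsaClose(IntPtr ObjectHandle);
    [DllImport("advapi32.dll")] static extern int LsaNtStatusToWinError(uint Status);
    // LSA calls return NTSTATUS, not a Win32 error code; translate before reporting.
    static void Check(uint status, string call) {
        if (status != 0) throw new Win32Exception(LsaNtStatusToWinError(status), call + " failed");
    }
    // Grants the right and returns true when it is visible on the account afterwards.
    public static bool GrantServiceLogon(string account) {
        // Same job as the LookupAccountNameA step in the thread: resolve the name to a binary SID.
        var sid = (SecurityIdentifier)new NTAccount(account).Translate(typeof(SecurityIdentifier));
        var sidBytes = new byte[sid.BinaryLength]; sid.GetBinaryForm(sidBytes, 0);
        var attrs = new LSA_OBJECT_ATTRIBUTES();
        Check(LsaOpenPolicy(IntPtr.Zero, ref attrs, POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES, out IntPtr policy), "LsaOpenPolicy");
        try {
            const string right = "SeServiceLogonRight";
            // LSA_UNICODE_STRING lengths are in bytes (UTF-16 code units * 2), not characters.
            var rights = new[] { new LSA_UNICODE_STRING { Length = (ushort)(right.Length * 2),
                MaximumLength = (ushort)((right.Length + 1) * 2), Buffer = Marshal.StringToHGlobalUni(right) } };
            try { Check(LsaAddAccountRights(policy, sidBytes, rights, 1), "LsaAddAccountRights"); }
            finally { Marshal.FreeHGlobal(rights[0].Buffer); }
            Check(LsaEnumerateAccountRights(policy, sidBytes, out IntPtr buf, out int count), "LsaEnumerateAccountRights");
            try {
                for (int i = 0; i < count; i++) {
                    var s = Marshal.PtrToStructure<LSA_UNICODE_STRING>(buf + i * Marshal.SizeOf<LSA_UNICODE_STRING>());
                    if (Marshal.PtrToStringUni(s.Buffer, s.Length / 2) == right) return true;
                }
                return false;
            } finally { LsaFreeMemory(buf); }   // LSA-allocated buffer, released through LSA
        } finally { LsaClose(policy); }
    }
    static void Main(string[] args) =>
        Console.WriteLine(GrantServiceLogon(args.Length > 0 ? args[0] : @".\svc_example") ? "granted" : "right not visible");
}
```

The read-back through LsaEnumerateAccountRights is the check worth keeping in an installer: a zero NTSTATUS from LsaAddAccountRights says the call was accepted, not that the account now holds the right.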

  5. #5
    Join Date
    Jul 2003
    Location
    Austin, TX
    Posts
    4,403
    This is a lot easier in C#:

    http://blog.iswix.com/2008/09/differ...e-problem.html


    That said, it's even easier if you use WiX to create a merge module that has the component for your service. (Assuming this is an MSI project.) WiX has built-in support for granting a service account the logon as service right. It fits into an InstallShield MSI quite nicely.
    Christopher Painter
    ISWIX, LLC.
    Visit iswix.com for contact information

