Using smartcards in a service - SCardAccessStartedEvent
Dear all,
After migrating our core development platform to Windows Vista, one of our Windows services that uses smartcards is failing.
We have debugged the problem and found that the event provided by the function SCardAccessStartedEvent does not receive notification. This event is supposed to signal when the SmartCard Resource Manager starts. As we have a WaitForSingleObject(event,INFINITE), the service hangs.
Testing the same service as an ordinary executable (registering with -regserver), I can see it works properly. In XP it works properly both as an executable and as a service.
I have read something about Service Hardening in Vista and I guess it may be caused by privilege reduction. So, I've created some code to enumerate the existing privileges when the application is launched as an executable and as a service. These are the results:
COMSERVER registered with -REGSERVER:
PrivilegeName[SeIncreaseQuotaPrivilege]=Disabled
PrivilegeName[SeSecurityPrivilege]=Disabled
PrivilegeName[SeTakeOwnershipPrivilege]=Disabled
PrivilegeName[SeLoadDriverPrivilege]=Disabled
PrivilegeName[SeSystemProfilePrivilege]=Disabled
PrivilegeName[SeSystemtimePrivilege]=Disabled
PrivilegeName[SeProfileSingleProcessPrivilege]=Disabled
PrivilegeName[SeIncreaseBasePriorityPrivilege]=Disabled
PrivilegeName[SeCreatePagefilePrivilege]=Disabled
PrivilegeName[SeBackupPrivilege]=Disabled
PrivilegeName[SeRestorePrivilege]=Disabled
PrivilegeName[SeShutdownPrivilege]=Disabled
PrivilegeName[SeDebugPrivilege]=Disabled
PrivilegeName[SeSystemEnvironmentPrivilege]=Disabled
PrivilegeName[SeChangeNotifyPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeRemoteShutdownPrivilege]=Disabled
PrivilegeName[SeUndockPrivilege]=Disabled
PrivilegeName[SeManageVolumePrivilege]=Disabled
PrivilegeName[SeImpersonatePrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeCreateGlobalPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeIncreaseWorkingSetPrivilege]=Disabled
PrivilegeName[SeTimeZonePrivilege]=Disabled
PrivilegeName[SeCreateSymbolicLinkPrivilege]=Disabled
COMSERVER registered with -SERVICE:
PrivilegeName[SeAssignPrimaryTokenPrivilege]=Disabled
PrivilegeName[SeLockMemoryPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeIncreaseQuotaPrivilege]=Disabled
PrivilegeName[SeTcbPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeSecurityPrivilege]=Disabled
PrivilegeName[SeTakeOwnershipPrivilege]=Disabled
PrivilegeName[SeLoadDriverPrivilege]=Disabled
PrivilegeName[SeSystemProfilePrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeSystemtimePrivilege]=Disabled
PrivilegeName[SeProfileSingleProcessPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeIncreaseBasePriorityPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeCreatePagefilePrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeCreatePermanentPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeBackupPrivilege]=Disabled
PrivilegeName[SeRestorePrivilege]=Disabled
PrivilegeName[SeShutdownPrivilege]=Disabled
PrivilegeName[SeDebugPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeAuditPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeSystemEnvironmentPrivilege]=Disabled
PrivilegeName[SeChangeNotifyPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeUndockPrivilege]=Disabled
PrivilegeName[SeManageVolumePrivilege]=Disabled
PrivilegeName[SeImpersonatePrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeCreateGlobalPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeIncreaseWorkingSetPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeTimeZonePrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeCreateSymbolicLinkPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
Do you have any idea about this strange behaviour of the SCardAccessStartedEvent function?
Thanks in advance
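
An added example, not part of the original post: a small parser for the `PrivilegeName[...]=...` dump format shown above that diffs the executable token against the service token, so the privilege-reduction guess can be checked line by line. The two embedded samples are a subset of the lines posted; the function names are hypothetical.

```python
import re

# Excerpts of the two dumps from the post (a subset of lines, copied as posted).
EXE_DUMP = """\
PrivilegeName[SeIncreaseQuotaPrivilege]=Disabled
PrivilegeName[SeDebugPrivilege]=Disabled
PrivilegeName[SeChangeNotifyPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeRemoteShutdownPrivilege]=Disabled
PrivilegeName[SeImpersonatePrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
"""
SVC_DUMP = """\
PrivilegeName[SeAssignPrimaryTokenPrivilege]=Disabled
PrivilegeName[SeIncreaseQuotaPrivilege]=Disabled
PrivilegeName[SeTcbPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeDebugPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeChangeNotifyPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeImpersonatePrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
"""

LINE = re.compile(r"^PrivilegeName\[(\w+)\]=(\S+)$")

def parse_dump(text):
    """Map privilege name -> True if enabled, False if present but disabled."""
    privs = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip section headers, separators and blank lines
        name, state = m.groups()
        # Flags are joined with '+'; match the exact flag, not the _BY_DEFAULT one.
        privs[name] = "SE_PRIVILEGE_ENABLED" in state.split("+")
    return privs

def diff_tokens(exe, svc):
    """Privileges only in one token, and those whose enabled state differs."""
    return {
        "only_in_exe": sorted(exe.keys() - svc.keys()),
        "only_in_service": sorted(svc.keys() - exe.keys()),
        "state_changed": sorted(n for n in exe.keys() & svc.keys() if exe[n] != svc[n]),
    }

if __name__ == "__main__":
    result = diff_tokens(parse_dump(EXE_DUMP), parse_dump(SVC_DUMP))
    for kind, names in result.items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Pasting the full dumps into the two strings gives the complete comparison; a privilege absent from a token cannot be enabled at run time, while one listed as Disabled can.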

