Using smartcards in a service - SCardAccessStartedEvent
Dear all,
Migrating our core development platform to Windows Vista, one of our Windows services using smartcards is failing.
We have debugged the problem and found that the event provided by the function ScardAccessStartedEvent does not receive notification. This event is supposed to signal when the SmartCard Resource Manager starts. As we have a WaitForSingleObject(event,INFINITE), the service hangs.
Testing the same service as an ordinary executable (registering with -regserver) I can see it works properly. In XP it works properly both as an executable and as a service.
I have read something about Service Hardening in Vista and I guess it may be caused by privilege reduction. So, I've created some code to enumerate the existing privileges when the application is launched as an executable and as a service. These are the results:
COMSERVER registered with -REGSERVER
-
PrivilegeName[SeIncreaseQuotaPrivilege]=Disabled
PrivilegeName[SeSecurityPrivilege]=Disabled
PrivilegeName[SeTakeOwnershipPrivilege]=Disabled
PrivilegeName[SeLoadDriverPrivilege]=Disabled
PrivilegeName[SeSystemProfilePrivilege]=Disabled
PrivilegeName[SeSystemtimePrivilege]=Disabled
PrivilegeName[SeProfileSingleProcessPrivilege]=Disabled
PrivilegeName[SeIncreaseBasePriorityPrivilege]=Disabled
PrivilegeName[SeCreatePagefilePrivilege]=Disabled
PrivilegeName[SeBackupPrivilege]=Disabled
PrivilegeName[SeRestorePrivilege]=Disabled
PrivilegeName[SeShutdownPrivilege]=Disabled
PrivilegeName[SeDebugPrivilege]=Disabled
PrivilegeName[SeSystemEnvironmentPrivilege]=Disabled
PrivilegeName[SeChangeNotifyPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeRemoteShutdownPrivilege]=Disabled
PrivilegeName[SeUndockPrivilege]=Disabled
PrivilegeName[SeManageVolumePrivilege]=Disabled
PrivilegeName[SeImpersonatePrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeCreateGlobalPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeIncreaseWorkingSetPrivilege]=Disabled
PrivilegeName[SeTimeZonePrivilege]=Disabled
PrivilegeName[SeCreateSymbolicLinkPrivilege]=Disabled
COMSERVER registered with -SERVICE
--
PrivilegeName[SeAssignPrimaryTokenPrivilege]=Disabled
PrivilegeName[SeLockMemoryPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeIncreaseQuotaPrivilege]=Disabled
PrivilegeName[SeTcbPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeSecurityPrivilege]=Disabled
PrivilegeName[SeTakeOwnershipPrivilege]=Disabled
PrivilegeName[SeLoadDriverPrivilege]=Disabled
PrivilegeName[SeSystemProfilePrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeSystemtimePrivilege]=Disabled
PrivilegeName[SeProfileSingleProcessPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeIncreaseBasePriorityPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeCreatePagefilePrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeCreatePermanentPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeBackupPrivilege]=Disabled
PrivilegeName[SeRestorePrivilege]=Disabled
PrivilegeName[SeShutdownPrivilege]=Disabled
PrivilegeName[SeDebugPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeAuditPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeSystemEnvironmentPrivilege]=Disabled
PrivilegeName[SeChangeNotifyPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeUndockPrivilege]=Disabled
PrivilegeName[SeManageVolumePrivilege]=Disabled
PrivilegeName[SeImpersonatePrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeCreateGlobalPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeIncreaseWorkingSetPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeTimeZonePrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
PrivilegeName[SeCreateSymbolicLinkPrivilege]=SE_PRIVILEGE_ENABLED+SE_PRIVILEGE_ENABLED_BY_DEFAULT
Do you have any idea about this strange behaviour of the ScardAccessStartedEvent function?
Thanks in advance
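Added example, not the poster's code: a Python/ctypes version of the privilege dump above, so the same check can be run from the interactive session and from inside the service and the two outputs compared line by line. It uses the documented Win32 calls OpenProcessToken, GetTokenInformation(TokenPrivileges) and LookupPrivilegeNameW; the function names privilege_attr_text, format_privileges and list_token_privileges are my own.

```python
import sys
import ctypes
from ctypes import c_void_p, c_ulong, c_long, byref, sizeof, Structure

# Attribute bits of LUID_AND_ATTRIBUTES and the token access right we need.
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x1
SE_PRIVILEGE_ENABLED = 0x2
SE_PRIVILEGE_REMOVED = 0x4
TOKEN_QUERY = 0x0008
TokenPrivileges = 3  # TOKEN_INFORMATION_CLASS value

class LUID(Structure):
    _fields_ = [("LowPart", c_ulong), ("HighPart", c_long)]

class LUID_AND_ATTRIBUTES(Structure):
    _fields_ = [("Luid", LUID), ("Attributes", c_ulong)]

def privilege_attr_text(attrs):
    """Render the attribute bits the way the post's output does ("Disabled" when none are set)."""
    names = [n for bit, n in ((SE_PRIVILEGE_ENABLED, "SE_PRIVILEGE_ENABLED"),
                              (SE_PRIVILEGE_ENABLED_BY_DEFAULT, "SE_PRIVILEGE_ENABLED_BY_DEFAULT"),
                              (SE_PRIVILEGE_REMOVED, "SE_PRIVILEGE_REMOVED")) if attrs & bit]
    return "+".join(names) if names else "Disabled"

def format_privileges(entries):
    """Turn [(name, attrs)] into the 'PrivilegeName[...]=...' lines shown in the post."""
    return ["PrivilegeName[%s]=%s" % (name, privilege_attr_text(attrs)) for name, attrs in entries]

def list_token_privileges():
    """Read the current process token's privileges (Windows only, documented Win32 calls)."""
    if sys.platform != "win32":
        raise OSError("requires Windows")
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = c_void_p
    advapi32.OpenProcessToken.argtypes = [c_void_p, c_ulong, c_void_p]
    advapi32.GetTokenInformation.argtypes = [c_void_p, c_ulong, c_void_p, c_ulong, c_void_p]
    token = c_void_p()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), TOKEN_QUERY, byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    needed = c_ulong()
    advapi32.GetTokenInformation(token, TokenPrivileges, None, 0, byref(needed))  # size query
    buf = ctypes.create_string_buffer(needed.value)
    if not advapi32.GetTokenInformation(token, TokenPrivileges, buf, needed.value, byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    count = c_ulong.from_buffer(buf).value  # TOKEN_PRIVILEGES.PrivilegeCount
    entries = (LUID_AND_ATTRIBUTES * count).from_buffer(buf, sizeof(c_ulong))
    result = []
    for e in entries:
        name_len = c_ulong(0)
        advapi32.LookupPrivilegeNameW(None, byref(e.Luid), None, byref(name_len))  # size query
        name = ctypes.create_unicode_buffer(name_len.value)
        advapi32.LookupPrivilegeNameW(None, byref(e.Luid), name, byref(name_len))
        result.append((name.value, e.Attributes))
    kernel32.CloseHandle(token)
    return result
```

Run `print("\n".join(format_privileges(list_token_privileges())))` once as the interactive executable and once from the service's startup code to get the two lists in the post's format.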
Hi,
I've been working on the issue and I have almost discarded anything to do with privileges.
Using Sysinternals Process Explorer to examine the event handles our application receives from ScardAccessStartedEvent in both XP and Vista, I've noticed relevant differences.
In the XP case, our application receives a '\BaseNamedObjects\Microsoft Smart Card Resource Manager Started' while in Vista we receive a '\BaseNamedObjects\TermSrvReadyEvent'. Therefore, it is normal that our application gets hung while waiting for the event, as it is a DIFFERENT event!
I've also noticed that, in Vista, the Windows smartcard component is hosted (loaded in svchost.exe) instead of being deployed in scardsvr.exe.
Does anyone know what's happening here? I can work around it by waiting for the new event by its name to solve the problem, but I would expect a "documented solution" for the issue.
Thanks in advance
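Added example, not the poster's code: a Python/ctypes diagnostic that reproduces the Process Explorer check above programmatically (NtQueryObject with ObjectNameInformation on the handle SCardAccessStartedEvent returns) and then waits with a bounded timeout instead of INFINITE, confirming the resource manager with SCardEstablishContext so the service never blocks on a mis-targeted event. The names describe_wait, handle_object_name and wait_for_resource_manager are my own; the Win32/winscard/ntdll calls are real.

```python
import sys
import ctypes
from ctypes import c_void_p, c_ulong, c_ushort, byref, Structure

WAIT_OBJECT_0 = 0x00000000
WAIT_TIMEOUT = 0x00000102
SCARD_SCOPE_SYSTEM = 2
SCARD_S_SUCCESS = 0
ObjectNameInformation = 1  # OBJECT_INFORMATION_CLASS value for NtQueryObject

class UNICODE_STRING(Structure):
    _fields_ = [("Length", c_ushort), ("MaximumLength", c_ushort), ("Buffer", c_void_p)]

def describe_wait(status):
    """Map a WaitForSingleObject result to the decision the service should take."""
    if status == WAIT_OBJECT_0:
        return "signaled"
    if status == WAIT_TIMEOUT:
        return "timeout"
    return "failed"  # WAIT_FAILED / WAIT_ABANDONED: do not keep waiting on this handle

def handle_object_name(handle):
    """Return the object-manager name behind a handle (what Process Explorer shows), Windows only."""
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtQueryObject.argtypes = [c_void_p, c_ulong, c_void_p, c_ulong, c_void_p]
    buf = ctypes.create_string_buffer(1024)  # OBJECT_NAME_INFORMATION plus its string storage
    ret = c_ulong()
    if ntdll.NtQueryObject(handle, ObjectNameInformation, buf, len(buf), byref(ret)) != 0:
        return None
    name = UNICODE_STRING.from_buffer(buf)
    return ctypes.wstring_at(name.Buffer, name.Length // 2) if name.Buffer else ""

def wait_for_resource_manager(timeout_ms=30000):
    """Bounded wait on the started event, then an independent liveness check (Windows only)."""
    if sys.platform != "win32":
        raise OSError("requires Windows")
    winscard = ctypes.WinDLL("winscard")
    kernel32 = ctypes.WinDLL("kernel32")
    winscard.SCardAccessStartedEvent.restype = c_void_p
    kernel32.WaitForSingleObject.argtypes = [c_void_p, c_ulong]
    event = winscard.SCardAccessStartedEvent()
    if not event:
        return "no-event", False
    print("started event object:", handle_object_name(event))  # compare XP vs Vista names
    outcome = describe_wait(kernel32.WaitForSingleObject(event, timeout_ms))
    winscard.SCardReleaseStartedEvent()
    ctx = c_void_p()
    rc = winscard.SCardEstablishContext(SCARD_SCOPE_SYSTEM, None, None, byref(ctx))
    if rc == SCARD_S_SUCCESS:
        winscard.SCardReleaseContext(ctx)
    return outcome, rc == SCARD_S_SUCCESS  # e.g. ("timeout", True): event wrong, manager up
```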