Where are my user certificates installed when doing it under a Windows service?


I am trying to add certificates into a certificate store for the currently logged-in user. All of this must be done under a service (run with the LocalSystem account). The problem I faced is that (although I debugged the service source code successfully) when I check the certificate store using MMC (Microsoft Management Console), none of my certificates could be found. I searched through all the instances of certificate stores (current user, current service and local machine).
I tested the part of the code responsible for installing certificates into the intended store, using another normal Windows MFC test application, and all the things worked OK!

The important functions I used in my service are: CertAddCertificateContextToStore and CertOpenStore. I examined various options for the important 'dwFlags' parameter of the 'CertOpenStore' function according to MSDN, but in no case did I find the certificates. I even checked the paths in the registry referred to by MSDN, pertinent to certificate store locations.

Use a separate process which runs under the currently logged-on user and launch it from the Windows service. You must use something like CreateProcessAsUser() or CreateProcessWithTokenW() to launch it.

Not tested, but you should also check the ImpersonateLoggedOnUser() function if you don't want a separate process:

Thank you modoran

But how can we get the currently logged-in user when we are in the context of another user (here LocalSystem) in the service? This is not easy to find, and I checked the internet to find an answer for it, but I failed.
Under the service, all the things change and even 'HKEY_CURRENT_USER' in the registry refers to the new user context.
This is my main problem, and until I find an understandable answer for it, I cannot continue. After that, we should find a way to produce or retrieve a token handle assigned to the current user to be able to use the aforementioned functions for creating processes.
It is surprising for the 'Certificate Propagation' service from Windows that does this for the current user. But the way behind this service is unclear, at least for me.

The steps are these:
1. Get a primary process (OpenProcessToken) - usually explorer.exe or winlogon.exe is the best candidate.
2. Create a primary copy of this token (DuplicateTokenEx)
3. Modify session id of the replica (SetTokenInformation).
4. Create a new temporary process using that token with CreateProcessAsUser.

Read this for more information:



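An added example, not code from any poster in this thread: one way for a LocalSystem service to start a helper in the console user's context, so that the helper's certificate calls reach that user's store. It obtains the user's token with the documented WTSQueryUserToken call instead of copying a token from explorer.exe as in the steps above. The function name and the helper command line are hypothetical, and the non-Windows branch is only there so the file compiles elsewhere.

```c
#ifdef _WIN32
#include <windows.h>
#include <wtsapi32.h>   /* link with wtsapi32.lib */
#include <userenv.h>    /* link with userenv.lib */
#else                   /* stand-ins so the file compiles off Windows */
#include <stddef.h>
typedef unsigned long DWORD;
typedef wchar_t WCHAR;
#define ERROR_INVALID_PARAMETER    87UL
#define ERROR_CALL_NOT_IMPLEMENTED 120UL
#endif

/* cmdline: writable command line of the (hypothetical) helper program that
   installs the certificate. Returns 0 on success, else a Win32 error code. */
DWORD run_as_console_user(WCHAR *cmdline)
{
    if (cmdline == NULL || cmdline[0] == L'\0')
        return ERROR_INVALID_PARAMETER;
#ifdef _WIN32
    DWORD err = 0;
    DWORD session = WTSGetActiveConsoleSessionId();
    HANDLE token = NULL;
    void *env = NULL;
    STARTUPINFOW si = { sizeof si };
    PROCESS_INFORMATION pi = { 0 };

    if (session == 0xFFFFFFFF)               /* nobody is at the console */
        return ERROR_NO_SUCH_LOGON_SESSION;
    if (!WTSQueryUserToken(session, &token)) /* needs SE_TCB_NAME; LocalSystem has it */
        return GetLastError();
    if (!CreateEnvironmentBlock(&env, token, FALSE)) /* the user's own environment */
        err = GetLastError();
    si.lpDesktop = L"winsta0\\default";
    if (!err && !CreateProcessAsUserW(token, NULL, cmdline, NULL, NULL, FALSE,
                                      CREATE_UNICODE_ENVIRONMENT | CREATE_NO_WINDOW,
                                      env, NULL, &si, &pi))
        err = GetLastError();
    if (!err) {
        WaitForSingleObject(pi.hProcess, 30000); /* bounded wait: do not stall the service */
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    if (env) DestroyEnvironmentBlock(env);
    CloseHandle(token);
    return err;
#else
    return ERROR_CALL_NOT_IMPLEMENTED;
#endif
}
```

The token returned by WTSQueryUserToken is already a primary token for the user's session, so no duplication or session-id change is needed before CreateProcessAsUserW.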