1

I'm trying to understand the difference between how things are executed when running under an NT_AUTHORITY LOCAL SERVICE account that runs on startup, vs by the user. I have an executable that spawns a child process running rundll32.exe <SOME DLL NAME HERE>. When I run the exe as a user, or from the CLI, the DLL is loaded by rundll32.exe and everything works just fine (I'm having it just open calc.exe as an experiment). However, when I restart my machine and the exe is started up by a service, I see in Process Explorer that rundll32.exe is running, with all of the same arguments that I would expect it to spawn, but the results aren't the same: there's no calc.exe process that gets created as a result of the DLL being run. What are some things that I need to understand in order to figure out how this is working? And what are some other ways that I can experiment with loading an exe/DLL from a service that executes a child process in the same way that a user or CLI would?

Edit:

Likewise, I have another exe that I've created that loads a DLL directly (not spawning rundll32.exe and loading it like the above example), and when I click it as a user to run it, the exe loads the DLL and spawns calc.exe. But when the same exe is run from a service, no calc.exe is spawned.

6
  • 1
    I have to assume that the issue is that you are attempting to spawn a process that displays a user interface, as a user that is not interactively logged in and thus has no desktop upon which the window might display. That is not an uncommon issue with application automation tasks. Commented Apr 15, 2023 at 6:10
  • Complement to Frank Thomas' answer: instead of launching calc.exe, write a console mode program with no UI and try to run that one from the service. I bet it will work.
    – fpiette
    Commented Apr 15, 2023 at 6:27
  • Original poster here (not sure why it posted as a guest, I thought I was logged in!). Do error dialogs get suppressed as well since they're also visual? I even tried removing the DLL from the directory to see if I could get the rundll32 process that is spawned to throw an error (it throws an error when running from the CLI, but not from the service). Am I able to write a console mode program that gets loaded by rundll32 as a DLL? I didn't know that, but I'll look into it and report back. Commented Apr 15, 2023 at 6:45
  • 1
    Welcome to Super User! It looks like you have created a second account, which will also interfere with your ability to comment within your thread and to accept an answer. See How can one link/merge/combine/associate two accounts/users? and/or I accidentally created two accounts; how do I merge them? for guidance on how to merge your accounts.
    – DavidPostill
    Commented Apr 15, 2023 at 7:33
  • Update for @fpiette and Frank Thomas - tried creating a console mode program that just writes to a file, but I can't seem to load it through rundll32. So I created a bare-bones DLL file that only exports one method which writes out to a file, and it works when I run it via the CLI myself, but when I restart the service that runs it, the file is never written to. I can see in Process Explorer that the command is being run the same way I'm running it in the CLI, but the file still isn't being written to. Commented Apr 15, 2023 at 7:43
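
One way to check the explanation given in the comments, as an added example that is not part of the original thread: Windows runs services in session 0, which is separate from the session of the interactively logged-on user, so a window created by a service-launched process is not shown on that user's desktop. The script below lists every rundll32.exe and calc.exe process (the names used in the question) with its session, owner and parent, so the service-launched instance can be compared with one started from the CLI.

```powershell
# Added diagnostic, not code from the thread.
# Run from an elevated PowerShell prompt so GetOwner can read processes
# that belong to service accounts.
$names = 'rundll32.exe', 'calc.exe'   # process names taken from the question

# Session of the shell you are typing into, used as the comparison point.
$mySession = (Get-Process -Id $PID).SessionId

# Build a WQL filter such as: Name = 'rundll32.exe' OR Name = 'calc.exe'
$filter = ($names | ForEach-Object { "Name = '$_'" }) -join ' OR '

Get-CimInstance -ClassName Win32_Process -Filter $filter | ForEach-Object {
    $owner  = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    $parent = Get-CimInstance -ClassName Win32_Process `
                  -Filter "ProcessId = $($_.ParentProcessId)"

    [pscustomobject]@{
        Name        = $_.Name
        ProcessId   = $_.ProcessId
        SessionId   = $_.SessionId                     # 0 = services session
        SameSession = ($_.SessionId -eq $mySession)    # False: not on your desktop
        Owner       = if ($owner.ReturnValue -eq 0) {
                          "$($owner.Domain)\$($owner.User)"
                      } else { '<unavailable>' }
        Parent      = if ($parent) {
                          "$($parent.Name) ($($parent.ProcessId))"
                      } else { '<exited>' }
        CommandLine = $_.CommandLine
    }
} | Format-List
```

A row with `SessionId` 0 and `SameSession` False is a process that was created but has no visible window or dialog in the logged-on user's session.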
