#PowerShell message box while being ran as a service

Hi guys! I am in need of some help and before posting my code, I am not a PS coder, I am able to understand the code well, but most of it is AI generated, tested and after adjusted to my needs. I use NSSM to run a Batch file as a service that starts a PowerShell file that at some point is going to display a message box, however since it's being started from a no UI window, the message box pretty much never displayed. I got it to work after some time, but currently I have a problem that when it's ran as a service, half of the message box's content just get's straight up cut off.

The msgbox content is like A threat was found in {filename} (PID: {pid}) accesing unknow and then it doesn't print any of the other stuff that it's supposed to. The second line and reminder are totally skipped. Any ideas how to fix this issue? Thanks!

code was too long, so here is it as an attachment

Well write the msgbox data to a file.

You can’t expect gui elements from a service. What account is the service running under too?

You'd have to run something in the users interactive session, start a different process.

A scheduled task could be used to do that so it's certainly possible. I'd be inclined to look and see if BurntToast does this kind of thing too.

NT AUTHORITY\SYSTEM

I tried to before, but it would never show up unless it was not ran by the service

If I ran normally from command line, it would work just fine, but as soon as it's ran by service it wouldn't show

yeah so that isn't your local user right so you wouldn't see it and i don't know if there is any scenario where you can get a pop-up gui msg from a service.

you do not use a msg box. you write the logging data into a file on disk.

it's where you'd start hitting WCF if it were something real. A dirty hack would be that scheduled task in the users interactive process. Rubbish security boundary around the service though.

but then it's running as SYSTEM, so...

I managed to do it now, but the messagebox acts weird and somehow half of the content it's supposed to display is being cut off

that means there has to be a second file running and monitoring the data written in the file?

but why? just write the log to a file like every other service running...

no, just do whatever action you want to do when the log action happens. why do you need a separate process checking a msgbox or a file?

I don't understand what you meant by that before

what logging data is supposed to be written into a file?

why have the msgbox? what does the msgbox do?

i guess step back. what is in the msgbox. I'm making some assumptions.

messagebox needs to be displayed to get user answer in the direct moment

so then do what chris says above I suppose.

what is wcf?

what info do you need from them?

windows communication foundation

there are atm 3 buttons on the msgbox, then the file does actions depending on what button was pressed

for what? what is the action? why can't they just trigger this app from the desktop? why does it have to be a service?

in order to prevent termination it has to run as a service

and what is it asking them? there might be a better way.

the file monitors WMI for new processes, they are after checked for digital signature by sigcheck, if unsigned they are checked for virustotal verdicts, if above 0, they are suspended and that's when the msgbox asks them if they would like to allow/terminate the process

It all works perfect currently, but the problem is

   $line2 = "Detection $Ratio percent ($Detections of $TotalAVs)"
   $reminder = "`r`nYes=Allow  No=Terminate  Cancel=Exclude"```
displays pretty much only line 1, no line2/reminder

why not just use app locker or wdac? I would also try looking at https://psappdeploytoolkit.com/ as they have prompts in the user context.

this doesn't really tell me how it is written to the msgbox or screen.

but again, try a scheduled task like it was said above.

i think you are getting into wrong tools for the job territory.

# ==============================
# WTSSendMessage Implementation
# ==============================
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public class WtsUtils
{
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern uint WTSGetActiveConsoleSessionId();

    [DllImport("wtsapi32.dll", SetLastError=true, CharSet=CharSet.Auto)]
    public static extern bool WTSSendMessage(
        IntPtr hServer,
        int SessionId,
        string pTitle,
        int TitleLength,
        string pMessage,
        int MessageLength,
        int Style,
        int Timeout,
        out int pResponse,
        bool bWait
    );
}
"@

function Get-ActiveSessionId {
    $sessionId = [WtsUtils]::WTSGetActiveConsoleSessionId()
    if ($sessionId -eq 0xFFFFFFFF) {
        Write-Warning "No active console session found"
        return $null
    }
    return [int]$sessionId
}
˙```

Show-ThreatDialog -FileName $processName ` -ProcessId $processId ` -AccessedProcess "unknown" ` -Ratio $ratio ` -Detections $($vtResult.Detections) ` -TotalAVs $($vtResult.TotalAVs) ` -ExecutablePath $executablePath

will try

this still doesn't show how WTSSendMessage is called. are just passing in WTS_CURRENT_SERVER_HANDLE for hserver?

should be this i'm pretty sure

        [IntPtr]::Zero,
        $sessionId,
        $title,
        $title.Length,
        $fullMessage,
        $fullMessage.Length,
        $style,
        $timeout,
        [ref]$response,
        $true
    )```

have you read this? https://stackoverflow.com/a/24212241

no, I read few others but didn't check this one

i mean this is on the tip of my knowledge so maybe someone with more knowledge of these win32 apis can come in and help. there are just many layers to this. nssm and the bat file and the c# and you are only giving fragments of what you have.

i'm going to take a look at that after I get home

however I still don't understand why is only half of the messagebox shown

I probably would just go with the half msgbox instead of digging in this deeper

it is the full msgbox outside the service?

if the service runs as system, will it even have an active session? I would assume you would have to enumerate all the sessions and find the active user's session.

have you tried running the service as your own account?

I'm not 100% sure but i'd put my hand in a fire that yes

Will check once i'm home

now maybe WTSGetActiveConsoleSessionId does what i am talking about.

looks like this is feature of windows. I didn't realize that originally. my bad. I would read this as maybe it can give you more hints. https://learn.microsoft.com/en-us/windows/win32/services/interactive-services

learned something new. apologies if I came off rude. was just trying to help ultimately and learn something.

that's alright man, ty for trying

regardless of what I was doing before, why is this limited to 9 characters in the title?

it is a good question.

presumably you'd have a dword of len for title and message.
https://learn.microsoft.com/en-us/windows/win32/api/wtsapi32/nf-wtsapi32-wtssendmessagea

[string] .Length property doesn't return bytes though.
https://learn.microsoft.com/en-us/dotnet/api/system.string.length?view=net-9.0

Doesn't seem like it would matter because one char can be one byte but I'd convert to byte array and then count that.

I genuinely feel like this is some kind of bug

        $fullMessage   = "$FileName Detection: $Ratio ($Detections/$TotalAVs) ------------------------------------------------------------------"```

if I do this, it's able to display around 20 chars each

which is pretty weird

@tiny quartz nah ahahah this is so weird, the longer the title is the longer it allows the message itself to be

oh yeah so it is related to the size of the box. You have to pad the title it seems and muck around with it. feature not a bug. 😉

it also looks like you can create your own message box. https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messagebox Oh nvm. Looks like you will have to just introduce padding.

There’s a PS module called AnyBox that can be useful for message boxes and user prompts/interactions if that’s what you mean

But idk anything about running things as services and stuff so probably not gonna be helpful to you in this case lol

cool program, but that wouldn't work if being ran from a service

Yeah I assumed so

Good luck with your project if it wasn’t already solved

This specific problem was solved, but there's quite alot of stuff I still need to come up with and make them a reality 😄 Thanks!

@lusty parcel @tiny quartz after the hassle, I decided to try the scheduled task running with interactive mode and that indeed seems like the best idea. Thanks for taking the time and research!

https://www.lucd.info/2018/08/05/message-to-all-users-and-their-reply/

This post has the right code for WTSSendMessage

Oh, you got the types wrong in your DLLImport definition, you need some MarshalAs help

That one fixes your cutoff problem

But I'm having a quiet, boring Saturday, so I got a little carried away

nice. thanks for checking in on that . interesting.

how did you know you needed MarshalAs ? is there something from the docs on WTSSendMessage ? i've been reading about blittable types and it appears DWORD is blittable between mananged and unmanaged code? https://learn.microsoft.com/en-us/windows/win32/api/wtsapi32/nf-wtsapi32-wtssendmessagew Or can't you use the C# Uint64?

Honestly, two things ...

1. The error was obviously because things weren't marshalling properly

2. I searched for PInvoke WTSSendMessage and found the article I linked earlier, I assumed Luc didn't blog it if it didn't work, so I just copied his signature for the method, and it worked.

https://pinvoke.net/default.aspx/wtsapi32/WTSSendMessage.html
^ in my experience, you can almost always trust these, since it's a wiki, and when we find ones that don't work, we fix them.

interesting. I've seen int work without MarsalAs with https://learn.microsoft.com/en-us/windows/win32/api/wtsapi32/nf-wtsapi32-wtsenumeratesessionsexw for instance.

You put too much faith into PInvoke.net 🙂

oh i forgot about this site...

jordan do you when the marshalas comes into play on dword or the like?

Depends, I'm usually explicit when it comes to string parameters because trying to understand the default logic does not pass the 2am test

I assume ctypes takes it into account too?

The new LibraryImport generator now requires you to explicitly tell it what string marshaling method to use which is nice

Basically what I do with PInvoke defs

• Make sure I specify the W or A suffix on the function name to be explicit in what I want to call
• Make sure CharSet is to set Unicode or Ansi to be explicit

and in that I 99% of the time favour the W APIs and a Unicode CharSet

Side note, https://github.com/microsoft/CsWin32 should be the best way, but I still trust pinvoke.net the most
I do not trust p-invoke.net which was basically generated, and in this case shows the original code had, which didn't work 😉

pinvoke.net just has a lot of sub-optimal code. Because it's a wiki people of various skill levels have contributed to it and thus has various levels of code quality

i see that pattern now in the previous pinvokes you've written for me.

For example with https://pinvoke.net/default.aspx/wtsapi32/WTSSendMessage.html in question, it is not explicit at all in the string marshaling handling leaving you to rely on the defaults which is difficult to understand/remember

Yeah, since you're calling from .NET you basically always need to use W and Unicode

Plus I dont know how a site like this still hasn't fixed up that sidebar problems, it's been there for years

so IntPtr doesn't need the MarshalAs attribute because it is blittable?

PInvoke.net is also super slow

Yep, IntPtr is blittable but using that with string parameters means you need to manually handle the copies and marshaling

yeah it has lots of janky results and ads. 🙂

Using the attribute MarshalAs attribute with string causes more manually handling or you mean the reverse?

Using IntPtr requires you to manually marshal things

oh right, that is just the nature of it if that is the parameter out or in, right?

While strings are not blittable (without using "unsafe" code), relying on .NET to marshal them is a lot easier than doing it yourself which means annotating with MarshalAs or using the CharSet field in DllImport

Blittability comes from how the managed type's memory of that value is the same in unmanaged land, for example an int in C# is 4 bytes of data which is the same as most ints in C functions so you can safely pass it using pointers. Whereas other types you typically need to copy it from a managed object to the raw un managed bytes and provide a pointer to the functions

and also, technically, this definition can be done more explicitly?

        [DllImport("Wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
         private static extern bool WTSEnumerateSessionsExW(
             IntPtr hServer,
             ref int pLevel,
             int Filter,
             out IntPtr ppSessionInfo,
             out int pCount);

Basically when it is blittable C# can just pass the pointer to the internal memory that backs the value

right so you don't need the MarshalAs but with DWORD one can be more explicit using that attribute.

Yea you can, I typically only do so if I know the C type is a different size than the C# type I specified it as

ok so there are implementation details like in this instance with the message function where the marshaling can break if you don't specify the attribute.

For strings, blittability doesn't really come into play (at least not without "unsafe" code), it's more a question of how C# passes that string value to the underlying C call

do you actually need the "Ex" version of that?

yeah I use it in my function which replaces quser. unfortunately there isn't any other way. folks either use the win32api or string parse quser.

I think it's more a question does the Ex function expose extra functionality you can't get out of the non Ex one

Do you have insight into why WTSSendMessage data was cut off? it comes down to the marshal attribute? it seems like there isn't a way to know when int will work with and without MarshalAs?

It does look like the Ex one does provide more data in the structure/level it works with

I haven't really looked too far back but it could by either the marshaling problem (I don't think it is or else the strings would probably be junk data or null spaces).

oh yeah I see what you mean. maybe I can be good with WTSEnumerateSessions

I was only asking because in the example from the OP, they really only needed the ID of the current active user

My guess is it's a problem with the session isolation and trying to display a message box on another session that isn't yours

Depends on what you want, the Ex call gives you an array of https://learn.microsoft.com/en-us/windows/win32/api/wtsapi32/ns-wtsapi32-wts_session_info_1w

yeah that was my original thought but it seems like that api is designed with services in mind in some instances.

(which is almost always just 1)

The non Ex one is https://learn.microsoft.com/en-us/windows/win32/api/wtsapi32/ns-wtsapi32-wts_session_infow which is just the id and station name, no username, etc

Yeah it is the username I want

I think the WTSSendMessage was wrong because of the SessionId

but maybe because of the others being unsigned

Then you need the Ex call 🙂

The thing that bothers me, btw. ...

All of those ints are DWORD in the method sig

Yes which is confusing me!

But the (working) method signature I found is doing one as I4 and the others as U4

so wrong docs?

I suspect they could all be U4

eh technically a DWORD is unsigned but they all end up being the same thing

it's easier to just deal with an int and not worry about the signed bit

and it would only matter if the sessionid was actually too large

evne then it doesn't matter if you get the session id using a int signature because the underlying bytes are the same

so we are back to does the MarshalAs really matter in this case?

it doesn't, well not for the int values

Uh, it does

Because without it, it doesn't work ... and we didnt' specify it for the strings

:-p

yes. hehe. that is the confusion.

Granted I haven't looked into the original issue but if you get the active session id using an int and not uint then the important bit is you specify the call with an int

did you play around with removing one or the other of the attributes to see what did it?

specify the call with a uint right? or well int i guess because it is specified that way.

If the raw value was 0xFFFFFFFF then it's just -1 as an unsigned value and thus translates properly back. Even then I think if you swap and change them it won't matter as much because it's going to be the same raw bytes, the int vs uint side is how C# represents them to the end user

The important thing is the size of the integer is right. 99% of the time you are best just keeping it all signed (so int not uint) as that's the default integer type used in C#. Even then I cannot think of that 1% scenario where it really matters too much

Well without that attribute I think the issue was the message was cut off.

shrug

Strings are a bit different, you technically don't need the MarshalAs attribute, it might be nice to be explicit though. I don't know what Jaykul is saying it fixes because if you mix and match Ansi vs Unicode you either get garbled chinese characters or null bytes in the strings

Also maybe ignore me, I haven't read the full history of this thread, just saying what I know when it comes to PInvoke calls

Ok, I think I figured it out, and it wasn't the marshalas

I started commenting those out and couldn't repro the problem

Surprise 🙂 Having the CharSet.Auto on there automatically adds the MarshalAs attribute to the string arguments. IIRC Auto means LPWStr on Windows.

Yeah the thread is big with all my guesses and waffling about. 😉

Interesting. I’m on mobile. Is that how the method is defined?

IIRC Auto means LPWStr on Windows.
What I don't know is if Auto changes based on whether the A or W suffix is used

Way in the OP it was, not sure if it changed over the thread

Basically, what worked (without marshal) is to use WTSSendMessageA and CharSet.Ansi

That's what the code I posted above is doing (non-explicitly)

That sounds weird, the W API and Unicode results in it being trimmed?

If I explicitly put

    [DllImport("wtsapi32.dll", EntryPoint = "WTSSendMessageW", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool WTSSendMessage(

Then I have to use .Length * 2 for the string length parameters

oh yea that makes sense then

if the length params are for bytes

Yeah 😄

I mean, it's a pain in the neck, but it totally makes sense 🙂

Ohh that is the additional nuance.

That's what I originally assumed the problem was

Yea some APIs accept char length vs byte length

I did mention converting to byte array and counting. Would that work too?

you gotta make sure you use the proper one because it matters for WSTR

But then ... the code from Luc "just worked" so I didn't dig any further

If you used the proper encoding yes

to be clear, it's totally documented

[in] pTitle

A pointer to a null-terminated string for the title bar of the message box.

[in] TitleLength

The length, in bytes, of the title bar string.

Dang that is my original path of thinking!

Oh that is right. So what is more accurate the byte array count with encoding or length times two?

when you provide it as a byte array (string encoded to bytes) then you have the length of the array

Well you’d pass the count of bytes in this case.

when you are providing it as a string you need to deal with how large that string is when encoded. For a Unicode/Wide String function, that's essentially the .NET char count * 2

I guess I’m just asking is string length times two good enough?

For the Unicode one yea

Encoding.UTF8.GetByteCount( is the right solution, btw, not just doubling it 😉

for the Ansi one no because the strings will be encoded with a single byte encoding

Encoding.Unicode

Which in .NET is equal to $string.Length * 2

Yeah, match whatever you put in CharSet 😛

And to ensure you can handle non-ASCII chars you essentially need to use the Unicode/W APIs

yeah, exactly

Would emojis still work in both methods?

Technically the A ones support UTF-8 but it needs the manifest entyr which you can't control in powershell

Only if the UTF-8 locale is set which see above ^

Honestly, the ANSI methods will ... almost always not work from PowerShell

unless you're using ANSI characters

I think

So unless you control the exe you should use the Unicode/W APIs

I basically never use them on purpose

No real reason to, when you're in .net anywayu

Right because a string in .net is utf-16 le or the like?

Pretty much

It's useful for other applications where you could be storing strings with UTF-8. Very common on code written on other platforms

Speed optimization with ansi?

So now with the UTF-8 locale you no longer need a shim to translate the strings in your application. You can mark your manifest as supporting UTF-8 and call the *A functions without having to re-encode them. But this is all stuff outside of .NET/PowerShell so not super relevant here

Less optimisation, just simpler code as Windows internally will still translate the stuff to wide chars internally for you

So this version is actually explicit and correct 😉

The *A functions are basically shims that re-call the equivalent *W ones after they've re-encoded strings

Interesting discussion, i'll take a look at it tommorow