Is it wrong to call SHFileOperation from a service?
A customer had a simple question: “Is it wrong to call SHFileOperation from a service?”
I don’t know if I’d call it wrong, but I’d call it highly inadvisable.
SHFileOperation was designed for interactive operations, so you’re using it outside its original design parameters.
- Many shell extensions ignore “no UI” flags and put up UI anyway. As a result, your call to SHFileOperation may end up getting stuck on unexpected UI. Now you have a service displaying UI, and that’s just asking for trouble.
- The shell for the most part does not expect to be called while impersonating. There are a few functions specifically designed for use while impersonating; those exceptions are called out explicitly in their respective documentation. SHFileOperation is not one of those functions.
- Because SHFileOperation uses the shell namespace, you are at risk of loading shell extensions into a service. Shell extensions typically are not written with the strict security requirements of a service in mind, and you may end up creating a security hole. Somebody could plant a desktop.ini into a directory your service operates on, and now your service has been tricked into loading a shell namespace extension. The bad guys are constantly searching for buggy shell extensions that they can use as an attack point. And if they can get into a service, well, then they just hit the jackpot!
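
A defensive check for the last point, as an added example that is not from the original post: it walks a directory tree a service operates on and reports every desktop.ini whose [.ShellClassInfo] section names a class ID. The key-name heuristic (any key containing "clsid"), the folder names and the all-zero GUID are assumptions constructed for illustration.

```python
import os
import re
import tempfile

GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def read_ini_text(path):
    """desktop.ini is usually UTF-16 with a BOM or a single-byte encoding."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def clsid_entries(text):
    """Return (key, guid) pairs found inside the [.ShellClassInfo] section."""
    hits, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[.shellclassinfo]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            match = GUID.search(value)
            if "clsid" in key.lower() and match:  # heuristic, see lead-in
                hits.append((key, match.group(0).upper()))
    return hits

def scan(root):
    """Report (path, key, guid) for each desktop.ini under root naming a class."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "desktop.ini":
                path = os.path.join(dirpath, name)
                for key, guid in clsid_entries(read_ini_text(path)):
                    findings.append((path, key, guid))
    return findings

def demo():
    """Build two constructed folders (one icon-only, one naming a class) and scan."""
    benign = "[.ShellClassInfo]\r\nIconResource=C:\\Windows\\System32\\shell32.dll,4\r\n"
    planted = "[.ShellClassInfo]\r\nCLSID={00000000-0000-0000-0000-000000000000}\r\n"
    with tempfile.TemporaryDirectory() as root:
        for folder, body, enc in (("reports", benign, "utf-8"), ("incoming", planted, "utf-16")):
            os.makedirs(os.path.join(root, folder))
            with open(os.path.join(root, folder, "desktop.ini"), "wb") as f:
                f.write(body.encode(enc))
        return [(os.path.relpath(p, root), k, g) for p, k, g in scan(root)]
```

A finding here is a prompt to review the folder's write permissions; the scan does not make shell calls from a service any safer.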