Windows Service running with Local System rights, wants to create child processes from windows service which will running with Local User rights - windows-services

I am working on windows service application where currently it is running on administrator privileges.
For that I need to set administrator info in service log on settings.
Above windows service is creating child processes with local user privileges.
This is working fine.
Now I want to change windows service application to run with "Local System" privileges instead of administrator.
But if I change the log on setting to "Local System", the child processes do not start and throw an "access denied" exception.
I think that "local system" account has all permission to do anything.
It is even stronger than administrator account.
Then why it cannot start child processes?
Please guide me if my perception is wrong.

Local System certainly DOES NOT have "all permission to do anything". That would mean that if someone managed to get INTO that process, they could really run amok on the system.
Group Policy Editor will show you EXACTLY who can do what so you don't need to guess your way through.
Open GPEDIT.MSC
Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
On the right hand side, look for "Obtain an impersonation token for another user in the same session".
I am not 100% sure that this is the setting you need (I haven't tried it) but I THINK it is. Even if it isn't, browse around this section of group policy to see who can do what. Clearly the setting you want won't have "Local System" on the list ;)
I hope this helps. :) GOOD LUCK!

Related

Granting "Local System" permissions the installation folder in Advanced Installer

I have an "Advanced Installer" project that I am trying to use to install my "TopShelf" windows service that I have built.
I found the spot in Advanced Installer to grant permissions to the installation folder, but I don't see a way to grant permissions to the "Local System" account.
Manually, this is done by going to the security option in the properties of the folder and adding a user with the same name as the computer name but ending with a $. For Example MyNiceComputer$. (Oh, and you have to select the "Computers" option in the types area.)
But there is no way to do all this in Advanced Installer. If I do make one like MyNiceComputer$, it just makes an empty entry in the security tab. (No permissions on it, even though I set it up for full control.)
Has anyone ever needed to do this with Advanced Installer?
Additional Details:
I am installing an app that runs as a windows service. (It is a console app built with TopShelf).
Our company policy is to install all our applications into a folder that looks like this:
C:\OurCompanyApps\MyApp
When I create the installer, it runs fine, but then I when I start up the Windows Service, I get the following error:
Windows could not start the MyApp service on Local Computer
Error 5: Access is denied.
But when I grant access to Local System (by giving Full Control rights to myNiceComputer$ on the MyApp folder), then this error goes away and the app runs fine. From what I read, this is because the application is running as Local System.
It seems odd that it needs full control but it does not work without it. (But as far as I can see, the contents of the folder are un-altered).
@Bogdan Mitrache seems to indicate that granting permissions to Local System is not possible via Advanced Installer. This is good to know (so I don't waste more time looking). I will probably ask my System Admins for a dedicated system account to run my service as. Not ideal, but it will serve as a work around.
So, in one of my "less finer" moments of debugging, I mixed up two different things.
There was also a file missing, (my config file). I restored that and changed the permissions at the same time. But then I forgot to go back and verify which one was the actual fix. (I know, not good debugging.)
So, the Access is denied error was due to a missing file.

Network Service account does not accept local paths

I am creating a program that runs as a service and creates database backups (using pg_dump.exe) at certain points during the day. This program needs to be able to write the backup files to local drives AND mapped network drives.
At first, I was unable to write to network drives, but solved the problem by having the service log on as an administrator account. However, my boss wants the program to run without users having to key in a username and password for the account.
I tried to get around this by using the Network Service account (which does not need a password and always has the same name). Now my program will write to network drives, but not local drives! I tried using the regular C:\<directory name>\ path syntax as well as \\<computer name>\C$\<directory name>\ syntax and also \\<ip address>\C$\<directory name>\, none of which work.
Is there any way to get the Network Service account to access local drives?
Just give the account permission to access those files/directories, it should work. For accessing local files, you need to tweak ACLs on the files and directories. For accessing via network share, you have to make changes to file ACLs, as well as permissions on network share.
File ACLs can be modified in the Explorer UI, or from the command line using the standard icacls.exe. E.g. this command line will give the directory and all files underneath it Read, Write and Delete permissions for Network Service.
icacls c:\MyDirectory /T /grant "NT AUTHORITY\Network Service":(R,W,D)
File share permissions are easier to modify from UI, using fsmgmt.msc tool.
You will need to figure out what minimal set of permissions is necessary. If you don't worry about security at all, you can give full permissions, but it is almost always overkill, and opens you up more if for any reason the service is compromised.
I worked around this problem by creating a new user at install time which I add to the Administrators group. This allows the service to write to local and network drives, without ever needing password/username info during the setup.

w3wp process not found

I use Visual Studio 2010 to debug an ASP.NET MVC project on my local machine. The steps are:
Click Debug and try to attach to the process "w3wp.exe". However, it is not in the list.
I am sure "Show processes in all sessions" is clicked.
w3wp.exe won't show in the running processes unless there is actually an instance of the web application running.
Try to access your web page first, when it is displayed for the first time, try to attach your debugger. The process should now show up.
You need to click Show Processes from All Users at the bottom of the Task Manager list. This is what I needed to do.
Restart IIS
Right click your site >> Manage Website >> Browse
Back into Visual Studio refresh the processes list
Try to check on :"Show Processes for All Users"
When on the 'Attach to Process' window in the bottom left there is a checkbox 'Show Processes for All Users'
An easy way that works, when w3wp doesn't appear in the list: open a browser, type localhost, then press Enter. After that w3wp appears in the list.
Just because an IIS application pool is started, there may not be an IIS worker process w3wp running. IIS will not start the worker process until the first web request is received.
In my case, I first launched the application, still could not find w3wp.exe. Then I took the worker process ID from (IIS->Worker Process -> Process Id) and then search by id in the details tab and found it.
Clear the Solution
Rebuild the solution
Reset the IIS by writing the command iisreset in command prompt
Go to IIS and browse your website
Run VS as administrator
Tools -> Attach to process -> Ensure the 'Show Processes for All Users' checkbox is checked -> w3wp.exe
Attach to w3wp.exe
If you are using something like Advanced Rest Client to test routes, call your route again then refresh the list of processes and it will show up
Go to Web Project properties -> Select (Web) on the left sidebar -> Go under the (Servers) header -> Click the dropdown and select "Local IIS"
and apply. Then, when you start debugging you will see w3wp.exe in the process list.
I just ran into this issue - you may want to also double check your host settings and verify that you are actually pointed to localhost and not a production server.
I forgot I was pointed at a remote server, and thus, though I was accessing the site, it wasn't anything local so w3wp wasn't running, despite my superficially being able to see the site running.
In my case, I have not opened the Visual Studio in Admin mode that is why the w3wp.exe was not showing on the list.
When I opened the Visual Studio in Admin mode, it worked.
Right click on Visual Studio -> Open in Admin mode.
In my case, once I rebuild the web project and raise the limit of Connection Time out (in seconds), it automatically shows in Debug/Attach to Process list and keeps working.
I would just like to share my experience as well for future readers.
Be aware that, in the event that you have a web server cluster configuration (for load balancing etc) the w3wp process might not start on the same machine that you expect it to.
Unless your website is configured to only run on a single IIS instance, the w3wp process might be spinning up on one of the other machines inside of your web cluster.
This might be faulty configuration from the networking team/department or intended behaviour. I don't have the necessary experience to pinpoint exactly how it should be configured.
Found a related page on MSDN as well:
https://msdn.microsoft.com/en-us/library/bb742600.aspx
In my case, I needed to connect from one Visual Studio to the process which was running from another VS window.
The problem was as follows: one VS was launched with Administrator permissions. To resolve that issue you should launch both VS instances with Admin permissions.
In my case, the problem was that I wasn't running Visual Studio as Administrator. My machine had restarted after an update and relaunched all the previously running processes, but had only relaunched VS in non-admin mode. When I restarted VS in admin mode, the w3wp.exe processes were available again for debugging.
Run the remote debugger as an administrator.
I followed every suggestion to resolve the issue, but it was not until I ran the remote debugger as an administrator that I was able to see the w3wp process
Try the following steps:
Create a virtual path from Solution Explorer.
Go to inetmgr to confirm that your own pool is created.
Go to Attach Process (Ctrl+Alt+P) and show processes for all users.
Then you will see w3wp.exe will be there.
Be aware that even after jumping through all these hoops (kicking off an instance using a web browser, starting your remote debugging session as an admin, ensuring that "show all users" is checked, etc., ensuring you aren't on a server farm, etc), you may still at times be out of luck.
There are times when the remote process, usually a WCF service in my case, simply will not show up in the list of processes to attach to, and there's nothing that can be done about it. I'm always careful to make my target process readily identifiable by keeping it and only it in a certain App Pool. Sometimes you just can't get there from here. This is undoubtedly the most frustrating thing about remote debugging Microsoft has ever done.
My answer is late for sure, but maybe it will help someone.
Go to IIS.
Application Pools.
Advanced Settings.
Enable 32-bit Applications.
Make your application run under Enable 32-bit Applications.

Start / Stop a Windows Service from a non-Administrator user account

I have a WindowsService named, say, BST. And I need to give a non-Administrator user, UserA, the permissions to Start/Stop this particular service. My service runs on a variety of Windows OS, starting from Windows Server 2003 to Windows 7.
How can I do this?
I Googled and found some stuff about giving permissions using the command [sc sdset], but I am not exactly sure about the parameters. I do not want to set the permissions for a group, but ONLY to a particular user, UserA in this case.
Below I have put together everything I learned about Starting/Stopping a Windows Service from a non-Admin user account, if anyone needs to know.
Primarily, there are two ways in which to Start / Stop a Windows Service.
1. Directly accessing the service through logon Windows user account.
2. Accessing the service through IIS using Network Service account.
Command line command to start / stop services:
C:/> net start <SERVICE_NAME>
C:/> net stop <SERVICE_NAME>
C# Code to start / stop services:
using System;
using System.ServiceProcess; // reference System.ServiceProcess.dll

ServiceController service = new ServiceController(SERVICE_NAME);
//Start the service (the calling account needs the start right on the service object)
if (service.Status == ServiceControllerStatus.Stopped)
{
    service.Start();
    service.WaitForStatus(ServiceControllerStatus.Running, TimeSpan.FromSeconds(10.0));
}
//Stop the service (the calling account needs the stop right on the service object)
if (service.Status == ServiceControllerStatus.Running)
{
    service.Stop();
    service.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(10.0));
}
Note 1:
When accessing the service through IIS, create a Visual Studio C# ASP.NET Web Application and put the code in there. Deploy the WebService to IIS Root Folder (C:\inetpub\wwwroot\) and you're good to go.
Access it by the url http:///.
1. Direct Access Method
If the Windows User Account from which either you give the command or run the code is a non-Admin account, then you need to set the privileges to that particular user account so it has the ability to start and stop Windows Services. This is how you do it.
Login to an Administrator account on the computer which has the non-Admin account from which you want to Start/Stop the service. Open up the command prompt and give the following command:
C:/>sc sdshow <SERVICE_NAME>
Output of this will be something like this:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
It lists all the permissions each User / Group on this computer has with regards to .
A description of one part of above command is as follows:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)
It has the default owner, default group, and it has the Security descriptor control flags (A;;CCLCSWRPWPDTLOCRRC;;;SY):
ace_type - "A": ACCESS_ALLOWED_ACE_TYPE,
ace_flags - n/a,
rights - CCLCSWRPWPDTLOCRRC, please refer to the Access Rights and Access Masks and Directory Services Access Rights
CC: ADS_RIGHT_DS_CREATE_CHILD - Create a child DS object.
LC: ADS_RIGHT_ACTRL_DS_LIST - Enumerate a DS object.
SW: ADS_RIGHT_DS_SELF - Access allowed only after validated rights checks supported by the object are performed. This flag can be used alone to perform all validated rights checks of the object or it can be combined with an identifier of a specific validated right to perform only that check.
RP: ADS_RIGHT_DS_READ_PROP - Read the properties of a DS object.
WP: ADS_RIGHT_DS_WRITE_PROP - Write properties for a DS object.
DT: ADS_RIGHT_DS_DELETE_TREE - Delete a tree of DS objects.
LO: ADS_RIGHT_DS_LIST_OBJECT - List a tree of DS objects.
CR: ADS_RIGHT_DS_CONTROL_ACCESS - Access allowed only after extended rights checks supported by the object are performed. This flag can be used alone to perform all extended rights checks on the object or it can be combined with an identifier of a specific extended right to perform only that check.
RC: READ_CONTROL - The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). (This is a Standard Access Right, please read more http://msdn.microsoft.com/en-us/library/aa379607(VS.85).aspx)
object_guid - n/a,
inherit_object_guid - n/a,
account_sid - "SY": Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID.
Now what we need to do is to set the appropriate permissions to Start/Stop Windows Services to the groups or users we want. In this case we need the current non-Admin user be able to Start/Stop the service so we are going to set the permissions to that user. To do that, we need the SID of that particular Windows User Account. To obtain it, open up the Registry (Start > regedit) and locate the following registry key.
LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Under that there is a separate Key for each and every user account on this computer, and the key name is the SID of each account. SIDs are usually of the format S-1-5-21-2103278432-2794320136-1883075150-1000. Click on each Key, and you will see on the pane to the right a list of values for each Key. Locate "ProfileImagePath", and by its value you can find the User Name that SID belongs to. For instance, if the user name of the account is SACH, then the value of "ProfileImagePath" will be something like "C:\Users\Sach". So note down the SID of the user account you want to set the permissions to.
Note2:
Here a simple C# code sample which can be used to obtain a list of said Keys and it's values.
using System.IO;
using Microsoft.Win32;

//HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList RegistryKey
string keyName = @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList";
RegistryKey profileList = Registry.LocalMachine.OpenSubKey(keyName);
//Get a list of SIDs corresponding to each account on the computer
string[] sidList = profileList.GetSubKeyNames();
foreach (string sid in sidList)
{
    //Based on above names, get the 'Registry Key' corresponding to each SID
    RegistryKey profile = Registry.LocalMachine.OpenSubKey(Path.Combine(keyName, sid));
    //SID
    string strSID = sid;
    //Profile path (e.g. C:\Users\Sach) from which the user name behind the SID can be read
    string strUserName = (string)profile.GetValue("ProfileImagePath");
}
Now that we have the SID of the user account we want to set the permissions to, let's get down to it. Let's assume the SID of the user account is S-1-5-21-2103278432-2794320136-1883075150-1000.
Copy the output of the [sc sdshow ] command to a text editor. It will look like this:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Now, copy the (A;;CCLCSWRPWPDTLOCRRC;;;SY) part of the above text, and paste it just before the S:(AU;... part of the text. Then change that part to look like this:
(A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)
Then add sc sdset at the front, and enclose the above part with quotes. Your final command should look something like the following:
sc sdset <SERVICE_NAME> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Now execute this in your command prompt, and it should give the output as follows if successful:
[SC] SetServiceObjectSecurity SUCCESS
Now we're good to go! Your non-Admin user account has been granted permissions to Start/Stop your service! Try logging in to the user account and Start/Stop the service and it should let you do that.
2. Access through IIS Method
In this case, we need to grant the permission to the IIS user "Network Services" instead of the logon Windows user account. The procedure is the same, only the parameters of the command will be changed. Since we set the permission to "Network Services", replace SID with the string "NS" in the final sdset command we used previously. The final command should look something like this:
sc sdset <SERVICE_NAME> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Execute it in the command prompt from an Admin user account, and voila! You have the permission to Start / Stop the service from any user account (irrespective of whether it is an Admin account or not) using a WebMethod. Refer to Note1 to find out how to do so.
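The text-editor splice the answer describes, as an added Python example (not from the answer or from Microsoft): it appends the allow ACE for the trustee to the DACL in front of the S: part, refuses a second ACE for a trustee that already has one, and decodes the two-letter rights codes with their service-object meanings (the SERVICE_* access-mask bits, so RPWPCR is start, stop and user-defined control only). The sample SDDL and SID are the ones quoted above; the resulting sc sdset line still has to be run from an elevated prompt on the Windows machine.

```python
import re

# Service-object meaning of the two-letter SDDL rights codes (the SERVICE_* access-mask
# bits plus the standard rights); this is what sc sdset actually grants on a service.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "RC": "READ_CONTROL",
    "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
START_STOP = "RPWPCR"  # start + stop + user-defined control, as granted in the answer

# sc sdshow output quoted in the answer above (used here as sample input).
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

SDDL_RE = re.compile(r"^D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^()]*\))*)"
                     r"(?:S:(?P<sflags>[A-Z]*)(?P<sacl>(?:\([^()]*\))*))?$")
ACE_RE = re.compile(r"\(([^()]*)\)")
TRUSTEE_RE = re.compile(r"^(?:S-1-\d+(?:-\d+)+|[A-Z]{2})$")  # full SID or alias like NS/BA


def decode_rights(rights):
    """'RPWPCR' -> ['SERVICE_START', 'SERVICE_STOP', 'SERVICE_USER_DEFINED_CONTROL']."""
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return [SERVICE_RIGHTS.get(c, "UNKNOWN:" + c) for c in codes]


def grant_rights(sddl, trustee, rights=START_STOP):
    """Append an allow ACE for `trustee` to the DACL, keeping the SACL (S:...) untouched."""
    if not TRUSTEE_RE.match(trustee):
        raise ValueError("trustee must be a SID (S-1-5-21-...) or a two-letter alias")
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not a D:...S:... string as printed by sc sdshow")
    dacl = ACE_RE.findall(m["dacl"])
    # Keep the DACL auditable: one entry per trustee, edit the existing one instead.
    for ace in dacl:
        if ace.split(";")[-1] == trustee:
            raise ValueError(f"{trustee} already has an ACE ({ace}); edit that one instead")
    dacl.append(f"A;;{rights};;;{trustee}")
    out = "D:" + m["dflags"] + "".join(f"({a})" for a in dacl)
    if m["sacl"] is not None:
        out += "S:" + m["sflags"] + m["sacl"]
    return out


def sdset_command(service, sddl, trustee, rights=START_STOP):
    """The exact line to run from an elevated prompt."""
    return f'sc sdset {service} "{grant_rights(sddl, trustee, rights)}"'


if __name__ == "__main__":
    sid = "S-1-5-21-2103278432-2794320136-1883075150-1000"  # SID from the answer
    print(decode_rights(START_STOP))
    print(sdset_command("<SERVICE_NAME>", SAMPLE_SDDL, sid))
```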
I use the SubInACL utility for this. For example, if I wanted to give the user job on the computer VMX001 the ability to start and stop the World Wide Web Publishing Service (also known as w3svc), I would issue the following command as an Administrator:
subinacl.exe /service w3svc /grant=VMX001\job=PTO
The permissions you can grant are defined as follows (list taken from here):
F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands
So, by specifying PTO, I am entitling the job user to Pause/Continue, Start, and Stop the w3svc service.
Edit: updated links to web.archive.org since the original MS links are dead.
Login as an administrator.
Download subinacl.exe from Microsoft:
http://www.microsoft.com/en-us/download/details.aspx?id=23510
Grant permissions to the regular user account to manage the BST services.
(subinacl.exe is in C:\Program Files (x86)\Windows Resource Kits\Tools\).
cd C:\Program Files (x86)\Windows Resource Kits\Tools\
subinacl /SERVICE \\MachineName\bst /GRANT=domainname.com\username=F or
subinacl /SERVICE \\MachineName\bst /GRANT=username=F
Log out and log back in as the user. They should now be able to launch the BST service.
There is a free GUI tool, ServiceSecurityEditor, which allows you to edit Windows Service permissions. I have successfully used it to give a non-Administrator user the rights to start and stop a service.
I had used "sc sdset" before I knew about this tool.
ServiceSecurityEditor feels like cheating, it's that easy :)
It's significantly easier to grant management permissions to a service using one of these tools:
Group Policy
Security Template
subinacl.exe command-line tool.
Here's the MSKB article with instructions for Windows Server 2008 / Windows 7, but the instructions are the same for 2000 and 2003.
The subinacl.exe command-line tool is probably the only viable and very easy-to-use option of anything in this post. You can't use a GPO with non-system services and the other option is just way way way too complicated.
A Windows service runs using a local system account. It can start automatically as the user logs into the system or it can be started manually. However, a Windows service, say BST, can be run using a particular user account on the machine. This can be done as follows: start services.msc and go to the properties of your Windows service, BST. From there you can give the login parameters of the required user. The service then runs with that user account and no other user can run that service.

Are there any log file about Windows Services Status?

I want to figure out when the services was start up and terminated. Are there any kind log file about it?
Under Windows 7, open the Event Viewer. You can do this the way Gishu suggested for XP, typing eventvwr from the command line, or by opening the Control Panel, selecting System and Security, then Administrative Tools and finally Event Viewer. It may require UAC approval or an admin password.
In the left pane, expand Windows Logs and then System. You can filter the logs with Filter Current Log... from the Actions pane on the right and selecting "Service Control Manager." Or, depending on why you want this information, you might just need to look through the Error entries.
The actual log entry pane (not shown) is pretty user-friendly and self-explanatory. You'll be looking for messages like the following:
"The Praxco Assistant service entered the stopped state."
"The Windows Image Acquisition (WIA) service entered the running state."
"The MySQL service terminated unexpectedly. It has done this 3 time(s)."
Take a look at the System log in the Windows Event Viewer (eventvwr from the command line).
You should see entries with source as 'Service Control Manager'. e.g. on my WinXP machine,
Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 7/1/2009
Time: 12:09:43 PM
User: N/A
Computer: MyMachine
Description:
The Background Intelligent Transfer Service service entered the running state.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Through the Computer Management console, navigate through Event Viewer > Windows Logs > System. Every service that changes state will be logged here.
You'll see info like:
The XXXX service entered the running state or The XXXX service entered the stopped state, etc.
The most likely place to find this sort of information is in the Event Viewer (under Administrative Tools in XP, or run eventvwr). This is where most services log warnings, errors etc.
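The Service Control Manager messages quoted in the answers above, parsed into structured events so a stopped or crashed service can be flagged rather than read by eye; this is an added Python example, not from any of the answers, and the log dump it runs on is constructed in the "Event Type: ... Description:" layout the Event Viewer copies to the clipboard.

```python
import re

# Constructed sample: the first record is the one quoted in the answer above, the rest are
# made up to show a crash (Event ID 7034), the restart after it, and a non-SCM record.
SAMPLE_LOG = """\
Event Type: Information
Event Source: Service Control Manager
Event ID: 7036
Date: 7/1/2009
Time: 12:09:43 PM
Description:
The Background Intelligent Transfer Service service entered the running state.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7034
Description:
The MySQL service terminated unexpectedly. It has done this 3 time(s).

Event Type: Information
Event Source: Service Control Manager
Event ID: 7036
Description:
The MySQL service entered the running state.

Event Type: Warning
Event Source: Disk
Event ID: 7
Description:
The device, \\\\Device\\\\Harddisk0, has a bad block.
"""

STATE_RE = re.compile(r"^The (?P<svc>.+?) service entered the (?P<state>\w+) state\.")
CRASH_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly\."
                      r"(?:\s+It has done this (?P<n>\d+) time\(s\)\.)?")


def parse_records(text):
    """One dict per blank-line-separated record; 'Description' holds the message text."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec, lines = {}, chunk.splitlines()
        for i, line in enumerate(lines):
            if line.startswith("Description:"):
                rec["Description"] = " ".join(l.strip() for l in lines[i + 1:])
                break
            key, _, value = line.partition(":")  # 'Time: 12:09:43 PM' splits at the first colon
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def service_events(text):
    """(service, event_id, state, count) for Service Control Manager records only:
    state is the 7036 state word or 'crashed' for 7034, count is the SCM's repeat count."""
    out = []
    for rec in parse_records(text):
        if rec.get("Event Source") != "Service Control Manager":
            continue
        msg, eid = rec.get("Description", ""), int(rec["Event ID"])
        m = STATE_RE.match(msg)
        if m:
            out.append((m["svc"], eid, m["state"], 0))
            continue
        m = CRASH_RE.match(msg)
        if m:  # no "done this N time(s)" suffix means the first crash
            out.append((m["svc"], eid, "crashed", int(m["n"] or 1)))
    return out


def unexpected_terminations(text):
    """Service -> repeat count for 7034 crashes: the entries worth alerting on."""
    return {svc: n for svc, _, state, n in service_events(text) if state == "crashed"}
```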
