I have a server with a bunch of installers on it. However, my program stops when I attempt to initiate a connection to the server.
Process.Start(@"\\{Server ip}\Software_Depot\Installers_Master\Snagit\v2019\snagit.exe");
What I'm trying to do here is initiate the installation of snagit.exe from our server.
Check the permissions of the elevated user that’s being used. If it’s a local admin account, it might not have permissions to the network share.
You could either add a “net use .... domain-user password” or use a domain account to launch your .net app.
I wanted to run local desktop applications which are installed in Program Files and Program Files (x86) folders only, the application should run with administrator privileges as logged in user context. I have googled and got to know some.
Required as per my idea:-
File Explorer GUI with Socket Client
A Service
Local Application Launching Executable with Socket Server ( console application)
Note: The communication between File Explorer will happen using socket client and server. The service will launch the local application server in system context.
Imagine that File Explorer, Service and Application Launching server are installed.
Using File Explorer the app will be selected and the selected application information will be sent to the server. The server will check whether the requested path is a trusted path or not.
If it is from a trusted path, the server will get a handle from "winlogon.exe" and get the handle to the access token, then duplicate the access token and adjust its privileges (default system privilege will be there and I don't want that as system will have full privileges) then use CreateProcessAsUser to launch the application.
Once launched, bring the UI to the foreground. The application needs to be run in user context with administrator privileges.
My questions are stated below:-
To achieve this, do I need to enable the interactive process in the service?
If interactive is necessary, the communication between the user and local server is happening using a socket and the user does not interact with the service directly; I just wanted to know whether I am following the Microsoft safety measures as stated in the documentation below, or am I breaching it?
https://learn.microsoft.com/en-us/windows/win32/services/interactive-services
Do we have any other way to launch an application with admin privileges in logged on user context without actual administrator privilege?
The targeted OS is Windows 10 1803 and 1809.
Have a look for the tools psexec or paexec (they're mostly identical, the major difference being that the latter is open-source).
These tools allow you to start a process as another user and/or on another computer. This should work from a service as well.
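The trusted-path check that the question above describes for the launcher's server side, as an added example that is not part of the original post. It assumes the trusted roots are the two Program Files directories and that only .exe targets are accepted; `TrustedPathCheck`, `IsTrusted` and the sample paths are hypothetical.

```csharp
using System;
using System.IO;

static class TrustedPathCheck
{
    // Assumption: only the two Program Files directories count as trusted.
    static readonly string[] TrustedRoots =
    {
        Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles),
        Environment.GetFolderPath(Environment.SpecialFolder.ProgramFilesX86),
    };

    public static bool IsTrusted(string requested, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(requested)) return false;
        try { fullPath = Path.GetFullPath(requested); }   // collapses "." and ".."
        catch (Exception) { return false; }                // malformed path
        if (fullPath.StartsWith(@"\\", StringComparison.Ordinal)) return false; // UNC or device path
        if (!fullPath.EndsWith(".exe", StringComparison.OrdinalIgnoreCase)) return false;
        foreach (string root in TrustedRoots)
        {
            if (string.IsNullOrEmpty(root)) continue;
            // The trailing separator stops "C:\Program Files Evil\" matching by prefix.
            string prefix = root.TrimEnd('\\') + "\\";
            if (fullPath.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    static void Main()
    {
        // Constructed sample requests, as the socket server might receive them.
        string[] samples =
        {
            @"C:\Program Files\ExampleApp\app.exe",
            @"C:\Program Files\..\Users\Public\app.exe",
            @"C:\Program Files Evil\app.exe",
            @"\\10.0.0.5\share\app.exe",
        };
        foreach (string s in samples)
            Console.WriteLine("{0} -> {1}", s, IsTrusted(s, out _));
    }
}
```

`Path.GetFullPath` does not resolve junctions or symbolic links, so the check only holds while standard users cannot create or modify anything under the trusted roots; launch the canonical `fullPath` the check returned, not the string the client sent.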
I have a windows service that polls a folder continuously for new files. For local directories this works fine. But when it comes to UNC paths on another system in the same network, the service cannot access the folder, it seems. I have referred to this post https://serverfault.com/a/881272 ; it states that I need to run the service as the currently logged in user. How am I supposed to do that?
The path I wish to monitor using the service is
\\DESKTOP-PC\Users\me\myfolder
Please advise
UPDATE:
I have developed the service using Topshelf. I want to poll a folder on another local machine in the same network. I go to network places, double click on the computer name, it asks for credentials, I enter the username and password of the remote computer, and I get access to the files on the system for that user (in Explorer).
Now when I set the service to run as the local machine user under this machine, it cannot access the remote UNC path that is accessible using Explorer. I have tried installing it as the remote machine user, but it fails.
myService.exe install -username:DESKTOP-REMOTE\myname -password:mypassword
Open the Control Panel > Administrative Tools > Services window on your Windows server.
Stop your windows service.
Open the Properties > Log On dialog.
Change the service user account to the target user account.
Start your service.
If you are developing the service in Visual Studio, and want to emulate a different account you can also press shift + right mouse click on devenv.exe and click on "run as different user".
Also make sure you are specifying the full path to the folder and that the account you use has full rights to the folder.
If you try to run your service under the desktop-remote\myname account you probably will fail. The local machine only likes accounts belonging to itself.
What I would do is to turn it around. Make the remote computer share a folder for your machine to poll. That way the remote machine has control over which data it is publishing, just like an object has its properties to private or public. If you are ok with having anyone who knows the address \\desktop-remote\my-not-so-secret-folder\ being able to read it, set it so anyone can read. If you are more secretive, suffix the folder with $ like so: \\desktop-remote\my-secret-folder$. Now it is not visible but still reachable.
You can also create a special account that has access to said folder.
Then you let your service run any account (with network access) of your choosing on your local machine. Let it try to connect to the remote folder with the special account.
(I have learned, the hard way, that reading a shared folder is slightly different between machines without domain and machines in a domain; the anyone-can-read does not work. At least in WindowsXP it was that way. I have since then not had the need to share a folder.)
HTH
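The last step of the answer above, a service connecting to the remote folder with a dedicated account, as an added example that is not part of the original answer. It calls the Win32 `WNetAddConnection2` API through P/Invoke; the `ShareConnection` class, the `svc-reader` account and the `SHARE_PASSWORD` variable are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;

sealed class ShareConnection : IDisposable
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct NETRESOURCE
    {
        public int dwScope, dwType, dwDisplayType, dwUsage;
        public string lpLocalName, lpRemoteName, lpComment, lpProvider;
    }

    [DllImport("mpr.dll", CharSet = CharSet.Unicode)]
    static extern int WNetAddConnection2(ref NETRESOURCE res, string password, string user, int flags);

    [DllImport("mpr.dll", CharSet = CharSet.Unicode)]
    static extern int WNetCancelConnection2(string name, int flags, bool force);

    const int RESOURCETYPE_DISK = 1;
    readonly string _share;

    public ShareConnection(string share, string user, string password)
    {
        _share = share;
        var res = new NETRESOURCE { dwType = RESOURCETYPE_DISK, lpRemoteName = share };
        int rc = WNetAddConnection2(ref res, password, user, 0);   // 0 = not persisted
        if (rc != 0) throw new Win32Exception(rc);                 // e.g. 5 = access denied
    }

    // Drops the session so the credentials do not outlive the poll.
    public void Dispose() => WNetCancelConnection2(_share, 0, true);
}

static class Poller
{
    static void Main()
    {
        // Assumptions: share name, read-only account, password taken from the environment.
        string share = @"\\desktop-remote\my-secret-folder$";
        string pwd = Environment.GetEnvironmentVariable("SHARE_PASSWORD");
        using (new ShareConnection(share, @"desktop-remote\svc-reader", pwd))
            foreach (string file in Directory.GetFiles(share))
                Console.WriteLine(file);
    }
}
```

Error 1219 from `WNetAddConnection2` means the service's logon session already holds a connection to that server under different credentials. Give the dedicated account read access to that one share only.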
When you set the service to run as the local system account, it cannot access the remote UNC Path that is accessible using explorer with local machine account.
Simply because the explorer manages logged on user credentials, so, you have added UNC path credentials to the LOGGED user only.
When you change it to Local System Account, the user credentials to the share is not stored.
Try to create a local user without password expiration and then enable it access to the Share.
All you will need to do is to setup windows service with this new account registered.
I was facing this problem with my UNC storage in the Azure cloud.
What worked is setting up the credentials in the windows credentials manager:
You can get the connection string from the Azure portal.
This resolved our problem.
You can have a look at Impersonation. Also, if the service is running as a localuser, then it would help to create the same user with similar password on the machine where the folder resides.
Have a look here (the OP in this post is experiencing the same issue and he/she has given the shared folder “Everyone access to full control”).
https://serverfault.com/questions/177139/windows-service-cant-access-network-share
Goal:
I periodically upload new .exe file to windows server 2003 via FTP and I want to run it manually by hitting Url of a web site on same server. Exe needs to be run under an Admin account, and not the NETWORK SERVICE account.
What I achieved so far:
I have been able to successfully run applications like notepad under the Admin account on the server via a web request by using any of these:
PsExec,
.net process.Start() with credentials supplied to process.StartInfo and even
by impersonating admin and then using process.Start without credentials (http://www.f4cio.com/programmatically-impersonate-in-csharp)
The problem:
The above methods run my exe but Task Manager, or a call to System.Security.Principal.WindowsIdentity.GetCurrent().Name shows me that it is running under NETWORK SERVICE.
I suspect that this file has added security constraints because it arrived from ftp link. Checking run-as-administrator in properties of file is not an option because file will be replaced periodically and all needs to be automated. Also manual server configuration should be minimal or ideally non-existent. Code-only single-web-page solution is ideal. Editing both that asp.net web page and exe is ok. (I tried something with exe self-restarting).
Not sure about this, but I suspect this has to do with your website running under the NETWORK SERVICE user. Whatever privileges your website-user has, the same are probably granted / passed on as you try to run your executable.
Is this server on an internal network or protected in some other way? (I should hope so!). If so, you might try changing App Pool that the website is running under to an admin account (in IIS, right click the App Pool running the site, select Advanced Settings, and look for the Identity setting). If I'm right, that will allow you to run your executable as an admin too.
Be aware however, that this may increase the security risk of your setup: Allowing your site to run under an admin account means easier access to your entire server if anyone is able to penetrate whatever security measures you have in place. Make sure access to this server is tightly limited, and preferably, that it in turn does not have access to other systems, since that would in turn make them vulnerable by extension.
I'm writing a windows service that must write log files in a remote server, which is part of my network via secure VPN connection (P2P), so I can write log files in a directory (like "\\10.10.10.10\MylogFolder\log.txt") via Console Application, that I use to test my business classes.
Via Console App, it works correctly but when I try to inject the business class to the service, it doesn't work...
I believe that it's an Installation/Privilege issue, I've already put my WinService to install using LocalSystem privileges but it didn't work as well.
Can you help me?
Thanks in advance!
LocalSystem is a very limited account for network access.
You'll need to set the service account to be something that has the required privileges on the remote machine.
My PC is in Domain A and a remote server in Domain B, I want to restart a service on server from my PC using c# or any other language or script.
Notes:
I am connected to the server via VPN, that means I can manually RDP the server and can manually restart the service.
I am not able to access services on server using connect to other computer under action button from local services window.
I have admin rights to the server.
I can't (not allowed) add any component to server.
I have different set of credentials for Remote machine
You should first try the sc command to make sure you're able to start that service remotely using the current permissions and credentials. If that works, take a look at System.ServiceProcess.ServiceController.
When you say you're an admin on the remote machine, I'm assuming that means you're logging in with different credentials. I don't believe either of those will allow you to use alternate credentials -- i.e., the commands will execute with Domain A privileges and those privileges are most likely insufficient for what you're trying to do.
Can you use a batch file? I usually use something like this:
NET USE \\computername\IPC$ /U:domainname\username password
SC \\computername START service