Right now i am using an web application with code to read from and write to the registry. While debugging in Visual studio everything went fine but on the online test server it didn't run. the error exception message i am getting is:
System.Security.SecurityException: Requested registry access is not
allowed.
This is the code i am using:
private RegistryKey GetWritableBaseRegistryKey(string extendedPath)
{
var path = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
return RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Default).OpenSubKey($"{path}\\{extendedPath}", true);
}
The sollutions i found where:
Solution 1
you will not be able to set AppPoolIdentity to a specific group, but
you can
create a local user (compmgmt.msc)
add the user to the administrator group (compmgmt.msc)
Set the application pool to run under that user, under Advanced Settings.
Obviously you know this is a very bad idea from a security
perspective, and should never ever ever be performed on a forward
facing server.
source
Solution 2
Create a separate console application to run the service in admin
modus so you could access the registry. This solution was performance
heavy because you need to run 2 separate applications.
Solution 3
Use this code to allow access to the registry.
RegistryPermission perm1 = new RegistryPermission(RegistryPermissionAccess.AllAccess, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall");
perm1.Demand();
Or this code
RegistrySecurity rs = new RegistrySecurity();
string currentUserStr = Environment.UserDomainName + "\\" + Environment.UserName;
RegistryAccessRule accessRule = new RegistryAccessRule(currentUserStr, RegistryRights.WriteKey | RegistryRights.ReadKey | RegistryRights.Delete | RegistryRights.FullControl, AccessControlType.Allow);
rs.AddAccessRule(accessRule);
But these didn't work on the server however while debugging in visual studio the code ran fine.
In order for the web application to access the registry it must have sufficient permission. Consequently Solution 1 is the only one likely to work. It describes setting the web sites application pool to a user in the local administrators group. Its misses the steps about actually setting your IIS web site to use the newly created App Pool, which is why it might not work for you.
The technical process of reading a restricted registry, especially the application Uninstall registry key, inside a web server is really unlikely to be useful to you. Of what possible use is allowing a web server to access the servers own Application uninstall list going to be ?
I suspect you intend to open that registry key on the client's PC (my speculation) which is not going to be possible.
Related
Im having trouble with writing files to remote directory via network. The following code fails when I try to check if the directory exists:
if (!Directory.Exists(processingPath))
Directory.CreateDirectory(processingPath);
processingPath is composed like
processingPath = xxxObject.serverPath + "processing\\";
xxxObject.serverPath contains something like this
\\machineNetworkName\sharedFolder\
Its working properly, but when many requests are processing (running as tasks asynchronously), it stops working and failing into exception:
System.IO.IOException: The network path was not found.
Could you please help me what could be the problem and why it is failing after some time on network path???
Thanks for your solutions
I got the same error before, it was about authentication problems.
You have to be sure that you set properly the user on IIS, because it use a Default App Pool's identity which can't access to your NFS.
You can also use IIS virtual folders to set the identity.
(on IIS manager, see App Pool settings -> Identity and also virtual folders settings -> identity).
In my case, it worked better by using the Impersonation directly in the code, so I recommend you to use the VladL WrappedImpersonationContext Object: How to provide user name and password when connecting to a network share
Last thing to check, the owner of the files on your NFS server, if they were created under the root user, it might not work.
I had the same problem and solved it. The problem in my code and I see it in yours, too, is that you have the slash at the end of the network path.
Instead of processingPath = xxxObject.serverPath + "processing\\"; write: processingPath = xxxObject.serverPath + "processing";
I work with emergency services and they have an application that uses map files to let them know where they need to go and it uses GPS to let them know where they are. We have to update the map files as things change and before I started here they were being done through VB scripts which started to fail. I decided to code my own app in C# to do this which works fine.
I created a package in SCCM 2012 that caches all of the files locally and then it compares the files in the cache to what is on the machine and then replaces any older files. This all works fine but the application they use called MobileCAD locks the files so I have to kill this process and then do the file copy and start the application again. We never know when an emergency happens so this update may start when they are on the road so it is important that it starts the application again as soon as possible. If it does not start the application then the emergency services people may try to do so manually but if core files are being updated then it may not start or cause issues.
I coded my application which uses an app manifest to force it to run as an administrator for the file copy. This application is run through SCCM which uses the local 'System' account to do all of the work and killing MobileCAD and copying files which works great. What I originally found was that it does start MobileCAD but it does so under the System account and the process would be there but it was not visible. I think this is the same problem they were originally having so the emergency services people would need to reboot the computer and wait for it to log back in and then start the wireless service so they could get back into MobileCAD.
To address this issue I did research and found that I could use the ProcessStartInfo in .NET and force it to use another account. As we use an automatic logon for these machines the users name, password, and domain are all in the registry so it was easy to pull it out and inject it into the code. Awesome, looks like it is easy enough so I code it up and sure enough it works perfectly when run under my admin account. In my basic testing everything worked perfectly until I try the same in SCCM, now it fails with the following error message.
System.ComponentModel.Win32Exception (0x80004005): Access is denied
at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
at System.Diagnostics.Process.Start()
at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
at UpdateFDM.Program.StartProcess(String processName)
I am sorry for all of the words but I believe it helps if you have a good understanding of the issue and what I am trying to do. I have also hard coded the user information into the code instead of pulling it from the registry but I get the same error. Again, this works fine under my admin account but fails when it is pushed through SCCM and it is only launching MobileCAD that fails.
This is the code I am using for launching MobleCAD, do you see where my issue may lie? I know SCCM confuses it but SCCM basically runs things just as you would from the command line but it uses the local System account.
Thanks for any help.
// Declares the new start instance
ProcessStartInfo process = new ProcessStartInfo();
// Gets the process to start
process.FileName = processName;
// Maximizes the process windows at start-up
process.WindowStyle = ProcessWindowStyle.Maximized;
// Gets the user name from the autologon information
process.UserName = GetDefaultUserInfo("DefaultUserName");
// Gets the domain for the user
process.Domain = GetDefaultUserInfo("DefaultDomainName");
// Holds the password for the default user
SecureString password = new SecureString();
// Gets the raw password from the registry
string rawPassword = GetDefaultUserInfo("DefaultPassword");
// Copies the password in a secure string
foreach (char ch in rawPassword)
{
password.AppendChar(ch);
}
// Sets the password
process.Password = password;
// Needed to launch the app as the logged on user
process.LoadUserProfile = true;
process.UseShellExecute = false;
// Starts the process
Process.Start(process);
// Process started, return true
return true;
I have developed a windows service using local system as Account. I have used
network path of file
FileInfo fi = new FileInfo(#"\\epm-server\penDocuments_LabMeds\" + Convert.ToString(dr["mrn"]) + "\\SyncedXML\\" + Convert.ToString(dr["xmlfile"]));
if (!fi.Exists)
boolFileNotFound = true;
A dynamic path of a file that is built from database.
It works fine when I run Windows Service in Debug Mode, but when I install it then fileNotExists returns TRUE always like the file doesnt exist but infact it does exist.
This is bugging me a lot now. Kindly help me why its not working. Its a server path. Its getting opened in my PC.
Thanks
Did you notice the double backslashes in front and after SyncedXML (\\SyncedXML\\)?
This is probably the cause of your error.
Additionally I'd use string.Format in such cases to reduce the inadvertently addition of unwanted characters:
var path = string.Format(#"\\epm-server\penDocuments_LabMeds\{0}\SyncedXML\{1}", dr[mrn], dr[xmlfile]);
var fi = new FileInfo(path);
Edit:
If it's permission-related, then it's very likely that your local system account (in whose context the service is running) isn't allowed to access the epm-server.
The path is accessible if you're opening it directly or if you're running the service in debug mode as this is happening in your user context (e.g. YOURDOMAIN\vickyshazad), and you're allowed to access the ressource, whereas NT AUTHORITY\SYSTEM is not.
It's usually a good practise to have a special service account for your developed windows service and grant this user only and exactly the required permissions (least privilege). Maybe ask your system administrator for a service user.
Local System (NT AUTHORITY\SYSTEM) is a highly privileged account that's not recommended to use in general (see MSDN).
Most services do not need such a high privilege level. If your service does not need these privileges, and it is not an interactive service, consider using the LocalService account or the NetworkService account.
I am trying to write some c# code that writes a new Performance Counter Category if it doesn't exist, and then adds a specific counter. When I run this code from the Visual Studio dev server, everything works fine. When I deploy it to IIS and try it, I get permission errors. I am running Windows 7 and using IIS 7.5.
What I have done so far, some of which is being done out of desperation:
Created a new App Pool that I will run as a specific user
Created a new user and added him to the Process Monitor and Administrator groups
Set the new user as the identity of the new App Pool
Pointed my web service to that App Pool.
Went in to regedit and gave the user full control over HKLM/System/CurrentControlSet (apparently there should be a permissions folder, but I don't see it anywhere).
I know these steps have worked partially, because I am now able to check whether or not a category exists (ASPNET user couldn't even do that). I can check if a category exists, I just cant add a new one.
The error that I get is
Cannot create or delete the Performance Category 'C:\Windows\TEMP\tmp1AA8.tmp' because access is denied.
The code to add the performance counter category is looks like this:
if (!PerformanceCounterCategory.Exists("APIService"))
{
CounterCreationDataCollection counters = new CounterCreationDataCollection();
CounterCreationData counter = new CounterCreationData();
counter.CounterName = "# of operations executed";
counter.CounterHelp = "Operations executed";
counter.CounterType = PerformanceCounterType.RateOfCountsPerSecond32;
counters.Add(counter);
PerformanceCounterCategory.Create("APIService", "Api Counter", PerformanceCounterCategoryType.SingleInstance, counters); // This code blows up
}
I have searched high and low and cant find anyone with the same problem. I have even tried giving Everyone Full Control over c:\windows\temp. Any idea what I might be missing here?
I think I figured out the solution (or rather someone else did, but I can find a link to that forum this morning). Instead of setting the App Pool to run as an admin, I switched it to the Local System user. That seems to have resolved everything, as the user has sufficient rights to write performance metrics and everything else that needs to be done.
I have a project which references another project in order to utilise some portions of code. One of the projects is a console application (that is the project type) but is made up of a significant code-base. The other is a GUI application that references this console application . The reason this is done is so the application can be run either as a console application or a GUI application.
When the GUI application runs it accesses the registry absolutely fine, but when I run the console version, which accesses the exact same code as the GUI application , it fails security-wise to get access to the registry keys. I'm assuming both the GUI and console application would run via the same user.
Here's what's failing (changes made to hide specific details):
String user = Environment.UserDomainName + "\\" + Environment.UserName;
RegistrySecurity rs = new RegistrySecurity();
rs.AddAccessRule(new RegistryAccessRule(user, RegistryRights.ReadKey | RegistryRights.Delete | RegistryRights.WriteKey | RegistryRights.FullControl, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow));
mapsynckey = Registry.LocalMachine.CreateSubKey("SOFTWARE\\AppPath\\AppName\\");
UserName = mapsynckey.GetValue("user").ToString();
Password = mapsynckey.GetValue("pass").ToString();
SyncFolderPath = mapsynckey.GetValue("syncfolderpath").ToString();
Ignore the access rights, I've just been trying every single one hence the random mixture.
The error I receive is as follows:
Access to the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\AppPath\AppName' is denied
Here's the other thing. I can't find the entries anywhere in the registry, not even under the 64-bit section. However, I am loading the registry key details into the application which are shown fine, but if I browse the registry, they're not there.
I'm completely stumped, I've spent the last 3 hours working on this with no clue what's going on.
at ApplicationSettings..ctor() in C:\Projects\MapSync\MapSyncConsole\ApplicationSettings.cs:line 34
at ApplicationSettings.get_Instance() in C:\Projects\MapSync\MapSyncConsole\ApplicationSettings.cs:line 47
at MainApplication..ctor(Boolean forceDownload) in C:\Projects\MapSync\MapSyncConsole\MainApplication.cs:line 27
at MapSyncConsole.Program.Main(String[] args) in C:\Projects\MapSync\MapSyncConsole\Program.cs:line 21
First and foremost: Did you check the (UAC) virtualized registry locations? (See here). Registry uses a similar mechanism as file system for transparent redirection.
Additionally:
which token is your process running under, elevated or not? Assuming you have UAC enabled: Do you start the console app from a elevated prompt (seems not)? I guess you start the UI version by double-clicking?
less probable: does one of the executables have an embedded manifest which manipulates the elevation behavior?
less probable: do the processes (console vs. UI) target different processor architectures?
You can't call CreateSubKey in HKLM without administrator privileges.
You should consider switching to HKCU.