I have an C#, .Net 4.6.1 Windows Forms Application running on Windows Server Platforms (2008 or higher) which requires to be "Run as Administrator". Elevated privileges are required because the application changes User Access Rights on various folders (underneath the IIS Default Web Site Root if that matters).
I have no luck in detecting if the application has been "Run as Administrator". If I start the application normally (that is not as Administrator) the following code
var isAdmin = WindowsIdentity.GetCurrent().Owner.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid);
returns true but the code which changes some User Access Rights on a Directory fails with a Insufficient Privileges Error.
If I run the application as administrator the above check also returns true, but the changing of User Access rights works just fine.
Other attempts I have made without success:
Using the GetTokenInformation method inside the advapi32.dll as suggested here
Adding a manifest file to the application where I set the requestedExecutionLevel to requireAdministrator
Thanks in advance for any help.
The following must work (I hope so; I have a Windows client and it's working with me).
var Identity = WindowsIdentity.GetCurrent();
var Principal = new WindowsPrincipal(Identity);
bool IsAdmin = Principal.IsInRole(WindowsBuiltInRole.Administrator);
Try to change the permissions of a known folder and if there is an exception then you know the program has not been run as administrator.
Related
I'm trying to open some .net core apps (with admin rights in app.manifest) as admin from an automatic .Net windows service that runs on startup.
When I simply login and run the service it works fine, but if I set the service to automatically run on startup then it gets the following error on my logs when I restart to test it: "Error: The requested operation requires elevation", this occurs after running
myProcess.StartAsActiveUser()
as an exception of a try catch.
I added the admin rights on the app.manifest, used the verb runas and turned the UseShellExecute to true... And when i log the
principal.IsInRole(WindowsBuiltInRole.Administrator);
at the service startup, it is set to true so the actual user has admin role...
Any Idea of how to get it to work as admin on automatic startup?
I'm trying to start a few applications for the current user only when Windows starts up.
I can accomplish this with the following:
RegistryKey oKey = Registry.CurrentUser.OpenSubKey("Software", true);
oKey = oKey.OpenSubKey("Microsoft", true);
oKey = oKey.OpenSubKey("Windows", true);
oKey = oKey.OpenSubKey("CurrentVersion", true);
oKey = oKey.OpenSubKey("Run", true);
oKey.SetValue("Application 1", "C:\\path\\to\\ap1.exe");
oKey.SetValue("Application 2", "C:\\path\\to\\ap2.exe");
But I'm trying to run this as part of a Visual Studio Installer Project. I've added my custom action, the program starts like it should, and the installer works great in XP.
In Windows 7, the installer gets elevated privileges, and does everything but insert the entries into the registry for the current user. How ever, it does insert the registry entries when ran as a standalone application (outside of the installer project) and it does not get elevated privileges.
The only thing I can figure is that with the elevated privileges, it's trying to insert the entries into the Administrators account instead of the current user? or is there something else I'm missing? and is there another way I can achieve my goal here?
Is there a reason to not use the startup folder for the user?
More than likely the problem is the user the installer is executing under. If the user isn't the admin the elevated installer will run under the context of the user who elevated the process.
It would be a safer choice to add your application to the startup folder or to add the registry key on first launch.
If the installer is getting elevated permissions, why write the setting to HKCU? Write it to HKLM instead. It will then take effect for all users.
I have a windows service project implementation that I am trying to install as network service.
process = new ServiceProcessInstaller();
process.Account = ServiceAccount.NetworkService;
however whenever I try to start the service I get :
System error 5 has occurred.
Access is denied.
This comes after running the net start MyService command in the visual studio command prompt which is running as administrator by the way.
Any help on how to get this to work? Thanks.
I would check that the Network Service account has permissions to execute. Steps to check:
In Windows explorer go to the folder containing the binaries of the service
Right-click on the folder > Properties > Security tab > Edit button
Add > "NETWORK SERVICE" > OK
Give it full control (just to test and then reduce permissions till it working)
Your Net Start MyService is probably not running with escalated privileges. Your command requires (I believe) Administrative Privileges.
Update
Not sure why, but your privileges on your service are weird. By default privileges of services should look like:
D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
ACE Type: ACCESS_ALLOWED_ACE_TYPE
Trustee: NT AUTHORITY\SYSTEM
AccessMask:
ADS_RIGHT_DELETE
ADS_RIGHT_READ_CONTROL
ADS_RIGHT_WRITE_DAC
ADS_RIGHT_WRITE_OWNER
ADS_RIGHT_DS_CREATE_CHILD
ADS_RIGHT_DS_DELETE_CHILD
ADS_RIGHT_ACTRL_DS_LIST
ADS_RIGHT_DS_SELF
ADS_RIGHT_DS_READ_PROP
ADS_RIGHT_DS_WRITE_PROP
ADS_RIGHT_DS_DELETE_TREE
ADS_RIGHT_DS_LIST_OBJECT
ADS_RIGHT_DS_CONTROL_ACCESS
However your's looks like:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)
ACE Type: ACCESS_ALLOWED_ACE_TYPE
Trustee: NT AUTHORITY\SYSTEM
AccessMask:
ADS_RIGHT_READ_CONTROL
ADS_RIGHT_DS_CREATE_CHILD
ADS_RIGHT_ACTRL_DS_LIST
ADS_RIGHT_DS_SELF
ADS_RIGHT_DS_READ_PROP
ADS_RIGHT_DS_WRITE_PROP
ADS_RIGHT_DS_DELETE_TREE
ADS_RIGHT_DS_LIST_OBJECT
ADS_RIGHT_DS_CONTROL_ACCESS
I'm not sure exactly how that came to be. Try uninstalling and reinstalling?
You can download SddlParse (google it :) to parse out the Security Descriptor Definition Language.
The "Access denied" message applies to the user trying to start the service, not the account in which the service is run.
Can you start the service from:
the Services Control Panel applet?
an elevated command prompt you started yourself (not from Visual Studio)?
I am using Visual Studio 2008 and .NetFramework 3.5.
I developed one windows service application in c# using FileSystemWatcher. The main goal of this project is watch an Folder and need to write the modification status in a text file (FolderWatchLog.txt). That text file appeared on another folder.
In ServiceInstaller I specified the StartType=Manual and in ServiceProcessInstaller I specified Account=LocalSystem property.
The issue is, in my pc (Microsoft Windows XP Professional Version 2002 Service Pack 2), I have 2 users. 1 user has ADMIN permission and the 2nd user has LIMITED permission. I developed this applicaion in ADMIN power user and installed (installutil FolderWath.exe). I can start or stop perfectly. But if I logged in the 2nd user (LIMITED permission user), then I CAN'T start or stop the service. I got the error message Could not start the FolderWatch service on LocalComputer. Error 5: Access is Denied. So, I changed the ServiceProcessInstaller Account property. But at that time I got another error in both ADMIN & LIMITED permission users. That error message was FolderWatchLog.txt Access is Denied.
My requirement is this FolderWatch service need to has full access permission for all type of users.
I'm able to successfully uninstall a third-party application via the command line and via a custom Inno Setup installer.
Command line Execution:
MSIEXEC.exe /x {14D74337-01C2-4F8F-B44B-67FC613E5B1F} /qn
Inno Setup Command:
[Run]
Filename: msiexec.exe; Flags: runhidden waituntilterminated;
Parameters: "/x {{14D74337-01C2-4F8F-B44B-67FC613E5B1F} /qn";
StatusMsg: "Uninstalling Service...";
I am also able to uninstall the application programmatically when executing the following C# code in debug mode.
C# Code:
string fileName = "MSIEXEC.exe";
string arguments = "/x {14D74337-01C2-4F8F-B44B-67FC613E5B1F} /qn";
ProcessStartInfo psi = new ProcessStartInfo(fileName, arguments)
{
CreateNoWindow = true,
UseShellExecute = false,
RedirectStandardOutput = true
};
Process process = Process.Start(psi);
string errorMsg = process.StandardOutput.ReadToEnd();
process.WaitForExit();
The same C# code, however, produces the following failure output when run as a compiled, deployed Windows Service:
"This action is only valid for products that are currently installed."
Additional Comments:
The Windows Service which is issuing
the uninstall command is running on
the same machine as the code being
tested in Debug Mode. The Windows
Service is running/logged on as the
Local system account.
I have consulted my application logs
and I have validated that the
executed command arguments are thhe
same in both debug and release mode.
I have consulted the Event Viewer
but it doesn't offer any clues.
Thoughts? Any help would be greatly appreciated. Thanks.
Step 1: Check the MSI error log files
I'm suspicious that your problem is due to running as LocalSystem.
The Local System account is not the same as a normal user account which happens to have admin rights. It has no access to the network, and its interaction with the registry and file system is quite different.
From memory any requests to read/write to your 'home directory' or HKCU under the registry actually go into either the default user profile, or in the case of temp dirs, c:\windows\temp
I've come across similar problems in the past with installation, a customer was using the SYSTEM account to install and this was causing all sorts of permission problems for non-administrative users.
MSI log files aren't really going to help if the application doesn't appear "installed", I'd suggest starting with capturing the output of MSIINV.EXE under the system account, that will get you an "Inventory" of the currently installed programs (or what that user sees installed) http://blogs.msdn.com/brada/archive/2005/06/24/432209.aspx
I think you probably need to go back to the drawing board and see if you really need the windows service to do the uninstall. You'll probably come across all sorts of Vista UAC issues if you haven't already...
Thanks to those offering help. This appears to be a permissions issue. I have updated my service to run under an Administrator account and it was able to successfully uninstall the third-party application. To Orion's point, though the Local System account is a powerful account that has full access to the system -- http://technet.microsoft.com/en-us/library/cc782435.aspx -- it doesn't seem to have the necessary rights to perform the uninstall.
[See additional comments for full story regarding the LocalSystem being able to uninstall application for which it installed.]
This is bizarre. LocalSystem definitely has the privileges to install applications (that's how Windows Update and software deployment in Active Directory work), so it should be able to uninstall as well.
Perhaps the application is initially installed per-user instead of per-machine?
#Paul Lalonde
The app's installer is wrapped within a custom InnoSetup Installer. The InnoSetup installer, in turn, is manually executed by the logged in user. That said, the uninstall is trigged by a service running under the Local System account.
Apparently, you were on to something. I put together a quick test which had the service running under the LocalSystem account install as well as uninstall the application and everything worked flawlessly. You were correct. The LocalSystem account has required uninstall permissions for applications in which it installs. You saved the day. Thanks for the feedback!