I'm signing executables through a Windows Service. This service creates a batch-file, in which the actual Sign command is:
cd D:\wmt_sign\Signer\Tools
signtool sign /f "D:\codesign\cert\Certificate.pfx" /p MyPass /t "http://timestamp.digicert.com" /d "zxz" /du "http://www.testurl.com" "D:\codesign\Sign\Request307\filetobesigned.exe">>"D:\codesign\log\signlog\Request\SignLogReport.txt"
When I execute the batch command from the machine directly, no problem, everything works fine
When I execute the Sign command direclty from commanline, no problem everything works
when I execute the batchfile in code (process.startinfo....etc ) the timestamp-url cannot be reached! (error is "The specified timestamp server could not be reached.")
The service runs under Local System Account, there is a firewall, but this one is open for outwards traffic.
I have no clue at all....
The LocalSystem account, by default, does not have any rights to access the network. You should use the Network Service acount instead. Even then, if any of the URLs you are trying to access require authentication, it may stil not work. It that case you may need to create a domain account for the service to run under or impersonate.
Related
I have a windows service written in C#. I want to set the service account to be LocalSystem. The service spawns a process which is a batch file in which Git Authentication is required. If I set the service account as User, it prompts for username and password while installation and the service runs perfectly. But when I register it as LocalSystem account, it fails to do so.
Event Viewer error log is:
Source: Git Credential Manager
Details: System.InvalidOperationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
The reason I want to go with LocalSystem account is I want to avoid any credential pop-up. Any help on how I can install the service without any password pop-up and authenticate git as well as current logged in user?
If you want to avoid a prompt for credentials, you need to set up a credential helper properly. It's likely that you are indeed using one, in this case the Git Credential Manager for Windows, but in this case that requires a UI prompt.
You will first need to make sure the system Git installation does not use a credential helper by typing git config --system --unset credential.helper. Then, configure your service to use an appropriate credential.helper argument when you're invoking your push or fetch command, like so: git -c credential.helper=my-credential-helper push origin main.
You can either write your own credential helper by following the directions in the gitcredentials(7) manual page and specify that name or use a shell command to get it from the environment. For example, if you wanted to push code and read data from the USERNAME and PASSWORD environment variables, then you'd run this command:
$ git -c credential.helper='f() { echo username=$USERNAME; echo password=$PASSWORD; };f' \
push origin main
My goal is to be able to fire off a command without having to be prompted for my password. Is there any way to achieve this from the windows command line? In Linux I feel I could send the password to standard in or something, but I am not sure if I could do this for windows.
Thanks!
There are two ways:
Set environment variable PGPASSWORD e.g. set PGPASSWORD=yoursecretpassword
Use password file %APPDATA%\postgresql\pgpass.conf as described in documentation
Within password file (my location is C:\Users\Grzesiek\AppData\Roaming\postgresql\pgpass.conf) use specified in doc format. For example to connect database postgres as role postgres on local 5432 server add:
localhost:5432:postgres:postgres:12345
I checked this and it works well (for me), but don't use 127.0.0.1).
Another handy option (specially if your PG server runs in your own client machine, and if this does not poses any security problem for you) is to allow login without password in the server ("trust" authentication mode).
For example, this line in pg_hba.conf (in your DATA dir, a typical location: C:\Program Files\PostgreSQL\9.0\data\ ) grants access without password from your local machine.
host all all 127.0.0.1/32 trust
Then, connect with
psql.exe -h 127.0.0.1 -U postgres -w [YOUR_DB_NAME]
I know it is an old question but for anyone looking like I was, it is hard to find a solution for windows. stick this in a .bat file and it will work (at least for me it did). change director to postres directory, set environment variable PGPASSWORD execute copy command to a csv file and then clear environment variable, then go back to root directory.
cd C:\Program Files\PostgreSQL\9.5\bin\
set PGPASSWORD=yourpassword
psql -d databasename -U yourusername -w -c "\COPY (select * from yourtable) TO 'c:/Users/yourdirectory/yourcsvfilename.csv' DELIMITER '|' CSV HEADER;"
set PGPASSWORD=
cd c:\
I realize this question is a bit old now, but I believe there is a better means for secure, password-free PostgreSQL logon on Windows - SSPI.
Create a local or domain user account and PostgreSQL login with the same name.
In pg_ident.conf, create a mapping:
# MAPNAME SYSTEM-USERNAME PG-USERNAME
SSPI username#AUTHORITY loginname
Replace username with the Windows user name (this is the sAMAccountName attribute for domain accounts), and replace AUTHORITY with the computer name or short domain name. If you're not sure what to use for AUTHORITY, check the PostgreSQL log file. For a local account, this will be the computer name; for a domain account, it's probably the short domain name. Lastly, replace loginname with the PostgreSQL login name (to reduce confusion, I would recommend using the same name for both username and loginname).
In pg_hba.conf, allow the logon; e.g.:
# TYPE DATABASE USER ADDRESS METHOD
host all loginname 127.0.0.1/32 sspi map=SSPI
host all loginname ::1/128 sspi map=SSPI
If a domain account, set a SPN for it; e.g.:
setspn -S POSTGRES/serverfqdn username
Now you can log onto Windows using the specified username and run psql.exe, etc. without needing a password.
Steps:
First ENviroment Var PGPASSWORD
C:\Windows\system32>set PGPASSWORD=clave
before
psql -d basededatos -U usuario
Ready,
I got it working in Postgres 15 with:
psql -U postgres -h 127.0.0.1 -p 54322 -f some_file password=postgres
J
If you're able to use Powershell, you can set environment variables inline, similar to bash.
This should work:
$Env:PGPASSWORD='your-pass'; psql -U postgres
Note the semicolon between setting the variable and actual command, this is important since those are inline but two separate commands.
I found another useful solution that worked for me on this link. It basically sets the PGPASSWORD at the beginning of your command like this:
PGPASSWORD=PASSWORD psql YOUR_CODE
I want to get service name inside service. The rough idea is to get process id and compare the process id with services enumerated by WMI, ServiceCotroller or EnumServicesStatusEx() API.
The problem is that the service is running under a domain account (it isn't local administrator). When I want to enumerate the services inside the running service, the running service itself is missing from enumeration!
If I move the service account to local administrator, the running service is found. So it isn't code issue. (If code issue, the behavior should be same: service not found.)
If I extract the logic to a console application (or by powershell) and run application or powershell under service account, the service is found, too. So it isn't permission issue. (If permission issue, the behavior should be same: service not found.)
The service CANNOT be enumerated when the service account IS NOT administrator and INSIDE service. It is very wire issue.
I check documentation for EnumServicesStatusEx from MSDN and find local administrator has extra SC_MANAGER_LOCK than local authenticated user. Is it the reason? But I CANNOT link the lock with service enumeration.
Or somebody please indicate a way to query service name inside the service.
Thanks.
BTW, It is on Windows 2008 R2.
I found a related question: How to get name of windows service from inside the service itself.
the 1st answer is not acceptable for me. I want to provide a common library and has no control to installer.
the 2nd answer is same idea with me. I guess it should be same with my result.
It is a permission issue.
Run psservice from Sysinternals like:
psservice.exe security InstrumentationTestService
and I got the following result:
PsService v2.24 - Service information and configuration utility
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
SERVICE_NAME: InstrumentationTestService
DISPLAY_NAME: InstrumentationTestService
ACCOUNT: LocalSystem
SECURITY:
[ALLOW] NT AUTHORITY\SYSTEM
Query status
Query Config
Interrogate
Enumerate Dependents
Pause/Resume
Start
Stop
User-Defined Control
Read Permissions
[ALLOW] BUILTIN\Administrators
All
[ALLOW] NT AUTHORITY\INTERACTIVE
Query status
Query Config
Interrogate
Enumerate Dependents
User-Defined Control
Read Permissions
[ALLOW] NT AUTHORITY\SERVICE
Query status
Query Config
Interrogate
Enumerate Dependents
User-Defined Control
Read Permissions
It indicates that my service account has no permission to Query the service status.
If I use service account to run powershell/WMI/ServiceController, the service account will turn into a INTERACTIVE user. So it has the permission to query service status.
The solution is to grant the service account Query status permission.
This is not a pure PowerShell answer, but you've got a good tool as far as EXEs,DLLs and SERVICEs are concerned it's TASKLIST.EXE.
Have a look to /FI and /FO. In the following sample I get information for the search service.
tasklist /FI "SERVICES eq WSearch" /FO "CSV"
To integrate it with PowerShell youcan use :
tasklist /FI "SERVICES eq WSearch" /FO "CSV" | ConvertFrom-Csv
I have a Windows service, running using the login localhost\administrator. This service is meant to invoke another executable (MyProcess.exe), which is supposed to write some stuff to a log file. The service uses Process.Start() to create the process, like so:
var p = new Process();
p.StartInfo.FileName = processFileName;
p.StartInfo.Arguments = arg;
p.Start();
Problem is, it appears that MyProcess.exe is being denied rights to write to the log file, even though localhost\administrator unquestionably has rights to the log folder. If I run MyProcess.exe from a command line, it works perfectly.
So, is it possible that the process is being executed using a different user login?
Can you think of any other reason why MyProcess.exe is being denied rights to write the log file?
UPDATE: the log file is being written to the local machine, but using a network address, i.e. \\MyPC\LogFolder. When I change the code to refer to C:\MyFolder, everything works fine. It's obviously having a problem with the network address (even though it's local).
What sharing settings do I need to put on the folder so that the local system account can access the file?
If you are using impersonating, than it impersonates a user that can be the currrent or a specified user. if not it will run under the Local System, with the privileges of the local system.
p.StartInfo.Domain = "UserName";
p.StartInfo.Password = "Passw0rd!";
You can get the username from:
Thread.CurrentPrincipal.Identity.Name
I've worked it out.
The problem, as noted in my update, is that the process was addressing the log folder using a network share address, \\MyPC\LogFolder, and when we switched the configuration so that it wrote instead to c:\Logfolder, it worked fine.
So it seems that when you address a local folder, the localhost\Administrator account is deemed to have sufficient rights. But when you go via the network share, you need to present valid network credentials, and localhost\Administrator just doesn't cut it. If you change to use MYDOMAIN\MyUser, it works even using the network share address.
I'm passing a UNC path to File.GetAttributes(). This works fine when running off my local, but when I move the site to the test server, I get a "Network path not found" error. I am able to navigate to the path from the test server, so I don't know why I would be getting this error. The code is very simple. This is where it errors out:
try
{
if (FileAttributes.Directory != (FileAttributes.Directory & File.GetAttributes(directory)))
directory = GetPath(directory);
}
catch...
Being able to navigate to the share from the server doesn't mean much - remember your application is running under another account, usually whatever the app pool is set to. That account normally does not have access to anything other than the resources in the local machine, because it's not a domain account.
Check what account the app pool is running under. You might have to change that to a domain account on your AD forest to be able to access things on other servers.
Most likely it is "NTLM one hop" issue - credentials of a remote user can't be passed to thrird server.
Machine 1:Browser -(credentials)-> Machine 2:ASP.Net site -(no credentials)-> Machine 3.
Solution is to access "machine 3" under known (i.e. process) account or use Kerberos.