Right now I am using a web application with code to read from and write to the registry. While debugging in Visual Studio everything went fine, but on the online test server it didn't run. The exception message I am getting is:
System.Security.SecurityException: Requested registry access is not allowed.
This is the code I am using:
private RegistryKey GetWritableBaseRegistryKey(string extendedPath)
{
    var path = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
    return RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Default).OpenSubKey($"{path}\\{extendedPath}", true);
}
The solutions I found were:
Solution 1
You will not be able to set AppPoolIdentity to a specific group, but you can:
create a local user (compmgmt.msc)
add the user to the administrator group (compmgmt.msc)
Set the application pool to run under that user, under Advanced Settings.
Obviously you know this is a very bad idea from a security perspective, and should never ever ever be performed on a forward facing server.
source
Solution 2
Create a separate console application to run the service in admin mode so you could access the registry. This solution was performance heavy because you need to run 2 separate applications.
Solution 3
Use this code to allow access to the registry.
RegistryPermission perm1 = new RegistryPermission(RegistryPermissionAccess.AllAccess, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall");
perm1.Demand();
Or this code
RegistrySecurity rs = new RegistrySecurity();
string currentUserStr = Environment.UserDomainName + "\\" + Environment.UserName;
RegistryAccessRule accessRule = new RegistryAccessRule(currentUserStr, RegistryRights.WriteKey | RegistryRights.ReadKey | RegistryRights.Delete | RegistryRights.FullControl, AccessControlType.Allow);
rs.AddAccessRule(accessRule);
But these didn't work on the server, although the code ran fine while debugging in Visual Studio.
In order for the web application to access the registry it must have sufficient permission. Consequently Solution 1 is the only one likely to work. It describes setting the web site's application pool to a user in the local administrators group. It misses the steps about actually setting your IIS web site to use the newly created App Pool, which is why it might not work for you.
The technical process of reading a restricted registry, especially the application Uninstall registry key, inside a web server is really unlikely to be useful to you. Of what possible use is allowing a web server to access the server's own Application uninstall list going to be?
I suspect you intend to open that registry key on the client's PC (my speculation) which is not going to be possible.
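As an added example (not code from the question or the answer): when a site only needs its own registry key, a deployment step run elevated can grant the app pool's virtual account rights on that one key, so the pool itself never joins the administrators group. The key path and pool name below are assumptions made for illustration.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

static class GrantAppPoolRegistryAccess
{
    // Assumptions for illustration (not from the post): key path and pool name.
    const string KeyPath = @"SOFTWARE\ExampleCompany\ExampleWebApp";
    const string AppPoolAccount = @"IIS AppPool\ExampleAppPool";

    // Run once from an elevated deployment step; the site keeps running
    // under its ordinary, non-administrator app pool identity.
    static void Main()
    {
        using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Default))
        {
            // Create the application's own key if it does not exist yet.
            using (hklm.CreateSubKey(KeyPath)) { }

            // Reopen with the rights needed to read and change the key's ACL.
            using (var key = hklm.OpenSubKey(KeyPath,
                       RegistryKeyPermissionCheck.ReadWriteSubTree,
                       RegistryRights.ReadPermissions | RegistryRights.ChangePermissions))
            {
                RegistrySecurity acl = key.GetAccessControl();

                // Only what the site needs on this key: read, set values, create subkeys.
                acl.AddAccessRule(new RegistryAccessRule(
                    new NTAccount(AppPoolAccount),
                    RegistryRights.ReadKey | RegistryRights.SetValue | RegistryRights.CreateSubKey,
                    InheritanceFlags.ContainerInherit,
                    PropagationFlags.None,
                    AccessControlType.Allow));

                // Building a RegistrySecurity object changes nothing by itself;
                // the rule takes effect only once it is written back to the key.
                key.SetAccessControl(acl);
                Console.WriteLine("Granted {0} access to HKLM\\{1}", AppPoolAccount, KeyPath);
            }
        }
    }
}
```

After this runs, the web application can open the key with OpenSubKey(KeyPath, true) under its normal identity.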
I'm having trouble writing files to a remote directory via the network. The following code fails when I try to check if the directory exists:
if (!Directory.Exists(processingPath))
    Directory.CreateDirectory(processingPath);
processingPath is composed like
processingPath = xxxObject.serverPath + "processing\\";
xxxObject.serverPath contains something like this
\\machineNetworkName\sharedFolder\
It's working properly, but when many requests are being processed (running as tasks asynchronously), it stops working and fails with this exception:
System.IO.IOException: The network path was not found.
Could you please help me understand what the problem could be and why it fails after some time on the network path?
Thanks for your solutions
I got the same error before, it was about authentication problems.
You have to be sure that you set the user properly on IIS, because it uses the Default App Pool's identity, which can't access your NFS.
You can also use IIS virtual folders to set the identity.
(on IIS manager, see App Pool settings -> Identity and also virtual folders settings -> identity).
In my case, it worked better by using impersonation directly in the code, so I recommend you use VladL's WrappedImpersonationContext object: How to provide user name and password when connecting to a network share
Last thing to check: the owner of the files on your NFS server. If they were created under the root user, it might not work.
I had the same problem and solved it. The problem in my code and I see it in yours, too, is that you have the slash at the end of the network path.
Instead of processingPath = xxxObject.serverPath + "processing\\"; write: processingPath = xxxObject.serverPath + "processing";
I got into a not very good situation. When the web application starts, I set up different routes for my services so that tenants of my multi-user app connect to:
private static void RegisterRoutes()
{
    // Setup URL's for each customer
    using (var cmc = new CoreModelContext())
    {
        foreach (var account in cmc.Accounts.Where(aa => aa.IsActive).ToList())
        {
            RouteTable.Routes.Add(
                new ServiceRoute(account.AccountId + "/mobile",
                    new MyServiceHostFactory(), typeof(MobileService)));
        }
    }
}
So, when my site/service starts - it grabs all accounts from the database and sets up the routes.
This is a single point of failure right there. Sometimes servers are rebooted in the wrong order, and if SQL Server has not started, this service starts in "weird" mode.
Today the web service stopped responding. I checked the logs - IIS recycled the pool as scheduled (default settings) and started a different worker process. Something didn't click and boom - the server stopped responding. Routes weren't registered...
So, my question is: how to fix it the best way? I can put the routes in a config file, but that will mean I have to maintain those IDs in 2 places. Probably not that bad, but I'd rather do it differently if possible.
Is it possible to programmatically try to restart the pool? What happens when an exception is thrown in Application_Start? Right now I'm not trapping it.
Not sure if this is a "fix" but when we've got similar dependency issues, we make sure the other dependencies cannot successfully start in "weird" mode. In this case, I would bring the app down hard if the SQL Server isn't available, at least in production. Far better to have nothing being processed than have things being processed wrong.
I'm getting this error when I try to start a windows service I've created in C#:
My Code so far:
private ServiceHost host = null;
public RightAccessHost()
{
    InitializeComponent();
}
protected override void OnStart(string[] args)
{
    host = new ServiceHost(typeof(RightAccessWcf));
    host.Open();
}
protected override void OnStop()
{
    if (host != null)
        host.Close();
    host = null;
}
Update #1
I solved the issue above by granting permissions to the account NETWORK SERVICE, but now I have another problem:
Update #2
Service cannot be started. System.InvalidOperationException: Service 'RightAccessManagementWcf.RightAccessWcf' has zero application (non-infrastructure) endpoints. This might be because no configuration file was found for your application, or because no service element matching the service name could be found in the configuration file, or because no endpoints were defined in the service element.
at System.ServiceModel.Description.DispatcherBuilder.EnsureThereAreNonMexEndpoints(ServiceDescription description)
at System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost)
at System.ServiceModel.ServiceHostBase.InitializeRuntime()
at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at RightAccessHosting.RightAccessHost.OnStart(String[] args) in C:\Users....
I realize this post is old, but there's no marked solution and I just wanted to throw in how I resolved this.
The first Error 5: Access Denied error was resolved by giving permissions to the output directory to the NETWORK SERVICE account.
The second Started and then stopped error seems to be a generic message when something faulted the service. Check the Event Viewer (specifically the 'Windows Logs > Application') for the real error message.
In my case, it was a bad service configuration setting in app.config.
Computer -> Manage -> Service -> [your service] properties.
Then the tab with the account information. Play with those settings, like running the service with an administrator account or so.
That did it for me.
EDIT:
What can also be the problem is that most services are run as LOCAL SERVICE or LOCAL SYSTEM accounts. Now when you run C:/my-admin-dir/service.exe with those accounts but they are not allowed to execute anything in that directory, you will get error 5. So locate the executable of the service, RMB the directory -> Properties -> Security and make sure that the account the service is run with is in the list of users that are allowed to have full control over the directory.
This worked for me.
Right-click on top-level folder containing the service executable. Go to Properties
Go to "Security" Tab
Click "EDIT"
Click "ADD"
Enter the name "SYSTEM", click OK
Highlight SYSTEM user, and click ALLOW check-box next to "Full control"
Click OK twice
Make sure the Path to executable points to an actual executable (Right click service -> Properties -> General tab).
Via powershell (and sc.exe) you can install a service without pointing it to an actual executable... ahem.
I also got the same error. It was resolved by:
Right click on Service > Properties > Log On > Log on as: Local System Account.
I was getting this error because I misread the accepted answer from here: Create Windows service from executable.
sc.exe create <new_service_name> binPath= "<path_to_the_service_executable>"
For <path_to_service_executable>, I was using the path of the executable's folder, e.g. C:\Folder.
It needs to be the path of the executable, e.g. C:\Folder\Executable.exe.
I got the solution:
1. Go to the local services window (where all services are found)
2. Right click on your service name
3. Click on "Properties"
4. Go to the "Log On" tab
5. Select "Local System account"
6. Click "OK"
Now you can try to start the service.
In my case the following was not checked.
If you are having an access denied error (code 5), then probably your service is trying to interact with some files in the system, like writing to a log file.
Open the service's properties, select the Log On tab and check the option to allow the service to interact with the desktop.
For me - the folder from which the service was to run, and the files in it, were encrypted using the Windows "Encrypt" option. Removing that and - voila!
This error happens when there is an error in your OnStart method. You cannot open a host directly in the OnStart method because it will not actually open when it is called, but instead it will wait for the control. So you have to use a thread. This is my example.
public partial class Service1 : ServiceBase
{
    ServiceHost host;
    Thread hostThread;
    public Service1()
    {
        InitializeComponent();
        hostThread = new Thread(new ThreadStart(StartHosting));
    }
    protected override void OnStart(string[] args)
    {
        hostThread.Start();
    }
    protected void StartHosting()
    {
        host = new ServiceHost(typeof(WCFAuth.Service.AuthService));
        host.Open();
    }
    protected override void OnStop()
    {
        if (host != null)
            host.Close();
    }
}
I had windows service hosted using OWIN and TopShelf.
I was not able to start it. Same error - "Access denied 5"
I ended up giving all the perms to my bin/Debug.
The issue was still not resolved.
So I had a look in the event logs and it turned out that the Microsoft.Owin.Host.HttpListener was not included in the class library containing the OWIN start up class.
So, please make sure you check the event log to identify the root cause before beginning to get into perms, etc.
In my case, I had to add 'Authenticated Users' in the list of 'Group or User Names' in the folder where the executable was installed.
One of the causes for this error is insufficient permissions (Authenticated Users) in your local folder.
To give permission for 'Authenticated Users'
Open the security tab in properties of your folder, Edit and Add 'Authenticated Users' group and Apply changes.
Once this was done I was able to run services even through network service account (before this I was only able to run with Local system account).
Right click on the service in service.msc and select property.
You will see a folder path under Path to executable like C:\Users\Me\Desktop\project\Tor\Tor\tor.exe
Navigate to C:\Users\Me\Desktop\project\Tor and right click on Tor.
Select property, security, edit and then add.
In the text field enter LOCAL SERVICE, click ok and then check the box FULL CONTROL
Click on add again then enter NETWORK SERVICE, click ok, check the box FULL CONTROL
Then click ok (at the bottom)
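The folder permissions discussed in the answers above can be checked after any such change. This added example (not from any of the answers) lists Allow rules on a service folder that give broad or shared principals write-type rights, since an account that can write there can replace the executable the service runs. A service account normally needs only read and execute on its binaries; the default folder path is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class ServiceFolderAclAudit
{
    // Rights that let a principal replace or tamper with the service binary.
    const FileSystemRights WriteLike =
        FileSystemRights.WriteData | FileSystemRights.AppendData |
        FileSystemRights.Delete | FileSystemRights.DeleteSubdirectoriesAndFiles |
        FileSystemRights.ChangePermissions | FileSystemRights.TakeOwnership;

    // Broad groups and shared service accounts named in the answers above.
    static readonly WellKnownSidType[] Shared =
    {
        WellKnownSidType.WorldSid, WellKnownSidType.AuthenticatedUserSid,
        WellKnownSidType.BuiltinUsersSid, WellKnownSidType.LocalServiceSid,
        WellKnownSidType.NetworkServiceSid
    };

    public static List<string> FindRiskyRules(string serviceFolder)
    {
        var shared = new HashSet<SecurityIdentifier>();
        foreach (var type in Shared) shared.Add(new SecurityIdentifier(type, null));

        var findings = new List<string>();
        DirectorySecurity acl = new DirectoryInfo(serviceFolder).GetAccessControl();
        // Include explicit and inherited rules, identified by SID.
        foreach (FileSystemAccessRule rule in
                 acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            var sid = (SecurityIdentifier)rule.IdentityReference;
            if (rule.AccessControlType == AccessControlType.Allow &&
                shared.Contains(sid) &&
                (rule.FileSystemRights & WriteLike) != 0)
            {
                findings.Add(string.Format("{0}: {1}{2}", Name(sid),
                    rule.FileSystemRights, rule.IsInherited ? " (inherited)" : ""));
            }
        }
        return findings;
    }

    static string Name(SecurityIdentifier sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return sid.Value; }
    }

    static void Main(string[] args)
    {
        // Placeholder default; pass the folder shown under "Path to executable".
        string folder = args.Length > 0 ? args[0] : @"C:\Services\ExampleService";
        List<string> findings = FindRiskyRules(folder);
        foreach (string f in findings) Console.WriteLine("WRITABLE by " + f);
        Environment.ExitCode = findings.Count == 0 ? 0 : 1;
    }
}
```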
Your code may be running in the security context of a user that is not allowed to start a service.
Since you are using WCF, I am guessing that you are in the context of NETWORK SERVICE.
see: http://support.microsoft.com/kb/256299
I have monitored sppsvc.exe using process monitor and found out that it was trying to write to the HKEY_LOCAL_MACHINE\SYSTEM\WPA key. After giving permissions to NETWORK SERVICE on this key, I was able to start the service and Windows suddenly recognized that it was activated again.
Use LocalSystem Account instead of LocalService Account in Service Installer.
You can do this either by making the change below in the design view of your service installer:
Properties of Service Process Installer -> Set Account to LocalSystem.
or by making the change below in the designer.cs file of your service installer:
this.serviceProcessInstaller1.Account = System.ServiceProcess.ServiceAccount.LocalSystem;
Have a look at Process Utilities > Process monitor from http://www.sysinternals.com.
This is a tool that allows you to monitor what a process does. If you monitor this service process, you should see an access denied somewhere, and on what resource the access denied is given.
For the error 5, I did the opposite to the solution above.
"The first Error 5: Access Denied error was resolved by giving permissions to the output directory to the NETWORK SERVICE account."
I changed mine to local account, instead of network service account, and because I was logged in as administrator it worked.
If you are getting this error on a server machine, try giving access to the folder where you have the real Windows service exe. You should go to the Security tab, select Local Service as the user and give full access. You should do the same for the exe too.
I accidentally set my service to run as Local Service; the solution was to switch to Local System.
After banging my head against my desk for a few hours trying to figure this out, somehow my "Main" method got emptied of its code!
ServiceBase[] ServicesToRun;
ServicesToRun = new ServiceBase[]
{
    new DMTestService()
};
ServiceBase.Run(ServicesToRun);
Other solutions I found:
Updating the .NET framework to 4.0
Making sure the service name inside the InitializeComponent() matches the installer service name property
private void InitializeComponent()
...
this.ServiceName = "DMTestService";
And a nice server restart doesn't hurt
Szhlopp
In my case the system ran out of free space on the local disk.
I had this issue today on a service that I was developing, and none of the other suggestions on this question worked. In my case, I had a missing .dll dependency in the folder where the service ran from.
When I added the dependencies, the issue went away.
In my case I kept the project on the desktop, and to access the desktop we need to add permission to the folder, so I simply moved my project folder to the C:\ directory. Now it's working like a charm.
I don't know if my answer would make sense to many, but I too faced the same issue and the solution was outrageously simple. All I had to do was to open the program which I used to run the code as an administrator. (right-click --> Run as Administrator).
That was all.
Check the Windows event log for a detailed error message. I resolved the same after checking the event log.
All other answers talk about permissions issues - which make sense, given that's what the error message refers to.
However, in my case, it was caused by a simple exception in my service code (System.IndexOutOfRangeException, but it could be anything).
Hence, when this error occurs, one should look inside their log and look for exceptions.
I had this issue on a service that I was deploying, and none of the other suggestions on this question worked. In my case, it was because my .config (xml) wasn't valid. I made a copy and paste error when copying from qualif to prod.
SUMMARY: How to configure a web service such that writing to the Event Log is always possible (regardless of caller)?
DETAILS:
I have a web service which writes an entry to the Application Log. I established the event source for this by means of a little console application and I think I understand that part of things. When I test this WS, I see I am successfully writing my entry to the Event log.
The virtual directory which hosts this WS does NOT allow anonymous access and is configured for Integrated Windows Auth only.
I have a web client application that calls this Webservice. When the web client site is configured for Integrated Windows Auth only, calls to the Webservice result in logging as desired.
Yet, if I change the web client site to allow anonymous access then the Webservice attempt to log results in an InvalidOperationException. I ignore it but it would be nice to know how to get logging in the webservice regardless of how it is called. Here is a bit of my code:
public FileService()
{
    try
    {
        if (!EventLog.SourceExists(g_EventSource))
            EventLog.CreateEventSource(g_EventSource, g_EventLog);
        System.Security.Principal.WindowsIdentity UserIdentityInfo;
        UserIdentityInfo = System.Security.Principal.WindowsIdentity.GetCurrent();
        string AuthType = UserIdentityInfo.AuthenticationType;
        if (AuthType == "Kerberos")
        { engineWSE.Credentials = System.Net.CredentialCache.DefaultCredentials; }
        else
        { engineWSE.Credentials = new System.Net.NetworkCredential("u", "p", "domain"); }
        EventLog.WriteEntry(g_EventSource,
            "Caller: " + UserIdentityInfo.Name +
            " AuthType: " + UserIdentityInfo.AuthenticationType,
            EventLogEntryType.Information, 1);
    }
    catch (InvalidOperationException e)
    {
        // do nothing to ignore: "Cannot open log for source 'myAppSourceName'. You may not have write access."
    }
}
The example in the constructor above is sort of contrived for here (I am mainly interested in being able to write out info related to errors in the web service).
I hope there is a way to configure the web service virtual directory (or the code within) so that logging is possible regardless of how it got called.
Network Service is allowed to write to the Event Log, but not create an event source. You could give permissions to HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\ to allow it to create - but if you've already created it at install time, there's no need.
It's possible that it's failing on the SourceExists as well - since that requires enumerating the same registry key. I'd probably just remove the SourceExists/Create check and trust that it's there - if you're anonymous, you can't create it anyway.
You should also check your web.config.
If IIS is set to anonymous and web.config is set to windows / impersonate, then it will be the anonymous IIS user that is trying to write to the event log.
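The split suggested in the answers above, as an added example that is not code from the question or its answers: the event source is registered once by an elevated installer, and the web service only writes, recording which Windows identity was refused when a write fails. The source name is an assumption, and Trace stands in for whatever fallback sink the service has.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Security;
using System.Security.Principal;

public static class ServiceEventLog
{
    // Assumed names for illustration; use the source your installer registers.
    public const string Source = "ExampleFileService";
    public const string LogName = "Application";

    // Install time only: run from an elevated console or installer, because
    // creating a source writes under HKLM\SYSTEM\CurrentControlSet\Services\Eventlog.
    public static void RegisterSource()
    {
        if (!EventLog.SourceExists(Source))
            EventLog.CreateEventSource(Source, LogName);
    }

    // Runtime: no SourceExists/CreateEventSource here. The web service only
    // writes, which does not require rights to enumerate or create sources.
    public static bool TryWrite(string message, EventLogEntryType type, int eventId)
    {
        try
        {
            EventLog.WriteEntry(Source, message, type, eventId);
            return true;
        }
        catch (Exception ex) when (ex is InvalidOperationException ||
                                   ex is SecurityException ||
                                   ex is Win32Exception)
        {
            // Do not swallow silently: record which identity was refused, so an
            // anonymous or impersonated caller shows up in the fallback trace.
            string identity;
            using (WindowsIdentity current = WindowsIdentity.GetCurrent())
                identity = current.Name;
            Trace.TraceWarning("Event log write failed for '{0}' as '{1}': {2}",
                Source, identity, ex.Message);
            return false;
        }
    }
}
```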