I have a C# exe that needs to be run using WMI and access a network share. However, when I access the share I get an UnauthorizedAccessException. If I run the exe directly the share is accessible. I am using the same user account in both cases.
There are two parts to my application, a GUI client that runs on a local PC and a backend process that runs on a remote PC. When the client needs to connect to the backend it first launches the remote process using WMI (code reproduced below). The remote process does a number of things including accessing a network share using Directory.GetDirectories() and reports back to the client.
When the remote process is launched automatically by the client using WMI, it cannot access the network share. However, if I connect to the remote machine using Remote Desktop and manually launch the backend process, access to the network share succeeds.
The user specifed in the WMI call and the user logged in for the Remote Desktop session are the same, so the permissions should be the same, shouldn't they?
I see in the MSDN entry for Directory.Exists() it states "The Exists method does not perform network authentication. If you query an existing network share without being pre-authenticated, the Exists method will return false." I assume this is related? How can I ensure the user is authenticated correctly in a WMI session?
ConnectionOptions opts = new ConnectionOptions();
opts.Username = username;
opts.Password = password;
ManagementPath path = new ManagementPath(string.Format("\\\\{0}\\root\\cimv2:Win32_Process", remoteHost));
ManagementScope scope = new ManagementScope(path, opts);
scope.Connect();
ObjectGetOptions getOpts = new ObjectGetOptions();
using (ManagementClass mngClass = new ManagementClass(scope, path, getOpts))
{
ManagementBaseObject inParams = mngClass.GetMethodParameters("Create");
inParams["CommandLine"] = commandLine;
ManagementBaseObject outParams = mngClass.InvokeMethod("Create", inParams, null);
}
Having followed the link suggested by Isalamon above (thanks) I followed Jestro's advice and have rewritten using psexec.exe (which can be downloaded from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) instead of WMI. It feels like a bit of a kludge to do it this way, but it seems to work.
New code for anyone who is experiencing similar problems:
Process proc = new Process();
proc.StartInfo.FileName = "PsExec.exe";
proc.StartInfo.Arguments = string.Format("\\\\{0} -d -u {1}\\{2} -p {3} {4}",
remoteHost,
domain,
username,
password,
commandLine);
proc.StartInfo.CreateNoWindow = true;
proc.StartInfo.UseShellExecute = false;
proc.Start();
WMI just uses impersonation when executing the remote process, which does not give you network access. If you are ok going outside managed code, you can just map a UNC path in the remote process WMI started using whatever credentials you want. Then, you have the network access you want. I use NetUseAdd and NetUseDel from netapi32.dll to map the UNC path. See http://pinvoke.net/ for details on the using the APIs.
I know you've sorted it by using PSEXEC, which is a fantastic program, but if you did want to go back to WMI, have you tried enabling the following in your ConnectionOptions:
The flag EnablePrivileges
setting the Impersonation to ImpersonationLevel.Impersonate
Which does the following:
Gets or sets a value indicating whether user privileges need to be
enabled for the connection operation. This property should only be
used when the operation performed requires a certain user privilege to
be enabled (for example, a machine restart).
http://msdn.microsoft.com/en-us/library/system.management.connectionoptions.enableprivileges.aspx
Gets or sets the COM impersonation level to be used for operations in this connection.
http://msdn.microsoft.com/en-us/library/system.management.connectionoptions.impersonation.aspx
I think they should tell your WMI to actually allow the program to have the correct credentials and thus access your network share
You can write all you commands to batch file to the remote machine which includes net use (no need to use a drive letter) to do an authentication. Works fine that way. I am still working on an alternative.
Related
I have the following function for connecting to a remote client machine and running an executable on it.
I copied it from a response on this site, but don't have the link anymore, so I'm not sure who to give credit to.
public static void ConnectToRemoteClient(string client_machine, string user, string password, string target_exe )
{
var connection = new ConnectionOptions();
// The '.\' is for a local user on the remote machine
// or 'mydomain\user' for a domain user
connection.Username = user;
connection.Password = password;
object[] theProcessToRun = { target_exe };
var wmiScope = new ManagementScope($#"\\{client_machine}\root\cimv2", connection);
wmiScope.Connect();
using (var managementClass = new ManagementClass(wmiScope, new ManagementPath("Win32_Process"), new ObjectGetOptions()))
{
managementClass.InvokeMethod("Create", theProcessToRun );
}
}
It is called using the following syntax:
string exe = string.Format("taskkill.exe {0} {1}", #"/F", #"/PID 8704");
ConnectToRemoteClient("ClientMachine", #"Domain\Username", #"password", exe);
It works just fine for executables that exist on the remote client machine.
However, I want to call an executable from a server, and run it on that remote client machine.
Not sure how best to approach this. I tried feeding it the following:
ConnectToRemoteClient("ClientMachine", #"Domain\User", #"password", #"\\ServerName\MyDir\Myfile.exe");
But it never initiated the executable on the machine. No error messages.
The reason I want to do this, is to save me from having to copy the large executable and supporting files to each client, but rather just run it from the server depot on each remote client.
Do I have to call a CMD window and feed it the \\ServerName\MyDir\Myfile.exe in order to get it to work properly? or is there a way I can make this work?
You are connecting to the remote machine using the passed credentials, but that only establishes your rights to open WMI. The command you then pass to WMI to execute is not running as the credentials you pass in, but under the LocalSystem account credentials.
LocalSystem does not have access to the network share.
To do this you need to remotely execute PSEXEC (https://ss64.com/nt/psexec.html) which allows you to pass the parameters to launch the application as. PSEXEC runs as LocalSystem but allows you to pass credentials to use when it launches your designated application. The launched program will then impersonate the user you pass in, and will have access to the network share.
By using Process.GetProcesses, we can list running processes in a remote computer, e.g.
Process [] allRemoteProcesses = Process.GetProcesses("myRemoteComputer");
However, this seems to depend on the permission of my account. It throws exception "Couldn't connect to remote machine." if the running user does not have access to the remote machine. Can I specify another account to be used by .NET when checking the processes, similar to the -u and -p switches in PsList?
What I've done before is use something similar to what's described in this article.
using (new Impersonator("user", "domain", "pass"))
{
Process[] allRemoteProcesses = Process.GetProcesses("myRemoteComputer");
// Rest of code...
}
An alternative is use to use WMI and query for the processes like what's described here.
For the same problem, turning on the remote registry service in the remote registry worked for me!
I have a Windows service, running using the login localhost\administrator. This service is meant to invoke another executable (MyProcess.exe), which is supposed to write some stuff to a log file. The service uses Process.Start() to create the process, like so:
var p = new Process();
p.StartInfo.FileName = processFileName;
p.StartInfo.Arguments = arg;
p.Start();
Problem is, it appears that MyProcess.exe is being denied rights to write to the log file, even though localhost\administrator unquestionably has rights to the log folder. If I run MyProcess.exe from a command line, it works perfectly.
So, is it possible that the process is being executed using a different user login?
Can you think of any other reason why MyProcess.exe is being denied rights to write the log file?
UPDATE: the log file is being written to the local machine, but using a network address, i.e. \\MyPC\LogFolder. When I change the code to refer to C:\MyFolder, everything works fine. It's obviously having a problem with the network address (even though it's local).
What sharing settings do I need to put on the folder so that the local system account can access the file?
If you are using impersonating, than it impersonates a user that can be the currrent or a specified user. if not it will run under the Local System, with the privileges of the local system.
p.StartInfo.Domain = "UserName";
p.StartInfo.Password = "Passw0rd!";
You can get the username from:
Thread.CurrentPrincipal.Identity.Name
I've worked it out.
The problem, as noted in my update, is that the process was addressing the log folder using a network share address, \\MyPC\LogFolder, and when we switched the configuration so that it wrote instead to c:\Logfolder, it worked fine.
So it seems that when you address a local folder, the localhost\Administrator account is deemed to have sufficient rights. But when you go via the network share, you need to present valid network credentials, and localhost\Administrator just doesn't cut it. If you change to use MYDOMAIN\MyUser, it works even using the network share address.
I want to install a MSI package on a remote computer.
The local and remote computer both are members of a domain called "adn.lan"
and the user/password I pass as parameter to connection has full access to remote machine.
When I set connection.Authority to "ntdlmdomain:adran.lan" the return parameter shows the "Invalid parameter" and when I leave it as null and make it as remarked, the connect() would connect successfully but when it try to install package the return parameter shows that the addressed package is inaccessible.
Here is the code I've tried with.
ConnectionOptions connection = new ConnectionOptions();
//connection.Authority = "ntdlmdomain:adn.lan"; // "kerberos:" + domain + #"\" + machine;
connection.Username = username;
connection.Password = password;
//connection.Impersonation = ImpersonationLevel.Identify ;
connection.Authentication = AuthenticationLevel.Packet;
ManagementScope scope = new ManagementScope("\\\\RemoteMachineName\\root\\CIMV2", connection);
scope.Connect();
ManagementPath p = new ManagementPath("Win32_Product");
ManagementClass classInstance = new ManagementClass(scope, p, null);
ManagementBaseObject inParams = classInstance.GetMethodParameters("Install");
inParams["AllUsers"] = true;
inParams["Options"] = string.Empty;
inParams["PackageLocation"] = "\\\\LocalMachineName\\Share\\Prescription.msi";
ManagementBaseObject outParams = classInstance.InvokeMethod("Install", inParams, null);
string retVal = outParams["ReturnValue"].ToString();
When I set theconnection.Impersonation to Identity the result would be "Access denied".
If I understand your question and followup comment, you found that it would not work when the package path was on a different machine than the target machine (i.e. a UNC path, normally accessible from the target machine). But the installation works when you copy the package to the target machine and pass a local path on the target machine.
I believe the reason for the failure is due to the nature of DCOM impersonation levels.
Impersonate allows you to use the credentials of the caller on the target machine -- but not to connect from the target machine to another machine. To make that second hop using the same credentials requires Delegate level. (Problem is, that has security risks, so all the guidance says "warning warning warning" and everything makes it hard by default.)
When you asked the target machine to access the installation package on a separate network location, that was a "second hop" which would require credentials, but impersonate meant you could only use your credentials on the target machine, not passed from there to the remote file location.
TechNet has a nice summary of the impersonation levels, see Table 6.6 DCOM Impersonation Levels at the top of WMI Security Settings.
p.s. For fun, you might see if there's a way to do it without copying to the target machine. If you could find a way to expose the installation package file to the network in a way that allowed anonymous access, I wonder if that second hop would be allowed since only anonymous credentials were needed? Not sure though. And there might be an awful lot of guessing and testing going on, if you're anything like me : )
i have copied the exe file and it was no problem, useing the following code, but now i want to run it, can anyboyd help me on this.
NOTE: i have the access to servers through remote desktop, but cant do this manually, coz there are dozens of them, cant get a program running on it like psex or whatever.
WindowsIdentity wi = new WindowsIdentity(token);
//Next I set the WindowsImportsonationContext
WindowsImpersonationContext impctx = wi.Impersonate();
System.IO.File.Copy("C:\\output.html", "\\\\PW42\\c$\\output1.html", true);
System.Diagnostics.Process p = new System.Diagnostics.Process();
try
{
System.Diagnostics.Process.Start(#"\\PW42\c$\txt.bat");
//runFile();
}
catch
{
Console.WriteLine("error");
}
Depending on what access you have on the server you can use a program like psexec or using WMI to launch the file remotely.
A sample psexec command would be
psexec \\computername -u remoteusername filepath(on remote computer) arguments
Psexec can copy the file beforehand if requested and can run against a list of computers instead (replacing \\computername with #computer-list.txt). With WMI you need to connect to the Win32_Process class and Create a new object to start it. The second post in this thread could work.
Unfortunately both of these options require multiple firewall rules (like RPC and WMI) to be available from the running workstation. If your company only has RDP access enabled through the firewall, neither of these will probably work.