Window Service In C# (ServiceProcessInsaller) -- Error 5: Access is Denied - c#

I am using Visual Studio 2008 and .NetFramework 3.5.
I developed one windows service application in c# using FileSystemWatcher. The main goal of this project is watch an Folder and need to write the modification status in a text file (FolderWatchLog.txt). That text file appeared on another folder.
In ServiceInstaller I specified the StartType=Manual and in ServiceProcessInstaller I specified Account=LocalSystem property.
The issue is, in my pc (Microsoft Windows XP Professional Version 2002 Service Pack 2), I have 2 users. 1 user has ADMIN permission and the 2nd user has LIMITED permission. I developed this applicaion in ADMIN power user and installed (installutil FolderWath.exe). I can start or stop perfectly. But if I logged in the 2nd user (LIMITED permission user), then I CAN'T start or stop the service. I got the error message Could not start the FolderWatch service on LocalComputer. Error 5: Access is Denied. So, I changed the ServiceProcessInstaller Account property. But at that time I got another error in both ADMIN & LIMITED permission users. That error message was FolderWatchLog.txt Access is Denied.
My requirement is this FolderWatch service need to has full access permission for all type of users.

Related

Access Denied when running Windows Service

I have created a Windows Service using ASP.Net Core 3.x and C#. I started with the new Windows Service template when I built the project. When I run it from my development environment or from a console window it runs fine. When I install it as a Windows Service and attempt to start the service I get an
"Error 5: Access is denied." error.
I tried numerous things which I will outline below to eliminate the error but nothing seemed to work so I downloaded the sample app provided by Microsoft, at sample
Same result...when I run the sample app from within Visual Studio it runs fine, when running as a service I get the Access Denied error.
I am running all of this on my local machine, which I am an admin on.
I originally tried to run it using the default Local System account; got the Access Denied error.
I changed the Log On As to my domain account, the same one I use to log into my local machine which is an admin on this machine; got the same Access Denied error.
My account has the privilege set to run as a service.
The Event Viewer just shows the one message which says "Access Denied", no other messages are created.
I believe the Access Denied error is occurring before the C# code is even executed. What makes me believe this is that I added one line to the very top of the Program.Main.... File.WriteAllText("C:\\temp\\ws.log", $"Test of Worker Service # {DateTime.Now}. Content Root Path: {AppContext.BaseDirectory}");. My account has full access to the temp folder. This file gets created when I run the app from Visual Studio but it does not get created when I run the app as a service.
I have read numerous web sites, include this one and this one. No luck, everything I tried from these sites still produce the Access Denied error.
I have run out of ideas and am hoping someone here can provide me the answer. Thanks!
I found the solution and believe me I feel really stupid!!!
When I installed it as a service I only put the path in "binPath".
sc create WindowsService1 binPath="C:\temp".
Once I actually added the executable to the binPath parameter everything worked.
Changed it to sc create WindowsService1 binPath="C:\temp\WindowsService.exe" and it worked.
I know it is an Id10t error but Microsoft should really provide better messaging for the "sc" command. A message like "Cannot find file specified in the binPath parameter" would have been really helpful. Would have saved me about 6 hours of work.
Thanks everyone for reviewing and replying to this question.

Windows Service - UnauthorizedAccessException Error when Installing Service (C#)

So I am trying to create a service using C# in Visual Studio 2017 and I keep getting an error when I try to install it.
Right now, I don't even have anything in my service, I just want to be able to install the service. I created a new Project in Visual Studio 2017 using the Windows Service (.NET Framework) template under Visual C# > Windows Desktop. I then added the installer via Right Click > Add Installer. For serviceProcessInstaller1, I set the account to LocalSystem. And...that's it!
Now, I try to install it. I open up command prompt (run as administrator) and I do
InstallUtil ServiceTest.exe
Things start off smoothly, but then I get a message:
"An exception occured during the Install phase.
System.UnauthorizedAccessException: Attempted to perform an
unauthorized operation."
What could be generating this message?
I've googled and tried the following things:
Ensure I run command prompt as administrator.
Assign Full Control to
the project folder to my admin account.
Configure permissions to Full
Control for admin account in the security log of regedit.
Log into my
computer as an administrator (rather than regular user) and run it
that way.
Despite these things, I keep getting the same error. What else could I be doing wrong? Would really appreciate some advice!
Note: I am trying to install this service locally on my computer.
Edit: Per request, here are the logs. I named my project "FailedService", by the way, since I can't get it to work!
InstallUtil.InstallLog
Running a transacted installation.
Beginning the Install phase of the installation.
See the contents of the log file for the C:\Users\first.m.last\source\repos\FailedService\FailedService\bin\Debug\FailedService.exe assembly's progress.
The file is located at C:\Users\first.m.last\source\repos\FailedService\FailedService\bin\Debug\FailedService.InstallLog.
An exception occurred during the Install phase.
System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
The Rollback phase of the installation is beginning.
See the contents of the log file for the C:\Users\first.m.last\source\repos\FailedService\FailedService\bin\Debug\FailedService.exe assembly's progress.
The file is located at C:\Users\first.m.last\source\repos\FailedService\FailedService\bin\Debug\FailedService.InstallLog.
The Rollback phase completed successfully.
The transacted install has completed.
FailedService.InstallLog
Installing assembly 'C:\Users\first.m.last\source\repos\FailedService\FailedService\bin\Debug\FailedService.exe'.
Affected parameters are:
logtoconsole =
logfile = C:\Users\first.m.last\source\repos\FailedService\FailedService\bin\Debug\FailedService.InstallLog
assemblypath = C:\Users\first.m.last\source\repos\FailedService\FailedService\bin\Debug\FailedService.exe
Installing service Service1...
Creating EventLog source Service1 in log Application...
Rolling back assembly 'C:\Users\first.m.last\source\repos\FailedService\FailedService\bin\Debug\FailedService.exe'.
Affected parameters are:
logtoconsole =
logfile = C:\Users\first.m.last\source\repos\FailedService\FailedService\bin\Debug\FailedService.InstallLog
assemblypath = C:\Users\first.m.last\source\repos\FailedService\FailedService\bin\Debug\FailedService.exe
Restoring event log to previous state for source Service1.
I was FINALLY able to resolve this issue. I was able to get to the bottom of it by using SysInternal's Process Monitor. I opened up the program and had it take logs for InstallUtil.exe. From there, I began to search for any logs that said "Access Denied". As I sorted through them, I noticed something interesting: it was trying to create a registry key, but it kept failing!
So I went into the registry and created a key named "ServiceTest". After that, I ran the InstallUtil command again, and it worked!
If anyone else is having trouble, the solution is to create a key named after your process name in the following location:
HKLM\System\CurrentControlSet\Services\EventLog\Application\
Enter the full path to installUtil & your service binary in an elevated prompt, that could do.

Detecting elevated privileges on Windows Server 2008 or higher

I have an C#, .Net 4.6.1 Windows Forms Application running on Windows Server Platforms (2008 or higher) which requires to be "Run as Administrator". Elevated privileges are required because the application changes User Access Rights on various folders (underneath the IIS Default Web Site Root if that matters).
I have no luck in detecting if the application has been "Run as Administrator". If I start the application normally (that is not as Administrator) the following code
var isAdmin = WindowsIdentity.GetCurrent().Owner.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid);
returns true but the code which changes some User Access Rights on a Directory fails with a Insufficient Privileges Error.
If I run the application as administrator the above check also returns true, but the changing of User Access rights works just fine.
Other attempts I have made without success:
Using the GetTokenInformation method inside the advapi32.dll as suggested here
Adding a manifest file to the application where I set the requestedExecutionLevel to requireAdministrator
Thanks in advance for any help.
The following must work (I hope so; I have a Windows client and it's working with me).
var Identity = WindowsIdentity.GetCurrent();
var Principal = new WindowsPrincipal(Identity);
bool IsAdmin = Principal.IsInRole(WindowsBuiltInRole.Administrator);
Try to change the permissions of a known folder and if there is an exception then you know the program has not been run as administrator.

Cannot Start Windows Service in NetworkService account

I have a windows service project implementation that I am trying to install as network service.
process = new ServiceProcessInstaller();
process.Account = ServiceAccount.NetworkService;
however whenever I try to start the service I get :
System error 5 has occurred.
Access is denied.
This comes after running the net start MyService command in the visual studio command prompt which is running as administrator by the way.
Any help on how to get this to work? Thanks.
I would check that the Network Service account has permissions to execute. Steps to check:
In Windows explorer go to the folder containing the binaries of the service
Right-click on the folder > Properties > Security tab > Edit button
Add > "NETWORK SERVICE" > OK
Give it full control (just to test and then reduce permissions till it working)
Your Net Start MyService is probably not running with escalated privileges. Your command requires (I believe) Administrative Privileges.
Update
Not sure why, but your privileges on your service are weird. By default privileges of services should look like:
D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
ACE Type: ACCESS_ALLOWED_ACE_TYPE
Trustee: NT AUTHORITY\SYSTEM
AccessMask:
ADS_RIGHT_DELETE
ADS_RIGHT_READ_CONTROL
ADS_RIGHT_WRITE_DAC
ADS_RIGHT_WRITE_OWNER
ADS_RIGHT_DS_CREATE_CHILD
ADS_RIGHT_DS_DELETE_CHILD
ADS_RIGHT_ACTRL_DS_LIST
ADS_RIGHT_DS_SELF
ADS_RIGHT_DS_READ_PROP
ADS_RIGHT_DS_WRITE_PROP
ADS_RIGHT_DS_DELETE_TREE
ADS_RIGHT_DS_LIST_OBJECT
ADS_RIGHT_DS_CONTROL_ACCESS
However your's looks like:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)
ACE Type: ACCESS_ALLOWED_ACE_TYPE
Trustee: NT AUTHORITY\SYSTEM
AccessMask:
ADS_RIGHT_READ_CONTROL
ADS_RIGHT_DS_CREATE_CHILD
ADS_RIGHT_ACTRL_DS_LIST
ADS_RIGHT_DS_SELF
ADS_RIGHT_DS_READ_PROP
ADS_RIGHT_DS_WRITE_PROP
ADS_RIGHT_DS_DELETE_TREE
ADS_RIGHT_DS_LIST_OBJECT
ADS_RIGHT_DS_CONTROL_ACCESS
I'm not sure exactly how that came to be. Try uninstalling and reinstalling?
You can download SddlParse (google it :) to parse out the Security Descriptor Definition Language.
The "Access denied" message applies to the user trying to start the service, not the account in which the service is run.
Can you start the service from:
the Services Control Panel applet?
an elevated command prompt you started yourself (not from Visual Studio)?

Allowing Access To Outlook Interop In Web Forms Project

I am having a problem with IIS permissions and Microsoft's Outlook 2010 interop assembly using a web forms project.
I created a proof of concept project to make sure I could use Microsoft's Outlook interop assembly in a particular the situation I am tasked with. The demo project worked great and I had no problems. Now I am trying to integrate it into our main project and I am running into an IIS permission issue. I have my web site running in IIS 7 locally. In IIS Manager, I click on Application Pools -> My Web Site -> Advanced Settings. In this window, I have a custom Identity called "fileshare" with a password ("fileshare" was create to secure access to the web site's images, pdf files, etc. on a development network server). I copied the outlook interop assembly into our common shared assemblies folder instead of referencing it from the GAC. I gave the assembly all permissions for IUSER, NETWORK SERVICE, IIS_WPG, ASP.NET and fileshare. I get the following run- time error:
Retrieving the COM class factory for component with CLSID {0006F03A-0000-0000-
C000-000000000046} failed due to the following error: 80070005 Access is denied.
(Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). Description: An unhandled
exception occurred during the execution of the current web request. Please
review the stack trace for more information about the error and where it
originated in the code.
Exception Details: System.UnauthorizedAccessException: Retrieving the COM class
factory for component with CLSID {0006F03A-0000-0000- C000-000000000046} failed
due to the following error: 80070005 Access is denied. (Exception from HRESULT:
0x80070005 (E_ACCESSDENIED)).
ASP.NET is not authorized to access the requested resource. Consider granting
access rights to the resource to the ASP.NET request identity. ASP.NET has a
base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on
IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that
is used if the application is not impersonating. If the application is
impersonating via <identity impersonate="true"/>, the identity will be the
anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in Explorer, choose
"Properties" and select the Security tab. Click "Add" to add the appropriate
user or group. Highlight the ASP.NET account, and check the boxes for the
desired access.
I checked the windows event logs and under Windows Logs -> System and I have this error:
The machine-default permission settings do not grant Local Activation permission
for the COM Server application with CLSID {0006F03A-0000-0000-
C000-000000000046} and APPID Unavailable to the user BSoup\fileshare SID
(S-1-5-21-2999627215-1482540357-33300828-1019) from address LocalHost (Using
LRPC). This security permission can be modified using the Component Services
administrative tool.
After doing a bit more research, I've decided that using the interop assembly is a bad choice. As Alexi stated, it's not for use over the network.
Start Internet Information Services (IIS).
Right-click your application's virtual directory, and then click Properties.
Click the Directory Security tab. Under Anonymous access and authentication control, click Edit.
Make sure the Anonymous access check box is not selected and that Integrated Windows authentication is the only selected check box.
Configure ASP.NET to use Windows authentication with impersonation, use the following configuration in WebConfig.
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true"/>
</system.web>

Categories

Resources