
Need a problem solved (fast)

  • 17-12-2010 6:57pm
    #1
    Registered Users, Registered Users 2 Posts: 4,113 ✭✭✭


    Does anyone know how I can hire a really experienced programmer to do a Windows Service for me?
    Well to be honest it's more a case of modifying an existing service that I have already written but now I have discovered it won't start for a non-administrative user when they are logged off (only happens on Windows 7 OS).
    I can't hand over the code and ask him/her to solve it for me because it's proprietary software but if I could get a windows service written that does what I want then I could modify mine to do it.
    It's a major problem for me, I've tried everything under the sun but nothing works so I need someone who is a real expert (hopefully in Windows Services programming) to do it for me.
    I have posted on a few of those post-a-project sites but got no replies.
    I am prepared to pay of course but only if the solution does exactly what I want.
    Does anyone know of a site/company that does this kind of thing?
    (quickly and hopefully cheaply)


Comments

  • Registered Users, Registered Users 2 Posts: 171 ✭✭conorcan2


    Did you choose the 'run with highest privileges' option?
    Are you using the Windows Resource center tools http://www.microsoft.com/downloads/en/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en


  • Registered Users, Registered Users 2 Posts: 523 ✭✭✭mwrf


    You can just wrap it with srvany if it's urgent:

    http://support.microsoft.com/kb/137890


  • Registered Users, Registered Users 2 Posts: 4,113 ✭✭✭lukin


    I think I used that resource kit already and it didn't work. Anyway when I install it it says "This program has known compatibility issues, windows resource Kit Tools have not been designed or tested with this version of Windows and might not run correctly".
    That's no good to me, I need a reliable solution, not something that "might" be OK. That .exe is just another program that has to be installed anyway, it's the service that needs to be fixed, not the PCs it is being installed on.
    Don't get me wrong, I appreciate the help but I badly need to get this issue fixed.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    Mentioning the appropriate language might help.
    C# / .Net or c++ or Java with one of the service wrappers?

    This request should be moved to the Situations Vacant sticky at the top of the development forum as it doesn't look like you want to contribute anything.

    If one of the c# /c++ options, was the code created using one of the Visual Studio Windows Service templates?

    To make this clear. The service is set to run with credentials of a non-admin user?

    And the non-admin user definitely has the "log-on as a service" right assigned to them? This won't be set by default. If your testing so far has been on developer machines all sorts of permissions could be unusual.

    Control Panel\Admin Tools\Local Security Policy\
    Security Settings\Local Policies\User Rights Assignment\"Log On as a Service"
    The Username has been added in this list?

    There could be all sorts of permissions required, for example a common one is if your program tries to create an EventLog Source at startup time then it'll need permissions.


  • Registered Users, Registered Users 2 Posts: 4,113 ✭✭✭lukin


    ressem wrote: »
    Mentioning the appropriate language might help.
    C# / .Net or c++ or Java with one of the service wrappers?
    It's C#. I have seen a few service wrappers but none in C# that do what I want (start a service after log off, regardless of who is logged on).
    ressem wrote: »
    This request should be moved to the Situations Vacant sticky at the top of the development forum as it doesn't look like you want to contribute anything.
    I was going to do that but that thread looks more like it is for permanent positions? This job is more like a project.
    ressem wrote: »
    If one of the c# /c++ options, was the code created using one of the Visual Studio Windows Service templates?
    I just selected "Windows Service" under "New Project". I added all the classes, installer etc. myself.
    ressem wrote: »
    To make this clear. The service is set to run with credentials of a non-admin user?
    That's what I am trying to do: there doesn't seem to be an option to do that when you create the service though.
    ressem wrote: »
    And the non-admin user definitely has the "log-on as a service" right assigned to them? This won't be set by default. If your testing so far has been on developer machines all sorts of permissions could be unusual.
    I want the service to be started regardless of whether the user has "log-on as a service" right assigned to them or not. The service is going to be installed on hundreds of computers on several different domains.
    There could be situations where it is installed on a PC and the logged on user has very restricted rights (e.g. they may not even have the right to create a folder on the C drive, never mind start a service).
    I have tested this by going into a dos window and typing "net start [Servicename]". It gives me "access denied".
    ressem wrote: »
    Control Panel\Admin Tools\Local Security Policy\
    Security Settings\Local Policies\User Rights Assignment\"Log On as a Service"
    The Username has been added in this list?
    This service will be installed on Windows 7 Home Premium OS which does not have the local policies option available.
    ressem wrote: »

    There could be all sorts of permissions required, for example a common one is if your program tries to create an EventLog Source at startup time then it'll need permissions.

    I agree. This is why I need to be able to start it with the least privileges.
    I don't know what the permissions of every user who uses the machine will be.


  • Registered Users, Registered Users 2 Posts: 459 ✭✭CSU


    Forgetting about what users are logged on or off - what account is the service itself configured to run under, local system account, network services (services.msc/service_name/properties/log on as)?


  • Registered Users, Registered Users 2 Posts: 4,113 ✭✭✭lukin


    CSU wrote: »
    Forgetting about what users are logged on or off - what account is the service itself configured to run under, local system account, network services (services.msc/service_name/properties/log on as)?
    Network service, but the PCs it is going to be installed on could be used as "log on to this computer" or to a domain.
    I can't change this programmatically according to who is using it at the time. It's set at the time of install.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    So it is running as Network service.

    At install time you want the installer to set the ACL saying who (e.g a user group like "domain users" or "Users" ) can start or stop the service.

    So you need the installer to do the equivalent of...

    Install subinacl from the resource kit.

    subinacl /service MYSERVICE /GRANT=MYcomputer\USERS=TO

    F : Full Control
    R : Generic Read
    W : Generic Write
    X : Generic eXecute
    L : Read controL
    Q : Query Service Configuration
    S : Query Service Status
    E : Enumerate Dependent Services
    C : Service Change Configuration
    T : Start Service
    O : Stop Service
    P : Pause/Continue Service
    I : Interrogate Service
    U : Service User-Defined Control Commands

    You might need a simple GUI to list whether domain users or local computer users is appropriate and edit the string as appropriate.

    http://support.microsoft.com/kb/288129


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    If so...

    sc sdset <servicename> <long security descriptor string>

    Microsoft best practice docs on the topic.
    http://support.microsoft.com/kb/914392/
    Allow/Deny;;String of permissions;;;SID or acronym for built-in account or group
    A;;LCWPRP;;;BU
    A for allow;; LC (query state), Wp (Start), RP (stop) ;;; BU ( Builtin-users)

    Or maybe AU for authenticated users might be better.
    Might want to experiment with this in an expendable virtual machine.

    sc sdshow myservicename

    will give you the current values. You'll need to append your additions to the existing values.


  • Registered Users, Registered Users 2 Posts: 4,113 ✭✭✭lukin


    ressem wrote: »
    At install time you want the installer to set the ACL saying who (e.g a user group like "domain users" or "Users" ) can start or stop the service.

    Yep, already tried hardcoding that into the installer. It didn't work because I was installing it from a non-administrative user account and Windows 7 will not allow you to modify the ACL of a service if you are not an admin on the machine. In fact none of the sc commands will work if you are not an admin on the PC.
    I am actually an Administrator on my own Windows 7 PC yet when I open a DOS window and go "sc start [Servicename]" it gives me "access denied". If I right-click on the DOS command and select "Run as Administrator" (after clicking Yes to the prompt) it works OK then.
    I didn't mention that in my first post as if I was to list all the stuff I tried it would be one long post!
    In practice, the person who is installing the application may not have admin rights on the PC so any calls to sc in the code will fail.
    I'm not trying to pick holes in your suggestions, I appreciate your replies.
    I have seen code that allows you to start a service if an ip address changes or a USB device is attached (http://www.codeproject.com/KB/cs/Trigger_Start_Service.aspx) and I tried to change it to make it start for a log off event but I couldn't get it to work.
    Maybe I didn't try hard enough, I could try it again.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    Windows 7 has triggers that can start a service but uses sc again (or registry editing, which requires elevation.)

    So to summarize for those that don't want to read all my rubbish above.

    The service is
    1) Written in c#, installs using System.Configuration.Install?
    2) Must be installable by a non-elevated user.
    3) The service itself runs as "NetworkService"
    4) Any non-elevated (authenticated?) user must be able to start / stop the service.

    From your earlier threads, you've tried using scheduled tasks to start the service, but hasn't worked (because the user hasn't the correct permissions set by sc).
    It won't do to set the service to auto-start at computer boot time and have it sleep rather than stop?

    Think I'll bow out here. As far as I know it's not a problem with the service you've written; but with wanting to set registry flags without sufficient privilege.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    Ok, back again. Fecking ocd.

    Non programming related.
    Why does it need to be installed with such low permissions. Step 2.
    In a home environment, the permissions will usually be available.
    You create your signed application manifest, provide your elevation prompt, use shellex to run sc and it appears like any other competently written program.

    If it's an authorised app in a corporate environment, an admin should be able to wrap it up in a deploy package with the necessary credentials built-in. Including a tool to help the novice domain admins do this might be easier than trying to bypass registry permissions.
    If not authorised there's some chance that they'll use group policy to stop it from running anyways.


  • Registered Users, Registered Users 2 Posts: 4,113 ✭✭✭lukin


    ressem wrote: »
    Ok, back again. Fecking ocd.

    Non programming related.
    Why does it need to be installed with such low permissions.
    It doesn't need to be; it may be. When this application is installed, I don't know who is going to be installing it, it may be someone with admin rights on the PC, it might not be. If I put something in the installation code that runs the sc command to change the descriptor string and the person who is installing it does not have admin rights, it won't work.
    ressem wrote: »
    In a home environment, the permissions will usually be available.
    You create your signed application manifest, provide your elevation prompt, use shellex to run sc and it appears like any other competently written program.
    Elevation prompt is no good, that would be completely unworkable if every time a person logs off they have to enter a username and password to start the service.
    I will try that sc command again, I can actually disable UAC with a batch file but it won't work when I embed it in the code.
    I don't like putting anything in a program that messes with Windows settings though.


  • Registered Users, Registered Users 2 Posts: 4,113 ✭✭✭lukin


    I have a batch file that disables UAC. I can run it from a command prompt (just double-clicking on "C:\DisableUAC.bat") and it works but when I hard-code this into a program (using System.Process.start) it doesn't work.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    http://victorhurdugaci.com/using-uac-with-c-part-1/
    In Vista even if your user is part of the Administrators group it runs with reduced privileges by default and gains his full rights on demand.

    In the installer
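        // Requires: using System.Diagnostics;
        ProcessStartInfo processInfo = new ProcessStartInfo();
        processInfo.UseShellExecute = true;   // the "runas" verb is only honoured via ShellExecute
        processInfo.Verb = "runas";           // request elevation (UAC prompt)
        processInfo.FileName = "sc.exe";
        processInfo.Arguments = "sdset myservicename < the long security descriptor string>";
        Process.Start(processInfo);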
    

    Note the runas verb which kicks off the UAC prompt during the installer when the process requiring elevation is started.


  • Registered Users, Registered Users 2 Posts: 2,781 ✭✭✭amen


    Sorry, but if you are running this in a managed domain why not talk to your network services group? MS have tools that allow you to install services silently on a user's PC either overnight, next logon or next reboot.

    I'm sure you could use this.


  • Registered Users, Registered Users 2 Posts: 4,113 ✭✭✭lukin


    amen wrote: »
    Sorry, but if you are running this in a managed domain why not talk to your network services group? MS have tools that allow you to install services silently on a user's PC either overnight, next logon or next reboot.

    I'm sure you could use this.

    Installing it is only part of the problem. Once the service is installed it must be allowed to be started by anyone, regardless of rights. I have spoken to an expert and apparently this is not possible under Win 7 or Vista.
    An application cannot send control codes to a service (specifically start and stop) if you don't have admin rights.

    ressem, the "runas" prompt is a non-starter in this app.


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    lukin wrote: »
    Installing it is only part of the problem. Once the service is installed it must be allowed to be started by anyone, regardless of rights. I have spoken to an expert and apparently this is not possible under Win 7 or Vista.
    An application cannot send control codes to a service (specifically start and stop) if you don't have admin rights.

    ressem, the "runas" prompt is a non-starter in this app.
    Yeah we also have similar problems at work I think with permissions


  • Registered Users, Registered Users 2 Posts: 4,113 ✭✭✭lukin


    Webmonkey wrote: »
    Yeah we also have similar problems at work I think with permissions

    It's driving me absolutely nuts, I think I will have to give up on the idea of a service completely and do what I want to do as a separate .exe.
    Maybe that won't run either once a user logs off. Is there anything that runs under Win 7 when it is in logoff state?


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    lukin wrote: »
    I have spoken to an expert and apparently this is not possible under Win 7 or Vista.
    An application cannot send control codes to a service (specifically start and stop) if you don't have admin rights.

    That is just false.
    An admin has to, as a one-off around install time, use sc to grant the permission to control the service.
    After that a standard user or application running as a user can stop and start a service. I tested it just there. No elevation needed.
    Created standard local account 'mytempaccount' pass BadLogin
    
    >sc query
    
    MySQL looks convenient
    
    >sc sdshow mysql
    
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
    
    Run an elevated command prompt. (In Search window "cmd" followed by Ctrl+Shift+Enter)
    
    As elevated User Prompt>sc sdset MySQl D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;LCWPRP;;;BU)
    [SC] SetServiceObjectSecurity SUCCESS
    
    >runas /User:mytempaccount cmd
    Enter the password for mytempaccount:
    Attempting to start cmd as user "MYCOMPUTER\mytempaccount" ...
    
    mytempaccount Prompt>net stop mysql
    The MySQL service is stopping....
    The MySQL service was stopped successfully.
    
    
    So that bit is fine. Stopping and starting this service as a standard user.

    Now to place controls in a c# windows app.
    using System;
    using System.ServiceProcess;
    
    namespace ToggleMysqlServiceStatus
    {
        class AppMain
        {
            static void Main()
            {
                StartService("MySQL", 5000);
                return;
            }
    
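            public static void StartService(string serviceName, int timeoutLengthInMilliseconds)
            {
                // ServiceController is IDisposable, so release the SCM handle when done.
                using (ServiceController service = new ServiceController(serviceName))
                {
                    try
                    {
                        TimeSpan timeout = TimeSpan.FromMilliseconds(timeoutLengthInMilliseconds);
                        service.Start();
                        service.WaitForStatus(ServiceControllerStatus.Running, timeout);
                    }
                    catch (Exception ex)
                    {
                        // Report failures (e.g. access denied, timeout) instead of swallowing them.
                        Console.Error.WriteLine("Could not start " + serviceName + ": " + ex.Message);
                    }
                }
            }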
        }
    }
    

    Logoff. Log on as standard user. Net Stop MySql (which succeeds without hassle or elevation.)
    ToggleMysqlServiceStatus.exe

    Net Start MySql
    MySql is already running.
    Log-in as admin. Check event log. MySql did indeed stop and restart.

    Of course if you want to use a scheduled task to stop and start the service then the user needs logon as batch job rights, which it won't have by default.
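An added C# example (not code from the thread or from Microsoft) of the "append your additions to the existing values" step from the `sc sdshow` / `sc sdset` posts: it inserts the new ACE at the end of the DACL even when the descriptor also carries an `S:` section, and lists any allow-ACE that gives change-config, write-DAC, write-owner or delete rights to a broad group. The class and method names, the SACL in the sample, and the choice of which rights and trustees to flag are assumptions of the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Added example; class and method names are hypothetical, not from the thread.
static class ServiceSddl
{
    // SDDL right codes as they apply to services (RP = start, WP = stop).
    static readonly Dictionary<string, string> Rights = new Dictionary<string, string>
    {
        {"CC", "QueryConfig"}, {"DC", "ChangeConfig"}, {"LC", "QueryStatus"},
        {"SW", "EnumerateDependents"}, {"RP", "Start"}, {"WP", "Stop"},
        {"DT", "PauseContinue"}, {"LO", "Interrogate"}, {"CR", "UserDefinedControl"},
        {"SD", "Delete"}, {"RC", "ReadControl"}, {"WD", "WriteDac"}, {"WO", "WriteOwner"}
    };
    // Assumption of this example: rights that let the holder reconfigure,
    // re-ACL or delete the service, and trustees that cover ordinary users.
    static readonly string[] Sensitive = { "DC", "WD", "WO", "SD" };
    static readonly string[] Broad = { "BU", "AU", "IU", "WD" };
    // ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
    static readonly Regex Ace = new Regex(
        @"\((?<type>[^;()]*);[^;()]*;(?<rights>[^;()]*);[^;()]*;[^;()]*;(?<sid>[^;()]*)\)");

    // Index where the SACL ("S:") begins, or the string length if there is none.
    static int SaclStart(string sddl)
    {
        int i = sddl.IndexOf("S:", StringComparison.Ordinal);
        return i < 0 ? sddl.Length : i;
    }

    // Insert an ACE at the end of the DACL rather than the end of the string:
    // anything placed after an "S:" section is parsed as part of the SACL.
    public static string AppendAce(string sddl, string ace)
    {
        int cut = SaclStart(sddl);
        string dacl = sddl.Substring(0, cut);
        if (dacl.Contains(ace)) return sddl;   // already present: re-running is a no-op
        return dacl + ace + sddl.Substring(cut);
    }

    // Allow-ACEs in the DACL that give a sensitive right to a broad trustee.
    public static List<string> Findings(string sddl)
    {
        var found = new List<string>();
        foreach (Match m in Ace.Matches(sddl.Substring(0, SaclStart(sddl))))
        {
            string sid = m.Groups["sid"].Value, r = m.Groups["rights"].Value;
            if (m.Groups["type"].Value != "A" || !Broad.Contains(sid)) continue;
            var bad = Enumerable.Range(0, r.Length / 2).Select(i => r.Substring(i * 2, 2))
                .Where(c => Sensitive.Contains(c)).Select(c => Rights[c]).ToList();
            if (bad.Count > 0) found.Add(sid + ": " + string.Join(", ", bad));
        }
        return found;
    }

    static void Main()
    {
        // DACL as shown by "sc sdshow mysql" in the thread, plus a constructed SACL.
        string current = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            + "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
            + "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)";
        string startStop = AppendAce(current, "(A;;LCWPRP;;;BU)");
        Console.WriteLine(startStop);
        Console.WriteLine("Sensitive grants: " + Findings(startStop).Count);
        // Constructed over-broad alternative: every service right to Builtin Users.
        string tooBroad = AppendAce(current, "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)");
        foreach (string f in Findings(tooBroad)) Console.WriteLine("Review: " + f);
    }
}
```

The string returned by `AppendAce` is what an elevated installer step would pass to `sc sdset`; running `Findings` on it first keeps the grant limited to query, start and stop.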


  • Registered Users, Registered Users 2 Posts: 4,113 ✭✭✭lukin


    ressem wrote: »
    As elevated User Prompt>sc sdset MySQl D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;LCWPRP;;;BU)
    [SC] SetServiceObjectSecurity SUCCESS
    
    


    That actually works but the problem remains that I can't do it programmatically; I can only run that dos command from an elevated prompt so someone has to be physically on the PC and right-click on the dos window and click "yes" to the prompt.
    In practice this application will be installed on a lot of PCs by non-computer literate people who crucially may not have admin rights on the PC.
    (It may also eventually be installed from a central location by System Center Configuration Manager).
    I need to be able to package the above step into an installer.
    Thanks for getting me this far, I just now need to be able to get rid of the "runas" prompt.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    Can you try adding the code as listed in post #16 into an empty class?

    You don't have to click on a dos window. When you use runas in this manner you get the classic UAC screen fadeout + prompt "Do you want to allow the following program from an unknown publisher to make changes to your computer", like any installer. A command window will appear to display the results for a fraction of a second which can probably be hidden with further research.

    If the app is deployed in ClickOnce / MSI form then create your application manifest and add requestedExecutionLevel attribute to asInvoker.
    Since you're installing a service, you'll be using MSI / Windows Installer.


    So using sccm, the installer will have permissions to install to the machine and UAC will not be triggered.

    For users that don't have permission to do an elevated install, my view would be 'tough'. Only short-lived exploits should let you bypass this.

    I'm loath to throw another distraction at you but http://www.advancedinstaller.com/ might help with creating a compliant installer for you.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    Or if you need to, you can use pInvoke to call the necessary win32 API in unmanaged code, which may cause its own issues.

    http://www.pinvoke.net/default.aspx/advapi32/QueryServiceObjectSecurity.html?diff=y


  • Registered Users, Registered Users 2 Posts: 4,113 ✭✭✭lukin


    ressem wrote: »
    Can you try adding the code as listed in post #16 into an empty class?
    No, the code in post #16 is called from an eventhandler in main ("SystemEvents_SessionEnded")

    ressem wrote: »
    For users that don't have permission to do an elevated install, my view would be 'tough'. Only short-lived exploits should let you bypass this.

    Anyone who installs the app will have to have admin rights on the PC so.


  • Registered Users, Registered Users 2 Posts: 4,113 ✭✭✭lukin


    I think I have it now. I placed the code in post #16 into the after install event of the service installer. It then allows any user to start the service regardless of privilege level.
    After installation it displays a dos window briefly but does not ask me for an admin password. Also, Win 7 seems to have that sc command built in, I didn't need to install the resource toolkit.
    It seems to be OK, I need to install the app on a completely new Windows 7 PC to be on the safe side as I have only tried it with one that had it installed before.
    Thanks to ressem for his/her help.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    sc.exe should be on windows installs from Windows XP inclusive.


  • Registered Users, Registered Users 2 Posts: 4,113 ✭✭✭lukin


    ressem wrote: »
    sc.exe should be on windows installs from Windows XP inclusive.

    It will only ever be installed on WinXP upwards anyway so I should be OK. Thanks again.

