I tried creating a Windows service in C++ using this code sample on MSDN. I opened the solution file in Visual Studio 2013 as admin. The build was successful. Then I installed the service, as per the description provided with the code sample, from a command prompt opened as administrator. The service is now shown in the Services tool in my system. However, when I try to start the service, I get error 5: Access is denied.
The output of sc qc CppWindowsService is as follows:
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: CppWindowsService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\Aaa\Documents\CppWindowsService\C++\Debug\CppWindowsService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CppWindowsService Sample Service
DEPENDENCIES :
SERVICE_START_NAME : NT AUTHORITY\LocalService
Why does this happen, and how can I fix it?
Because the executable file is in your personal Documents folder, the local service account doesn't have access to it.
The easiest resolution would be to change the permissions on the Debug folder to give SERVICE read and execute access, with inheritance enabled. From the command line:
icacls Debug /grant SERVICE:(OI)(CI)(RX)
(Because Windows does not do traverse checking in the default configuration, you do not need to change the permissions for the parent folders.)
Another option is to copy the executable file to a public location (such as inside Program Files) and install it there, but you then have to remember to manually update the copy each time you recompile.
Edit: yet another option, as you suggest, is to change the account to local system so that the service is running with administrative privileges. Best practice is to run services with the least privilege necessary, but at this stage it doesn't matter much.
The comment provided by #Pumkko helped to solve the issue... The service account was specified as LocalService (#define SERVICE_ACCOUNT L"NTAUTHORITY\\LocalService"). From here:
The Local Service account didn't have permissions to the output .exe
file, and this was why the error was occuring.
I changed the account type to LocalSystem (#define SERVICE_ACCOUNT L"LocalSystem") and now my service can be started.
Thankyou #Pumkko and #Harry Johnston.
Related
I just installed a new WebSphere 8.5.5 ESB on Linux Centos 7.
All installation i did with root user.
Than i did the following steps to create a Web Service:
1) create server with user wasadmin
2) Generate plugin
3) Propagate plugin
In the last step i get the error:
PLGC0049E: The propagation of the plug-in configuration file failed for the Web server. test2lsoa01-02Node01Cell.XXXXXXXXX-node.IHSWebserver.
Error A problem was encountered transferring the designated file. Make sure the file exists and has correct access permissions.
The file /u01/apps/IBM/WebSphere/profiles/ApplicationServerProfile1/config/cells/test2lsoa01-02Node01Cell/nodes/XXXXX-node/servers/IHSWebserver/plugin-cfg.xml exist.
I gave him for test chmod 777 plugin-cfg.xml
Still the error is not going away.
Can someone help?
User wsadmin would be the user attempting to move the file. Ensure that ID can access /u01/apps/IBM/WebSphere/profiles/ApplicationServerProfile1/config/cells/test2lsoa01-02Node01Cell/nodes/XXXXX-node/servers/IHSWebserver/plugin-cfg.xml and there should be a target directory as well (in the webserver installation where plugin-cfg.xml is being moved to). Ensure that wsadmin has write access to this target location if propagating using node sync. If using IHS admin, ensure that the userid/password defined in the web server definition has write access to the target location.
A good test would be to access the source plugin-cfg.xml using wsadmin userid and attempt to manually move the file to the target location with the appropriate ID (based upon use of node sync or IHS admin).
I am trying to install and run ESB and CEP both on the same machine. I have tried to set port offset to 1, to prevent port conflict, but still after running ESB, I am not able to run CEP. The error log in cmd is as bellow:
`C:\Program Files\yajsw-stable-11.03_cep\bat>call setenv.bat
"java" -Xmx30m -Djna_tmpdir="C:\Program Files\yajsw-stable-11.03_cep\bat\/../tmp
" -jar "C:\Program Files\yajsw-stable-11.03_cep\bat\/../wrapper.jar" -t "C:\Program Files\yajsw-stable-11.03_cep\bat\/../conf/wrapper.conf"
YAJSW: yajsw-stable-11.03
OS : Windows 7/6.1/amd64
JVM : Oracle Corporation/1.7.0_75
Dec 20, 2015 11:44:31 AM org.apache.commons.vfs2.VfsLog info
INFO: Using "C:\Users\K5563~1.KHA\AppData\Local\Temp\vfs_cache" as temporary files store.
platform null
************* STARTING "WSO2CARBON_cep" ***********************
Service "WSO2CARBON_cep" NOT started
Press any key to continue . . .`
First : where and how can I find a proper log to figure out what is the problem? As you know, there is nothing in : repository\logs until the program starts to run.
Second : if you have any idea about the probable cause, please let me know.
Additional info : I am using jdk 1.7.0_75, esb 4.9.0, cep 4.0.0, yajsw 11.03, and there was a success message after installation of both esb and cep. I gave them different service names while installing as a windows service, to prevent conflict. Also, I am able to see both of them in windows services list.
Thanks for reading.
To start two carbon servers as windows services please follow the blog post below[1] to overcome this issue. The blog explains how two services can be run as windows services.
Some important areas to consider when setting up two nodes as windows services are :
1.create two folders as 'esb_service' and 'cep_service' and copy the relevant packs into each foldr
2.As shown on[1] please update the esb_home and cep_home on the relevant places within the wrapper.conf replacing the carbon_home which is the default value
3.Make sure that the port offset of one of the two nodes is incremented by one to avoid port conflict.
4.start the two yajsw-stable-11.03 with installService.bat and startService.bat to get the services running
Note: I have tried this scenario using yajsw-stable-11.03 version.
[1]http://blog.lasindu.com/2015/05/how-to-start-two-or-more-wso2-servers.html
Overview
The Process
exe/dll compiled in C++ to be run
Scenario
Log in (win 7) to a standard user account (no admin)
run The Process as admin
The Process opens some app (exe) using ShellExecute
Problem
The app is opened in the scope of the admin user
Expecting
The app is opened in the scope of the standard user
Solutions
1. CreateProcessAsUser
Use CreateProcessAsUser (Assuming I managed to get hToken right that should have solved the issue).
However, I get the call failed with error code 1314 - ERROR_PRIVILEGE_NOT_HELD. Going back to the documentation tells me:
If this function fails with ERROR_PRIVILEGE_NOT_HELD (1314), use the
CreateProcessWithLogonW function instead
So I digged in and found this CreateProcessAsUser Error 1314 which wasn't very helpful.
2. ImpersonateLoggedOnUser
using ImpersonateLoggedOnUser generated the same error code: 1314 - ERROR_PRIVILEGE_NOT_HELD.
3. CreateProcessWithLogonW
CreateProcessWithLogonW requires lpPassword which naturally I don't have
The Question
How can an admin process open an application in the logged in user?
Have you tried using CreateProcessWithTokenW which is mentioned in the CreateProcessWithLogonW documentation? It seems to require a much weaker privilege than CreateProcessAsUser, one you should posses (SE_IMPERSONATE_NAME rather than SE_ASSIGNPRIMARYTOKEN_NAME).
You said you already have a token for the interactive user so I won't go into it.
(Note: Strange bugs have been reported with all of this, including CreateProcessWithTokenW. Don't give up on the first attempt. A bug and a fix for example: why is CreateProcessWithTokenW failing with ERROR_ACCESS_DENIED )
hToken is not a "right". It's a token. What the error says is that you lack a privilege.
Holding a privilege is not a fundamental right! Some privileges are given to certain users by default. Others need to be given through the Local Security Policy (in the "User Right Assignment" node in the MMC snap-in or with LsaAddAccountRights - all of which is documented in the page Assigning Privileges to an Account).
Besides that you sometimes have to enable privileges using AdjustTokenPrivileges. This is documented in the sibling page Changing Privileges in a Token.
Some APIs enable them if you hold them. Others don't and require you to do so yourself. The obvious way to go is to enable a privilege before calling and API that's documented to require it.
The MS Forum link may not have been but the error message is quite clear. MSDN says about the function:
Typically, the process that calls the CreateProcessAsUser
function must have the SE_INCREASE_QUOTA_NAME privilege
and may require the SE_ASSIGNPRIMARYTOKEN_NAME privilege
if the token is not assignable.
and the error is (from the page you linked to!):
ERROR_PRIVILEGE_NOT_HELD
1314 (0x522)
A required privilege is not held by the client.
This is actually a very tricky Task you want to accomplish. There are very strict security policies which make it very difficult.
As far as I know you can do it with psexec. It has a commandline Switch which enables user interaction but running the process as admin. I think your command should look like the following:
psexec \\target-computer -i -s [your command]
Another way to do it is using WMI. But for this you Need to Change the security Settings of the target machine (probably using GPO's). You Need to connect to the target machine using impersonation Level deletgate see here. Additionally as said before, you Need to Change the security Settings. See here
I am tryying my hands on the WSO2 BAM.
I tried to run the examples (“HTTPD Logs Analysis” or “KPI Monitoring Sample”), but I get the following message after creating the toolbox, upon the publishing of data:
java.io.IOException : Cannot run program in “C:\Program” (in directory “C:\wso2bam-2.3.0”): CreateProcess error=2 , The specified file cannot be found.
Any tips on this issue?
Some times in windows 'Programs Files' cause problem due to space in it. Therefore if you have WSO2 BAM distribution within C:\Program Files or you have space in the distribution path some where, please change it to a location without space.
And also check where your java installation is in. That also should be in a location which doesn't have space in the path.
Please check both, that will resolve your problem.
i created a windows service in c++ and when i try start the service i get the message error 5: access denied.
my user account is set to admin and i even tried using the default admin account on the computer and it still doesn't work.
i can install/uninstall the service through the cmd without problems but i can't start the service
the code isn't the problem here its the user account. any suggestions on how to fix this?
"Running a service" is not simply "starting a program on my desktop". It does not necessarily run as "you".
The service is detached from any desktops and it actually ignores your user account. The service will have its own account/password configuration stored in the OS and when you run it, you only order it to start up. It will startup on its own user account. If you have put your .exe/.dll files in some protected folder, and if you have not configured neither the accessrights to that files nor user-pass for the service, then there's great odds that the service tries to run at default service user account like 'LocalService' or 'NetworkService' and that it simply cannot touch the files.
If you installed the service properly, go to ControlPanel - AdministrativeTools - Services, find your service and check the (if I remember well) second tab and verify that the username presented here has access to the files that are tried to be loaded and run. If the username is wrong, correct it. If you don't care about the username, then just peek that name and set accessrights on the folder and/or files such that at least both "read directry contents" and "read" and "execute" are available for that-username-the-service-tries-to-run-as.