I'm attempting to use qWAVE (on Windows Server 2008 R2) to set arbitrary DSCP values on socket traffic. I think I'm setting up the flow correctly, but when I try to call QOSSetFlow(), I'm getting an ERROR_ACCESS_DENIED error ("The calling application does not have sufficient privileges for the requested operation."). The user that's running this code is a member of the Administrators group, and I've looked through the various security policies but didn't see anything that looked relevant. Does anyone know what permission I need to give the user to get this API to work?
Thanks!
UPDATE: I've got a test program that just tries to set the DSCP values, and when I check "Run as Administrator" under the Compatibility menu everything works fine. So the code is okay, and the Administrator User has the necessary permissions. Unfortunately the actual service can't be run as the Administrator User. Is there a way to give the Administrators Group (or a specific user) some of the permissions that the Administrator User has?
I have a problem signing into my Microsoft account from my local account on my machine. This used to be my work laptop; I bought it after I left the company. I could sign in with my domain user without any problems. Since I left the domain I lost this account.
I am trying the "Sign in with Microsoft account instead" option in Accounts -> Your info. After I enter my Microsoft account credentials and my local user password I get the message "Oops something went wrong. Whatever happen it was probably our fault". Good one, Microsoft.
Also, similarly, when I try to add an account to the Calendar app I end up with the same problem, but here I got more information: "You will need the internet for this. It doesn't look like you're connected to the internet. Check your connection and try again. 0x800704cf". This led me to run the Network troubleshooter, and this error came up:
Your computer appears to be correctly configured, but the device or
resource (www.microsoft.com) is not responding
Contact your network administrator or Internet service provider (ISP)
Completed Windows can't communicate with the device or resource
(www.microsoft.com). The computer or service you are trying to reach
might be temporarily unavailable.
I have tried many ways to fix this (flush DNS, reboot the router, etc.), but I am pretty sure that my problem is not with my internet connection. It works perfectly fine; also note that I was able to check this with 2 internet providers with the same result. Another thing is that this works perfectly fine with other devices in our household.
To me it looks like the system doesn't see microsoft.com. The only thing I am able to work with is OneDrive.
I am pretty sure I would be able to fix this by resetting Windows 10, but I don't want to lose my installed programs (and licenses).
Any advice will be appreciated. I really ran out of options.
After doing many, many things, the only thing that helped was resetting the PC. It always does help.
So I was following this tutorial http://code.msdn.microsoft.com/windowsdesktop/CppWindowsService-cacf4948
and I was having problems starting the service in the Service Management Console. I was getting the error message 'windows cannot start the service on local computer error 5 access is denied'.
But I found that in the properties of the service I'm trying to start, if I go to the Log On tab and select "Local System account" instead of "This account", it works.
I just want to know what actually happened here, and does it affect the service in any way?
You have changed the account that is running the service. This may have a lot of implications, most importantly involving permissions. It is always important from a security standpoint to limit the permissions a service has.
Also, a user needs to have some permissions to be able to run a service (for instance "Log on as a service"). These can be set in Local Security Policy -> User Rights Assignment (this may vary depending on the Windows version you are running). The user you try to run the service with seems not to have enough permissions to run your service. Try to investigate why that is.
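As an added PowerShell example (not code from the answer above), this grants a dedicated account the "Log on as a service" right the answer mentions and then moves the service onto that account instead of LocalSystem. It assumes an elevated session; the service and account names are placeholders.

```powershell
# Added example: least-privilege service account instead of LocalSystem.
# secedit edits the same policy shown under User Rights Assignment in secpol.msc.
$ServiceName    = 'CppWindowsService'                  # placeholder service name
$ServiceAccount = "$env:COMPUTERNAME\svc_example"      # placeholder account (DOMAIN\user also works)
$Credential     = Get-Credential -UserName $ServiceAccount -Message 'Service account password'

# secedit stores user rights as lists of *SID, so resolve the account name first.
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the USER_RIGHTS area, add the SID to SeServiceLogonRight, re-import.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
$idx = [Array]::FindIndex([string[]]$lines,
           [Predicate[string]]{ param($l) $l -like 'SeServiceLogonRight*' })
if ($idx -ge 0) {
    # Append to the existing holders; never replace the list or other accounts lose the right.
    if ($lines[$idx] -notlike "*$sid*") { $lines[$idx] += ",*$sid" }
} else {
    # Nobody holds the right yet: create the entry under [Privilege Rights].
    $lines = $lines -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeServiceLogonRight = *$sid"
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode     # secedit expects a Unicode .inf
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg, $db -ErrorAction SilentlyContinue

# Switch the service's logon account. sc.exe needs the space after "obj=" and "password=".
$pw = $Credential.GetNetworkCredential().Password
sc.exe config $ServiceName obj= $ServiceAccount password= $pw | Out-Null
Restart-Service -Name $ServiceName
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" | Select-Object Name, StartName, State
```

If the service still fails with error 5 after this, the account usually also lacks NTFS read/execute on the service binary or its working directory, which is a separate check from the logon right.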
I need the ability in C++ code to log off the console user when called from an administrator process, or if it is called by that user, and maybe from a Windows service in the future. The issue I am running into is that ExitWindowsEx will only log off the user that calls it. If an administrator process calls a logoff, the console user is unaffected. The only application that I know of that can do this is psShutdown.exe, except that psShutdown can only be run by the administrator. Does anyone know in C++ how to identify the console user and then do a logoff against that user? What is the magic inside psShutdown? I'm looking for something that works in Windows XP and up. Also, I cannot use WMI because some machines are running Windows Embedded and do not have WMI.
(The reason psShutdown.exe must be run as administrator is because it installs a service, and a normal user does not have the rights to do this.)
Use WTSGetActiveConsoleSessionId to identify the console session, but to go further you are going to need some permissions, you would have to call WTSQueryUserToken (You need to run as SYSTEM to do this) to get a token handle and then CreateProcessAsUser or impersonate and call ExitWindowsEx, or if you are not in a service, call WTSLogoffSession. (I tried calling WTSLogoffSession on my XP box and it did not work, probably because the terminal server service is not running on this system)
I have never actually done this, but it seems like it should be possible with the combination of WTSGetActiveConsoleSessionId() and WTSLogoffSession().
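The API sequence both answers describe, as an added PowerShell example (not code from either answer). It assumes an elevated session on the local machine and, as the first answer notes, a running Remote Desktop Services (Terminal Services) service; the function names are my own.

```powershell
# Added example: find the console session and the user logged on there, then log it off.
Add-Type -Namespace Win32 -Name Wts -MemberDefinition @'
[DllImport("kernel32.dll")] public static extern uint WTSGetActiveConsoleSessionId();
[DllImport("wtsapi32.dll", SetLastError=true)] public static extern bool WTSQuerySessionInformation(
    IntPtr server, uint sessionId, int infoClass, out IntPtr buffer, out uint bytes);
[DllImport("wtsapi32.dll")] public static extern void WTSFreeMemory(IntPtr buffer);
[DllImport("wtsapi32.dll", SetLastError=true)] public static extern bool WTSLogoffSession(
    IntPtr server, uint sessionId, bool wait);
'@

function Get-ConsoleSessionUser {
    # Returns the active console session id and the DOMAIN\user logged on there, or $null.
    $sessionId = [Win32.Wts]::WTSGetActiveConsoleSessionId()
    if ($sessionId -eq [uint32]::MaxValue) { return $null }   # 0xFFFFFFFF: nothing on the console
    $parts = foreach ($infoClass in 7, 5) {                   # WTSDomainName = 7, WTSUserName = 5
        $buf = [IntPtr]::Zero; [uint32]$len = 0
        # IntPtr.Zero is WTS_CURRENT_SERVER_HANDLE, i.e. the local machine.
        if ([Win32.Wts]::WTSQuerySessionInformation([IntPtr]::Zero, $sessionId, $infoClass, [ref]$buf, [ref]$len)) {
            try     { [Runtime.InteropServices.Marshal]::PtrToStringAnsi($buf) }
            finally { [Win32.Wts]::WTSFreeMemory($buf) }
        }
    }
    [pscustomobject]@{ SessionId = $sessionId; User = ($parts -join '\') }
}

function Stop-ConsoleSession {
    # Logs off the console session rather than the caller's own session, which is
    # exactly what ExitWindowsEx cannot do. -Wait blocks until the logoff completes.
    param([switch]$Wait)
    $info = Get-ConsoleSessionUser
    if (-not $info) { throw 'No active console session.' }
    Write-Verbose "Logging off $($info.User) (session $($info.SessionId))" -Verbose
    if (-not [Win32.Wts]::WTSLogoffSession([IntPtr]::Zero, $info.SessionId, [bool]$Wait)) {
        throw [ComponentModel.Win32Exception]::new([Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
}

Get-ConsoleSessionUser        # inspect who is on the console first
# Stop-ConsoleSession -Wait   # then log that session off when intended
```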
I'm doing some crazy impersonation stuff to get around UAC dialogs in Windows 7 so the user does not have to interact with the UI (I have the admin creds of course).
I have a process running as the Administrator and elevated past UAC. The issue that I'm facing is that when I make a call to WNetAddConnection2, within this process, I am not getting a new mapped net drive. The function returns ERROR_SUCCESS but no net drive is visible. We have another method of adding network drives using 'subst', but this, again, returns successful but does not add a net drive. I have tried to use the default user (which is the Administrator because of the process's security context) and I have tried using specific user credentials. I can map the drive just fine through Explorer.
Of course the same functionality works fine in XP/2003. I haven't got around to testing on Vista because of issues with impersonation that are limiting my ability to spin up the process. Are there unique Windows 7 limits on this function? MSDN does not glean any that I can find.
Any help would be greatly appreciated!
The issue was that the process was running as Administrator. Impersonation will not work because WNetAddConnection2 evaluates on the process's user. You must start a separate process to accomplish this.
Are there any alternatives to LogonUser for impersonating a given account in order to access network resources? I'm looking for a method of impersonation which would let me connect to machines in foreign domains (or workgroup machines, for that matter).
For initial data I have: machine name, username (or domain\username), cleartext password.
I know there's a way to establish a connection using WNetAddConnection to \\machinename\ipc$; then most network functions will run in the context of that account. However, Win2008 added another twist, and some functions still use the account that the thread is running under.
I'm also aware that there's some way to get an impersonation token using SSPI. Has anyone experimented with those tokens; are they good for accessing shares, SCM, remote registry and such? Is this what WNetAddConnection is using?
EDIT: To clarify, the reason I cannot use LogonUser is because I need to impersonate a user in a non-trusted domain or workgroup.
EDIT2: Another clarification: the item I'm trying to implement is similar to psexec, e.g.:
- the program should not modify host or Active Directory configuration (e.g. create temporary local users, etc.). Moreover, no assumption can be made about whether it is running on a DC or not;
- there can be no assumptions made about which software is pre-installed on the remote host; the only condition given is that Windows file sharing is enabled on the target;
- the account/password is known to be working on the target, but the target machine may be in the local domain, a foreign domain, or not in a domain at all.
EDIT3: I would really love to hear more about SSPI InitializeSecurityContext / AcquireCredentialsHandle option. Is there anybody who has been working with this API extensively? Is it possible to use the tokens returned with impersonation, so that a thread can access network shares and copy files, etc? Can someone post a working code snippet?
EDIT4: Thanks to Marsh Ray, the problem got resolved. If anyone is looking to see the proof-of-concept code, it is here
If you're wanting to "access network resources" outside of your forest, do that with WNetAddConnection2/3 as you mentioned, or use the standard RPC APIs with RPC_C_AUTHN_GSS_NEGOTIATE and an explicit credentials structure.
Normally, "impersonation" is something that happens on the server side. The server side will be able to impersonate the connection as the account you're connecting as.
But the key is this: impersonation only makes sense for impersonating an account the server can access in his local SAM/domain/forest directory. If the client and server are in different forests, they clearly can't agree on the SID of an account for an impersonation token (except for the case of well-known SIDs like Administrator which serve mainly to confuse this kind of thing), and that seems necessary to check against DACLs etc.
Perhaps what you want is to call LogonUserEx with the LOGON32_LOGON_NEW_CREDENTIALS flag. This should succeed (even in a different forest - it doesn't actually authenticate the credentials you give it) giving you a token with the username/password you specified. You may have to use DuplicateToken to turn this into an impersonation token. Then you can use SetThreadToken to replace the token on your thread.
IMHO this isn't really "impersonation", you're just using the credentials outright, but it allows you to access network resources transparently as the arbitrary username/password you supply.
Edit: Oh yeah, be aware that there is no protection against man-in-the-middle on this type of connection. The client especially cannot strongly authenticate the server (short of heroics like IPSEC), so in theory you can't trust anything the server tells you.
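The new-credentials approach from this answer, as an added PowerShell example (my code, not Marsh Ray's proof-of-concept). It uses ImpersonateLoggedOnUser in place of the DuplicateToken + SetThreadToken pair, which is equivalent for a thread-level impersonation token; the function name and \\remotehost\share are placeholders.

```powershell
# Added example: outbound-only credentials via LOGON32_LOGON_NEW_CREDENTIALS.
Add-Type -Namespace Win32 -Name Logon -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
                                    int logonType, int logonProvider, out IntPtr token);
[DllImport("advapi32.dll", SetLastError=true)] public static extern bool ImpersonateLoggedOnUser(IntPtr token);
[DllImport("advapi32.dll", SetLastError=true)] public static extern bool RevertToSelf();
[DllImport("kernel32.dll", SetLastError=true)] public static extern bool CloseHandle(IntPtr handle);
'@

function Invoke-WithNetworkCredential {
    # Runs $Action on the current thread while outbound authentication (SMB, RPC,
    # remote registry, SCM) uses $Credential. Local access keeps the caller's identity.
    param(
        [Parameter(Mandatory)][pscredential]$Credential,   # use DOMAIN\user or HOST\user
        [Parameter(Mandatory)][scriptblock]$Action
    )
    $nc    = $Credential.GetNetworkCredential()
    $token = [IntPtr]::Zero
    # LOGON32_LOGON_NEW_CREDENTIALS = 9 requires LOGON32_PROVIDER_WINNT50 = 3.
    # Nothing is validated locally: a wrong password only surfaces as access denied
    # at the remote host, and (as the answer's edit warns) the server is not authenticated.
    if (-not [Win32.Logon]::LogonUser($nc.UserName, $nc.Domain, $nc.Password, 9, 3, [ref]$token)) {
        throw [ComponentModel.Win32Exception]::new([Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    try {
        # Same effect as DuplicateToken + SetThreadToken on this thread.
        if (-not [Win32.Logon]::ImpersonateLoggedOnUser($token)) {
            throw [ComponentModel.Win32Exception]::new([Runtime.InteropServices.Marshal]::GetLastWin32Error())
        }
        try { & $Action } finally { [void][Win32.Logon]::RevertToSelf() }   # always drop the token
    } finally {
        [void][Win32.Logon]::CloseHandle($token)
    }
}

# Usage with a placeholder host/share: the listing is fetched as the supplied account.
$cred = Get-Credential -Message 'Account valid on the remote host (HOST\user or DOMAIN\user)'
Invoke-WithNetworkCredential -Credential $cred -Action { Get-ChildItem '\\remotehost\share' }
```

Because the token only affects the thread that impersonates, anything you hand off to another thread or process (a runspace, Start-Job, a child process) runs as the caller again, which matches the single-thread limitation a later answer points out.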
The theory goes that you pass the credentials as a SEC_WINNT_AUTH_IDENTITY structure to the AcquireCredentialsHandle function that creates the handle used in InitializeSecurityContext. I never tried this on foreign domains though and I don't know if it works.
Doing this directly and reliably via the Windows API seems next to impossible; plus, Windows does so much work behind the scenes to make network access "just work". Plus, the impersonation side of things only works for the single thread that called the APIs.
But... you can run a whole program under a different user... such as when you run a service.
So you could edit the registry in your main program to run various services under different security tokens and use IPC/sockets to communicate with those processes from your main application, i.e. a whole bunch of helper processes (or restarting and reconfiguring the same process) running under the different user(s) which your main app abuses.
I realize this is a hack but it seems viable ;)
You could open a command line and map the drive using the plaintext username and password, then disconnect the drive:
net use m: \\machinename\share password /user:username
... do stuff ...
net use m: /delete
http://technet.microsoft.com/en-us/library/cc756153(WS.10).aspx