Service, Requested registry access is not allowed

Yes I know there are a zillion threads about the security exception "Requested registry access is not allowed" but I feel I went by the book and it still does not work.

I've written a Windows service using the Service Template in VSC#. The Service needs to write to a customized eventlog. I also included a Setup&deployment project and added an installer to the service project installing the Eventlog. After the installer runs successfully the Eventlog entry is available in the Registry. The services however cannot write entries to this eventlog, throwing the exception mentioned.

So the installer is run under Admin priv's and therefore can create the eventlog. The service run under LocalSystem, LocalService, or NetworkService account cannot add to this eventlog. What is wrong here?

Well basically I lied. I did not have the service logon as LocalSystem. With
LocalSystem everything seems to work just fine. :-) So just a helpful hint to all service developers out there. If you plan to write to the (customized) eventlog make sure the service is designed to run under LocalSystem account. In that case you don't even need the installer.

"theking2" wrote:
> Yes I know there are a zillion threads about the security exception
> "Requested registry access is not allowed" but I feel I went by the book and
> it still does not work.
>
> I've written a Windows service using the Service Template in VSC#. The
> Service needs to write to a customized eventlog. I also included a
> Setup&deployment project and added an installer to the service project
> installing the Eventlog. After the installer runs successfully the Eventlog
> entry is available in the Registry. The services however cannot write entries
> to this eventlog, throwing the exception mentioned.
> So the installer is run under Admin priv's and therefore can create the
> eventlog. The service run under LocalSystem, LocalService, or NetworkService
> account cannot add to this eventlog. What is wrong here?

Actually, this isn't true. I have several .NET-based Windows services that
write to a custom event log and work fine running under Network Service. Running with escalated privileges under the local System account is a bad idea and something you should avoid if possible.

I'd suggest figuring out if this is an NT ACLs issue or something weird in .NET that is causing the problem. Regmon and Filemon from Sysinternals can quickly determine the former for you. Just look for an access denied message when your service tries to write to the event source.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"theking2" <theki***@discussions.microsoft.com> wrote in message news:089E07B1-D88A-43FB-9340-E10A02B21EA4@microsoft.com...
> Well basically I lied. I did not have the service logon as LocalSystem. With
> LocalSystem everything seems to work just fine. :-) So just a helpful hint to
> all service developers out there. If you plan to write to the (customized)
> eventlog make sure the service is designed to run under LocalSystem account.
> In that case you don't even need the installer.

I agree, Joe, it is not a great idea to elevate rights to circumvent access
rights issues. Therefore I had included an installer to set up the required eventlog assuming that the user installing the service has appropriate rights. The service and eventlogs are installed; still the service when run under "NetworkService" throws the exception at the first WriteEntry which also happens to be in the OnStart event.

The key that defies opening is "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security". Which is performed directly after accessing "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Auto Recharge Service".

I'm not sure what the eventLog instance does with the Security or Application key as AutoLog for the service is switched off (false). All code related to setting up the eventlog instance is VS generated. Either this generation is wrong (as in "contains a bug"), the .NET Framework performs some incompatible updates, or there is a setting I've overlooked.

--
It is not a good omen when gold-fish commit suicide.

"Joe Kaplan (MVP - ADSI)" wrote:
> Actually, this isn't true. I have several .NET-based Windows services that
> write to a custom event log and work fine running under Network Service.
> Running with escalated privileges under the local System account is a bad
> idea and something you should avoid if possible.
>
> I'd suggest figuring out if this is an NT ACLs issue or something weird in
> .NET that is causing the problem. Regmon and Filemon from Sysinternals can
> quickly determine the former for you. Just look for an access denied
> message when your service tries to write to the event source.
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> --

Did you check regmon and filemon to see if there was an access denied error
generated like I suggested? This might help determine the root cause of the problem.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"theking2" <theki***@discussions.microsoft.com> wrote in message news:578A9968-1561-491B-8EBF-D132165A2F2B@microsoft.com...
> I agree, Joe, it is not a great idea to elevate rights to circumvent access
> rights issues. Therefore I had included an installer to set up the required
> eventlog assuming that the user installing the service has appropriate
> rights. The service and eventlogs are installed; still the service when run
> under "NetworkService" throws the exception at the first WriteEntry which
> also happens to be in the OnStart event.
>
> The key that defies opening is
> "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security". Which is
> performed directly after accessing
> "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Auto Recharge
> Service".
>
> I'm not sure what the eventLog instance does with the Security or
> Application key as AutoLog for the service is switched off (false). All code
> related to setting up the eventlog instance is VS generated. Either this
> generation is wrong (as in "contains a bug"), the .NET Framework performs
> some incompatible updates, or there is a setting I've overlooked.

If your event log source is not registered, or if it is registered against a
log with a name greater than "Security" (in alphabetical order), versions 1.x of the .NET Framework will throw an exception when they attempt to determine if the source is registered under the Security log when running under an account that does not have permissions to the corresponding registry key. If your source should be registered under the Application log, the throwing of this exception would be a pretty clear indicator that your source is not registered.

"theking2" <theki***@discussions.microsoft.com> wrote in message news:578A9968-1561-491B-8EBF-D132165A2F2B@microsoft.com...
> I agree, Joe, it is not a great idea to elevate rights to circumvent access
> rights issues. Therefore I had included an installer to set up the required
> eventlog assuming that the user installing the service has appropriate
> rights. The service and eventlogs are installed; still the service when run
> under "NetworkService" throws the exception at the first WriteEntry which
> also happens to be in the OnStart event.
>
> The key that defies opening is
> "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security". Which is
> performed directly after accessing
> "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Auto Recharge
> Service".
>
> I'm not sure what the eventLog instance does with the Security or
> Application key as AutoLog for the service is switched off (false). All code
> related to setting up the eventlog instance is VS generated. Either this
> generation is wrong (as in "contains a bug"), the .NET Framework performs
> some incompatible updates, or there is a setting I've overlooked.
>
> --
> It is not a good omen when gold-fish commit suicide.
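The last reply's diagnosis, turned into a check a service can run under a low-privilege account (an added example, not code from the thread): it opens only the source's expected registry key instead of relying on a search across every log, and registration is left to the elevated installer. The log and source names come from the registry path quoted in the thread; the class and method names are hypothetical.

```csharp
using System.Diagnostics;
using System.Security;
using Microsoft.Win32;

// Added example. "Application" and "Auto Recharge Service" are the log and
// source named in the thread; EventSourceCheck and its methods are hypothetical.
static class EventSourceCheck
{
    const string LogName = "Application";
    const string Source = "Auto Recharge Service";
    const string EventLogRoot = @"SYSTEM\CurrentControlSet\Services\EventLog";

    // Install time, elevated: EventLog.SourceExists searches every log,
    // Security included, so it belongs here and not in the service itself.
    public static void RegisterSource()
    {
        if (!EventLog.SourceExists(Source))
            EventLog.CreateEventSource(Source, LogName);
    }

    // Run time, low-privilege account: read only the one key we expect.
    // This check never opens the Security log's key.
    public static bool IsSourceRegistered()
    {
        try
        {
            string path = EventLogRoot + "\\" + LogName + "\\" + Source;
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey(path))
            {
                return key != null;
            }
        }
        catch (SecurityException)
        {
            return false; // expected key is unreadable: treat as unusable
        }
    }

    // Write only when the source is known to be registered; otherwise
    // report the real cause instead of a registry access exception.
    public static void Write(string message, EventLogEntryType type)
    {
        if (!IsSourceRegistered())
        {
            Trace.WriteLine("Event source '" + Source + "' is not registered under '"
                + LogName + "'; run the installer as an administrator.");
            return;
        }
        using (EventLog log = new EventLog(LogName, ".", Source))
            log.WriteEntry(message, type);
    }
}
```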