Why does a domain account need to be added to Debugger Users?

Guest

I have been struggling to install a set of .NET services on Windows 2003 (that have been working without any problems on a Win 2000 box.) The services and scheduled jobs run as a low-privilege domain account to control database access and permissions.

Now I have been able to track down the failures to this scenario. When I open up a CMD prompt using runas to use the credentials of the domain account, and try to execute my ordinary .NET executable:

MyDotNetExe.exe /foo=blah /bleek=glorb

I get a window popping informing me that "JIT debugging failed with the following error: Access is denied." Running this command as me (an administrator) works. When I add the domain account to Debugger Users the "Access Denied" error goes away (...now I get another error - see below.)

Now I know that to debug web projects in VS.NET you might need to add the local ASPNET account to Debugger Users, but I can't see why running an ordinary Release build exe makes .NET think the account needs debugging privileges. Or does something need to get configured differently on Windows 2003 Server?

The next error I get is this:
Unhandled Exception: System.Security.SecurityException: Requested registry access is not allowed.
at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
at System.Diagnostics.EventLog.CreateEventSource(String source, String logName, String machineName, Boolean useMutex)
at System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
at System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
at System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID, Int16 category)
at System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID)
at System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type)
at MyAssembly.MyNameSpace.MyDotNetExe.Main(String[] args)

Why would writing to the event log fail? What registry key is it trying to look up? I could add the domain account to the administrators group, but this kinda defeats the purpose of using a low-privilege domain account, doesn't it?
 
mikeb

Anthony said:
I have been struggling to install a set of .NET services on Windows 2003 (that have been working without any problems on a Win 2000 box.) The services and scheduled jobs run as a low-privilege domain account to control database access and permissions.

Now I have been able to track down the failures to this scenario. When I open up a CMD prompt using runas to use the credentials of the domain account, and try to execute my ordinary .NET executable:

MyDotNetExe.exe /foo=blah /bleek=glorb

I get a window popping informing me that "JIT debugging failed with the following error: Access is denied." Running this command as me (an administrator) works. When I add the domain account to Debugger Users the "Access Denied" error goes away (...now I get another error - see below.)

Now I know that to debug web projects in VS.NET you might need to add the local ASPNET account to Debugger Users, but I can't see why running an ordinary Release build exe makes .NET think the account needs debugging privileges. Or does something need to get configured differently on Windows 2003 Server?

The next error I get is this:
Unhandled Exception: System.Security.SecurityException: Requested registry access is not allowed.
at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
at System.Diagnostics.EventLog.CreateEventSource(String source, String logName, String machineName, Boolean useMutex)
at System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
at System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
at System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID, Int16 category)
at System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID)
at System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type)
at MyAssembly.MyNameSpace.MyDotNetExe.Main(String[] args)

Why would writing to the event log fail? What registry key is it trying to look up? I could add the domain account to the administrators group, but this kinda defeats the purpose of using a low-privilege domain account, doesn't it?

If your event log source is not already configured in the registry,
WriteEntry() will try to create it. By default, you need to be an
administrator to create this entry. That's why writing to the event log
is throwing an exception.

Now, since the exception is not caught, and there's a JIT debugger
configured on the machine, the system will try to start up the debugger
because of the exception. Since the user running the process doesn't
have debug privileges, you get your "JIT debugging failed..." message box.

The fix for your problem is to have the event log source configured when
you install the web application. Unfortunately, this means that 'xcopy
deployment' won't work in your case.
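The install-time versus run-time split mikeb describes, as an added C# example (not code from the thread or from the poster's project). The source name MyDotNetExe and the helper names EnsureEventSource and TryWriteEntry are assumptions; CreateEventSource(source, logName) is the .NET 1.1 overload that the stack trace above shows WriteEntry calling implicitly when the source is missing.

```csharp
using System;
using System.Diagnostics;
using System.Security;

// Added example: registers the event source once, as an administrator, at
// install time, and makes the run-time write path fail closed instead of
// throwing a second unhandled exception from inside the error handler.
static class SafeEventLog
{
    const string Source = "MyDotNetExe";   // assumed source name
    const string LogName = "Application";  // assumed target log

    // Run under an administrator account by the installer (or once by hand).
    // CreateEventSource writes a subkey under
    // HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application, which is
    // the registry write the low-privilege account is denied at run time.
    public static void EnsureEventSource()
    {
        if (!EventLog.SourceExists(Source))
        {
            EventLog.CreateEventSource(Source, LogName);
            Console.WriteLine("Registered event source '{0}' in the {1} log.", Source, LogName);
        }
    }

    // Called at run time by the low-privilege service account. Returns false
    // rather than throwing, so a logging failure never becomes the unhandled
    // exception that hands control to the JIT debugger.
    public static bool TryWriteEntry(string message, EventLogEntryType type)
    {
        try
        {
            // Caveat: SourceExists enumerates every log's registry key and can
            // itself throw SecurityException for a non-administrator when the
            // source is absent. The catch below covers that case as well.
            if (!EventLog.SourceExists(Source))
            {
                Console.Error.WriteLine(
                    "Event source '{0}' is not registered; run the installer as an administrator.", Source);
                return false;
            }
            EventLog.WriteEntry(Source, message, type);
            return true;
        }
        catch (SecurityException ex)
        {
            Console.Error.WriteLine("Event log write denied: {0}", ex.Message);
            return false;
        }
    }

    static int Main(string[] args)
    {
        if (args.Length > 0 && args[0] == "/install")
        {
            EnsureEventSource();
            return 0;
        }
        try
        {
            // Constructed failure standing in for an exception from the worker DLL.
            throw new InvalidOperationException("simulated failure from the worker DLL");
        }
        catch (Exception ex)
        {
            if (!TryWriteEntry(ex.ToString(), EventLogEntryType.Error))
                Console.Error.WriteLine(ex);   // fall back to stderr so the failure is still recorded
            return 1;
        }
    }
}
```

Run `MyDotNetExe.exe /install` once from an elevated prompt, then the scheduled job can run as the low-privilege domain account with no Debugger Users membership and no "Debug Programs" right. The point of the `catch` is that the original failure is still reported (to stderr here) instead of being masked by a second, unrelated exception in the logging call.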
 
Guest

Thanks Mike - that makes sense. However I have run the exe from the command line with administrator privileges, and the exe runs fine. Wouldn't this suggest that the event log source has been registered at this point?

Why does the exception re-occur after this has happened?
 
Jeffrey Tan[MSFT]

Hi munter,

Thanks for your feedback.

Is your application a Web Service or another type?

What exactly does your application do? Can you show us some code snippet to
reproduce your problem?

Normally, for the registry, each registry key's permission set is
determined per user account; you can use RegEdit.exe to open it, select a
node, then right-click and choose "Permissions..." to configure that
registry node's permissions.

For the Event Log, security and permissions for user accounts are documented in
MSDN; please refer to:
"Event Logging Security"
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/event_logging_security.asp

Thank you for your patience and cooperation. If you have any questions or
concerns, please feel free to post it in the group. I am standing by to be
of assistance.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
Guest

In this case, the exe being called is simply a means to call another DLL, a .NET assembly which in turn runs code that updates a database, sends emails via CDOSYS, performs logging and so on. The executable just calls a public function exposed by the DLL. The executable is being executed as a scheduled job using our own task scheduler.

When I call the executable with Admin privileges, the full code runs fine. When the same code is run using the credentials of the domain account it fails. (I can add this account to Users or Power Users on the server, it still fails.) Only when I add the domain account to the Administrators group does the code succeed. This same code works fine on a Windows 2000 server, without the domain account having to be added to any local groups (domain accounts are already in the User group).

When the DLL loads up it has to read a registry key to find the location of a config file. The executable only writes to the event log if an unhandled exception is thrown from the DLL. There are no other requirements for this code to write to the event log (it is not running as a service, for instance).

Does Windows 2003 have tighter security policies than Windows 2000?

I am also having problems with the use of the registry to store the username and password for impersonation for the web-site I have installed (using aspnet_setreg). If I store the user-name and password in the web.config file, it works fine. Using aspnet_setreg returns an error. The same aspnet_setreg command and web.config entry work fine on Windows 2000. I am using dotnet framework 1.1 on both machines.
 
mikeb

Anthony said:
Thanks Mike - that makes sense. However I have run the exe from the command line with administrator privileges, and the exe runs fine. Wouldn't this suggest that the event log source has been registered at this point?

That seems a reasonable expectation. I don't have time to test this
right now (maybe over the weekend).

In the meantime, I'd take a look at the permissions assigned to the

HKLM\System\CurrentControlSet\Services\EventLog\Application

registry key, and see if they are set in such a way that your ASPNET
account (or is it the IUSR_ComputerName account?) has permission to read
the key and its subkeys.

You might want to add read permissions to the Everyone group for testing
this, then if it works narrow down the permission to see exactly what
the issue is.
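The permission check mikeb suggests doing in RegEdit, as an added C# example (not code from the thread). It dumps the DACL of the Application event log key and reports whether a named account or group holds an Allow for ReadKey that inherits to the per-source subkeys. The helper name HasInheritedRead is an assumption, and RegistrySecurity requires .NET 2.0 or later, so on the thread's 1.1 servers RegEdit remains the way to read this.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

// Added example: reviews who can read the Application event log key and its
// subkeys without opening RegEdit, so a missing read grant for a service
// account can be found before widening the ACL.
static class EventLogKeyAcl
{
    // Key named in the thread; every registered source is a subkey of it.
    const string KeyPath = @"SYSTEM\CurrentControlSet\Services\EventLog\Application";

    // Returns true when an ACE names accountName (e.g. "Everyone", "Users" or
    // "DOMAIN\svc_account"), allows ReadKey and inherits to subkeys. An
    // explicit Deny touching ReadKey for that name returns false immediately.
    public static bool HasInheritedRead(string accountName)
    {
        bool granted = false;
        // Default read access (KEY_READ) includes READ_CONTROL, enough to read the DACL.
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(KeyPath, false))
        {
            if (key == null)
                throw new InvalidOperationException("Key not found: " + KeyPath);

            RegistrySecurity sec = key.GetAccessControl(AccessControlSections.Access);
            foreach (RegistryAccessRule rule in sec.GetAccessRules(true, true, typeof(NTAccount)))
            {
                bool inherits = (rule.InheritanceFlags & InheritanceFlags.ContainerInherit) != 0;
                Console.WriteLine("{0,-5} {1,-40} {2,-45} inherits={3}",
                    rule.AccessControlType, rule.IdentityReference.Value, rule.RegistryRights, inherits);

                string who = rule.IdentityReference.Value;
                bool nameMatches =
                    string.Equals(who, accountName, StringComparison.OrdinalIgnoreCase) ||
                    who.EndsWith("\\" + accountName, StringComparison.OrdinalIgnoreCase);
                if (!nameMatches)
                    continue;

                if (rule.AccessControlType == AccessControlType.Deny &&
                    (rule.RegistryRights & RegistryRights.ReadKey) != 0)
                    return false;   // a Deny on any read bit wins over every Allow

                bool fullRead = (rule.RegistryRights & RegistryRights.ReadKey) == RegistryRights.ReadKey;
                if (rule.AccessControlType == AccessControlType.Allow && fullRead && inherits)
                    granted = true;
            }
        }
        return granted;
    }

    static void Main(string[] args)
    {
        string account = args.Length > 0 ? args[0] : "Everyone";
        Console.WriteLine("{0} has inherited ReadKey on {1}: {2}", account, KeyPath, HasInheritedRead(account));
    }
}
```

The check only matches ACEs that name the account directly; a grant the service account receives through group membership (Users, Authenticated Users) shows up in the printed listing under the group's name, not under the account's. Reading the listing first, as mikeb suggests, is the point: it tells you which principal to narrow the permission to once a broad test grant has confirmed the read is the missing piece.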
 
Tian Min Huang

Hi,

Based on my experience, your domain account may not have permissions to run
debug tools on Windows 2003. There are two places to check:

1. Make sure your Machine Policies allow your userid to debug:
"Administrative Tools" -> "Local Security Settings" -> "Local Policies" -> "User Rights Assignments" -> "Debug Programs"

2. Make sure your user id is added to the Group "Debugger Users":
"Administrative Tools" -> "Computer Management" -> "Local Users And Groups" -> Groups

Hope this helps.

Regards,

HuangTM
Microsoft Online Partner Support
MCSE/MCSD

Get Secure! -- www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
Jeffrey Tan[MSFT]

Hi munter,

Does my colleague Tim's reply make sense to you? Do you still have concerns
about this issue?

Please feel free to give feedback. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 