On Windows 10 Enterprise laptops I found the AppIDSvc was stopped and its Startup Type was set to Manual (Trigger start). When I attempted to change the Startup Type to Automatic via the GUI, it produced the error "Access is denied" even though services.msc from run from an elevated cmd prompt.
The only way to work around this was to edit the registry and changing Start=2 at HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc.
I was able to start the service manually. Also I have modified the registry permission to "Full Control". I tried to reinstall Windows from ISO but the problem persists. Unfortunately Microsoft doesn't reply to this problem clearly on MSDN and Support Forum.
Microsoft docs say:
Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service Startup type to Automatic.
They provide a way to start with GPO, although I don't have such setting as they are referring to.
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-the-application-identity-service
Related
I would like to get some help, I'm getting this error when trying to start a windows service and it's driving me crazy. The details are:
I've got a Windows Service developed on VB.NET (VS 2012), it's compiled for a x86 machine.
I used InstallUtil and the "SC CREATE" command to install the service on the customer's server (running under Windows Server 2003).
When I try to start the service, I get the following error message: "Could not start the service on Local Computer. Error 193: 0xc1"
I looked the Event Viewer for some clues, but I couldn't find any very useful info: in the "Application" tab there are no records logged by the service so I assume it's not even running a single line of code. In the "System" tab there are records logged by the Service Control Manager with the following error message: "%1 is not a valid Win32 application."
I did a long research on the web and the only solution provided is checking Windows Registry to find the ImagePath for the service and add some quotes at the beginning and end of the path. This is supposed to solve the problem but it's not working in my case. I have modified several times the ImagePath (I added and removed the quotes, tried with double a triple quotes) but I'm not getting any positive results.
Could someone help me with this? Thanks in advance...
I think that there is a combatibility problem with .net framework that you use and windows server 2003.Do you use .net 4.5?
Windows server 2003 can't run applications which target net framework 4.5.
http://www.microsoft.com/visualstudio/eng/products/compatibility
So you could change your target framework to 4.0.
My problem was due to having my service project configured as a Class Library and not Windows Application in the Application pane of the project properties.
Same original issue but Win Server 2019, also not resolved with quoting the registry ImagePath. However, was resolved by using a NTFS symbolic link for the folder parts of the path.
E.g. instead of the ImagePath registry entry for the Service being:
D:\My Folder\My File.thing
Create a Windows symlink at an elevated-permission Cmd prompt:
d:>mklink /D "myfold~1" "My Folder"
Then use the symlink in the registry ImagePath
D:\myfold~1\My File.thing
We have code that adds Debugger.Launch() and Debugger.Break() on certain condition, and this functionality doesn't seem to work in Windows 8 / Windows Server 2012
In previous versions of Windows this worked just fine, launching a window that would show the Visual Studio Debug dialog.
Is this a new breaking change in Windows8/Windows Server 2012?
There is an open ticket with microsoft connect that contains a temporary workaround for this issue.
Just-In-Time debugging, operation attempted is not supported
From comment below:
Just change HKCR\AppID\{E62A7A31-6025-408E-87F6-81AEB0DC9347}\AppIDFlag from 0x28 to 0x8.
This is indeed a change in Windows 8. I couldn't find any public documentation yet (albeit Win8 hasn't yet shipped to customers). However, I'll ask someone on the relevant team to make this information available on MSDN as appropriate.
This is part of Session 0 isolation work that started in Windows Vista.
To go back to Win7/2008R2 settings you need to do the following:
For the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows, set the "NoInteractiveServices" value to 0, which is (in Windows 8) defaulted to 1. This allows you to manually start the service that facilitates the visual dialog to you in your session, "Interactive Services Detection" (ui0detect). Without setting this key, the ui0detect service will fail to start with an error such as "Function not supported".
net start ui0detect
Of course, you can choose to make this service start automatically with Windows and always boot into being able to debug Session 0 Processes.
I'm having a lot of problems trying to start an application as administrator on an application I'm writing when running it on XP Embedded.
The application runs as the shell for a limited user account and is touch-screen and keyboard-less with one user command being to run the touch screen vendor's calibration tool. This must be run as administrator.
No problem I thought, add user and password information to the ProcessStartInfo and all should be fine. No. The error I get is:
System.ComponentMode.Win32Exception: The specified service does not exist as an installed service.
From some investigation, I've found that:
My Process starting code is correct:
any application can be started successfully on XP Embedded when run as the limited user
any application can be run as Administrator on my own laptop
on XP Embedded, any application is regarded as being a service in the same way, including notepad
if I attempt to start a program from within process explorer, I simply get "Unable to execute process: Access is Denied"
I'm not an XP Embedded expert in anyways so I'd very much appreciate some help. I suspect that there's a configuration setting that has been set when building the XP image that specifically denies access to process creation and that the errors I'm being reported are actually mis-reports from software that's not assuming XP Embedded error codes.
Unfortunately, the people who make the base image aren't around right now so I can't get the current settings.
Thanks in advance if anyone's ever seen this before!
Kev
For the record, it turned out that the "Secondary Logon" service wasn't installed in the image.
The code I had reached down eventually into either CreateProcessWithLogonW or CreateProcessAsUser which ultimately depend on this service running. The "specified service" error was spot on, but not about what I thought it was about. No idea why I got that particular error from Process Explorer.
This is the error that is thrown by our automated build suite on Windows 2008, while running ICEs (after migrating from WiX 2.0 to WiX 3.0):
LGHT0217: Error executing ICE action 'ICE01'. The most common cause of this kind of ICE failure is an incorrectly registered scripting engine. See http://wix.sourceforge.net/faq.html#Error217 for details and how to solve this problem. The following string format was not expected by the external UI message logger: "The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.". in light.exe(0, 0)
The FAQ is now deleted, however, the text from it said:
In WiX v3, Light automatically runs validation-- Windows Installer Internal Consistency Evaluators (ICEs) --after every successful build. Validation is a great way to catch common authoring errors that can lead to service problems, which is why it’s now run by default. Unfortunately, there’s a common issue that occurs on Windows Vista and Windows Server 2008 that can cause ICEs to fail. For details on the cause and how to fix it, see Heath Stewart's Blog and Aaron Stebner's WebLog.
Additionally, these are the errors that show up in the event log:
MSIInstaller: Failed to connect to server. Error: 0x80070005
Product: [ProductName] -- Error 1719. The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
Intuitively:
VBScript and JScript were registered under admin.
Integration service has permissions for the desktop interaction and all the files
Builds succeed, when executed manually on the same machine by another user or even user logged in as integration account (via RDP)
I'm out of ideas so far.
How do I solve this problem while keeping ICE validation?
End of the story:
After fiddling with the permissions of the integration account, DCOM, service activation, etc. without any luck, I finally simply disabled ICE validation in the continuous integration build, while still keeping it in the local build.
To disable ICE validation you can set SuppressValidation to true in the .wixproj file:
<PropertyGroup>
<SuppressValidation>true</SuppressValidation>
</PropertyGroup>
Or pass the -sval command line option to light.exe.
Adding the TFS build controller account to local admin group and restarting the windows service did the job for me.
I found the root cause. I tried everything I found, including custom validator extension similar to one posted in Re: [WiX-users] light.exe failed randomly when running ICEs..
It's not a concurrency issue as suggested in various threads. It's caused by a too large Process Environment Block (PEB).
It turns out Windows Installer can’t handle a process environment block larger than 32 kB. In my environment, due to number of variables set by the build system and their size (for example, PATH variable containing multiple duplicated values), PEB was about 34 kB.
Interestingly, per Environment Variables, Windows XP and 2003 had a hard limit of PEB set to 32 kilobytes. That would probably cause an easy-to-catch build break in an earlier phase of the build. Newer Windows' doesn’t have such limit, but I guess that Windows Installer developers limited their internal environment buffers to 32 kB and fail gracefully when the value is exceeded.
The problem can be easily reproduced:
Create a .bat file which sets environment variables which size exceeds 32 kB. For example, it can be 32 lines of set Variable<number>=<text longer than 1024 characters>
Launch cmd.exe
Execute the batch file you created
From the same cmd.exe window:
Try building the MSI package using WiX with ICE validation on OR
Run smoke.exe to validate your package OR
Simply run msiexec /i Package.msi
All the above commands will end up reporting Error 1719 - Windows Installer could not be accessed.
So, the solution is - review your build scripts and reduce number and size of environment variables so they all fit into 32 kB. You can easily verify the results by running:
set > environment.txt
The goal is to get file environment.txt smaller than ~30 kB.
The correct description (without a solution, except if adding the CruiseControl account into local administrators group can pass as a solution) of the problem:
Quote from Wix 3.5 & Cruise Control gives errorLGHT0217:
ICE validation needs an interactive account or administrator privileges to be
happy. See for example WiX Projects vs. TFS 2010 Team Build (2009-11-14) or Re: [WiX-users] Help with building patch (2009-11-20).
imagi is totally right! I could not believe this is the true answer. Supressing validation and making TFS user Administrator are not good solutions. Plus I could not find NT\Authority to add it to Administrators group and was totally stuck in this.
I got the same error on Windows Server 2012 Datacenter as Build Agent.
To solve the problem :
List item
Go to Environment Variables on the build agent machine
Create two System Variables
"PF86" which is equal to "C:\Program Files (x86)"
"PF" which is equal to "C:\Program Files"
They are so short because I want to save characters.I made them without the final backslash because TEMP, TMP and others were made so and I decided to stick to MS standard for these variables.
Edit PATH variable by substituting every "C:\Program Files (x86)" with %PF86% and every "C:\Program Files" with %PF%
Close and build and enjoy!
It worked for me. :)
UPDATE
I found a better solution : Rapid Environment Editor will do all this and even more for you. Automatically.
I faced the same problem and did not like to suppress ICE validation. My setup: I used my own computer as a build agent on Visual Studio Online (VSO). My solution was to change the account used to run the service on my machine. Instead of using Network Service or Local Service I simply made the service log on with my own account which had all the necessary rights.
From http://wix.sourceforge.net/faq.html#Error217:
In WiX v3, Light automatically runs validation--
Windows Installer Internal Consistency Evaluators (ICEs)
--after every successful build. Validation is a
great way to catch common authoring errors that can lead to service problems,
which is why it’s now run by default. Unfortunately, there’s a common issue
that occurs on Windows Vista and Windows Server 2008 that can cause ICEs to
fail. For details on the cause and how to fix it, see
Heath Stewart's Blog
and
Aaron Stebner's WebLog.
I was getting same ICE error, but the problem turned to be corrupted Windows Installer Service.
This solution worked for me:
http://support.microsoft.com/kb/315353
Log on to your computer as an administrator.
Click Start, and then click Run.
In the Open box, type cmd, and then click OK.
At the command prompt, type msiexec.exe /unregister, and then press ENTER.
Type msiexec /regserver, and then press ENTER.
Restart Windows
Also, verify that the SYSTEM account has full control access permissions to the
HKEY_CLASSES_ROOT hive in the Windows registry. In some cases, you may also have to add Administrator accounts.
I have some suggestions.
Try updating the Microsoft Installer version on the build server
Make sure you use the newest release of WiX 3.0, since it's 3.0 release stable now.
If all else fails, try running the build service under a specific build user who you can fiddle with permissions for...
I got this error from my Azure build agent running on-premises.
My solution was to upgrade its user account from "Network Service" to "Local system account".
Go to your build machine and restart the Windows Installer service
None of the above suggestions worked for me, for me the anti-virus (mcafee) came into the picture and looks like it updated the vbscript.dll registry entry to a wrong DLL location. These are the things to keep in mind:
Some of the WiX ICE validations are implemented using VBSCRIPT.
So while compiling the MSI, the build server would need access to the c:\windows\system32\vbscript.dll.
Chances are that somehow the user that runs your build lost access to this DLL.
As mentioned in the above answers do look for the admin access/registry access and make sure your user has it.
Here are the steps that I took to fix the issue:
Open cmd (run as admin) on the build agent machine.
Run RegEdit
Select the root, then click ctrl + f and Search for the following registry entry : {B54F3741-5B07-11cf-A4B0-00AA004A55E8}
Look for the InprocServer32\Default Key
On my build agent, the path was replaced with a mcafee DLL location. I updated the path back to c:\windows\system32\vbscript.dll
Editing the registry entry was not easy, as it was a protected registry entry. I used the below link to get access permissions changed before I could edit the property: Edit protected registry entry
Once I updated the path, everything started working as usual.
My solution is similar to Vladimir's one. My CI user was admin of the computer.
But the following steps were mandatory to allow my jenkins build to succeed:
log in as CI user using rdp
open a dos command prompt
execute: %windir%\system32\msiexec.exe /unregister
execute: %windir%\system32\msiexec.exe /regserver
then i got a successfull job
A colleague has a batch script program which needs to to run on a Windows Server in console mode, so that it has access to a Windows interactive session. The server is rebooted at regular intervals automatically (there's an unrelated closed-source application that runs on this machine that we have no control over). After a reboot he wants to automatically start a Windows interactive session and have this script run, plus the service needs to also have access to network resources (CIFS drives, in particular).
Here's what we've tried so far:
Start as Windows service. This failed, since a Windows service can either have access to interactive session or to network resources, but never both.
Used Microsoft management console to add the script to run at startup, however this did not work.
Used an HKLM registry key to start to run this script, however it only gets started when we manually open a remote desktop session on the server.
Creating a scheduled task. The program invoked did not have access to interactive windows session.
Any other suggestions? (Or maybe he missed something when he set up one of these suggestions?)
In case "Interact with desktop" on the service is not enough (I have seen a handful of cases where it is not), you can combine it with AutoAdminLogon. Create three (or four for a domain) REG_SZ values under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:
DefaultUsername
DefaultPassword
DefaultDomain
AutoAdminLogon
AutoAdminLogon should be set to the string "1", the others are self-explanatory.
Obviously this has security issues big enough to fly Jupiter through.
Have you tried having your script run as a Windows service, but allowing it to interact with the desktop?
Specifically:
Go to the service properties page
Click on the "Log On" tab
Select "Local System account"
Check "Allow service to interact with desktop"
See my similar question and real answer to it: How to start a process from windows service into currently logged in user's session
NOTE: "Interact with desktop" checkbox is not enough at all.
I recommend going about this another way. You could build another Windows app that communicates via IPC to the Windows Service and that could be what deals with the closed souorce application. But if you must, you can specify an option in the service (you can do this through MMC, registry, etc). Basically, you can see this option by going to Computer Management->Services and Applications->Services->Right click your service->Change account to Local System and check "Allow system to interact with desktop."
However, again, I recommend choosing another path.
I had to do something similar recently; a route that I found but discarded due to security concerns is to have the interactive service set self as running in interactive mode and then run the ImpersonateUser function in the win32 API, which I think will provide the benefits of both a user and the interactive session available from the LocalSystem.
Needless to say, if someone broke into a service that did that, they would have total control of the machine.