No permission to access a private MSMQ - vb6

On an XP machine there is a private message queue that was created by a .NET service.
When I want to access this private queue in a VB6 application I keep getting an "Access is denied" error.
So it seems this is a security issue, only I don't understand why, even when I am logged on as an administrator, I still
can't have access to a queue that was created on the same machine.
Is there something else I have to take into account?
Sample of how I use the queue in VB6:
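Public msgQueue As MSMQQueue

Private Sub OpenQueue()
    Dim MQ As New MSMQQueueInfo
    ' Path of the private queue on the local machine
    MQ.PathName = ".\Private$\incommingQueue"
    ' Open for receiving without denying access to other readers
    Set msgQueue = MQ.Open(MQ_RECEIVE_ACCESS, MQ_DENY_NONE)
End Sub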

This can happen if the .NET Service removed the "Everyone" group from the permissions of the private queue. Here are some steps you can take to resolve this:
1. Stop the MSMQ Service
2. Open the folder C:\WINDOWS\system32\msmq\storage\lqs
3. Find the file in this folder that describes your queue -- (incommingQueue)
4. Using notepad, open the lqs file for some other private queue that has good security permissions. (If you don't have any other private queues, create one)
5. Locate the line in the file that begins Security=....
6. Copy the whole line to your clipboard (watch out for Word Wrap, this line will be quite long)
7. Open the lqs file for your problem queue in your text editor
8. Overwrite the Security=... line in this file with the contents of your clipboard
9. Save the modified lqs file
10. Start the MSMQ service
You should find that the problem queue now has the same permissions as the queue whose security settings you copied at step 6 above.

The solution posted here seems a bit of a hack. Perhaps this is necessary for Windows XP. I've encountered something similar using Windows 7 and used a different approach to solve this.
Situation:
Program consists of C# code that creates a private transactional queue
Program is run as a windows service, running on the Local System account.
When the service is run, the private queue is created with the Local System account as the owner.
Even though I am administrator, I can't inspect the messages from the queue.
Solution (this is for Windows 7):
Run compmgmt.msc
Open 'Services and Applications'
Open 'Message Queues'
Open 'Private Queues'
Right-click the newly created queue
Click 'Properties'
Select the 'Security' tab
Click 'Advanced'
Select the 'Owner' tab
Select 'Administrator'
Select 'Permissions' tab
Click 'Add'
Type in the name of your account (e.g. 'Administrator')
Click 'Check names'
Click 'OK'
Click 'OK'
Click 'OK'
Now you can access the messages in the queue and also purge the queue if you would like to.

Related

Trace failed login attempts Windows Server

We have noticed ~15k failed login attempts a day on one of our admin-accounts in the domain.
The source server is found and the event type is "Network", the source is a DC that has not been touched (except WinUpd) for years so a virus seems unlikely but of course possible.
Is there a way to trace exactly what the failed attempts point at? We have recently changed FSMO roles between two other DCs in the domain, maybe that has something to do with it?
You can check the failed login attempts based on the audit logon events local computer policy.
Use the keyboard shortcut Windows Key + R and type: gpedit.msc in the Run line and hit Enter.
In Group Policy Editor, navigate to Windows Settings >> Security Settings >> Local Policy >> Audit Policy.
Then double click on Audit Logon Events.
From there, check the boxes to audit failed audit attempts and click OK.
There you go! Now you’ll be able to see the complete logon activities (failed l) for your Windows computer.
Please refer to this one as well; based on the event ID you can know exactly what the failed attempts point at: https://social.technet.microsoft.com/Forums/en-US/f49cd4d6-a7d5-4213-8482-72d1d5306dab/windows-server-2012-r2-help-finding-failed-logon-attempts-source?forum=winserversecurity
Reference: https://www.groovypost.com/howto/pin-windows-8-start-screen-programs-desktop/
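Once failure auditing is on, each failed attempt is recorded as Event ID 4625, and its fields show what the attempts point at: the client name, source address, logon type and authentication package. The PowerShell below is an added example, not part of the original answers; `Get-FailedLogonOrigin` is a hypothetical helper name and the XML is a constructed sample event.

```powershell
# Added example: flatten Event ID 4625 (failed logon) XML into one row per attempt.
# Get-FailedLogonOrigin is a hypothetical helper name.
function Get-FailedLogonOrigin {
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $evt.System.TimeCreated.SystemTime
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']                  # 3 = Network
            Workstation = $data['WorkstationName']            # client name as reported
            SourceIp    = $data['IpAddress']
            AuthPackage = $data['AuthenticationPackageName']  # NTLM, Kerberos, ...
            LogonProc   = $data['LogonProcessName']
            Caller      = $data['ProcessName']                # local process, if any
            SubStatus   = $data['SubStatus']                  # failure reason code
        }
    }
}

# Constructed sample event; every value is a placeholder, not data from the page.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:00Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">admin-example</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">APPSRV-EXAMPLE</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
$sample | Get-FailedLogonOrigin | Format-List

# Live use, on the DC that records the failures (needs rights to read the Security log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 5000 |
#     ForEach-Object { $_.ToXml() } | Get-FailedLogonOrigin |
#     Group-Object Workstation, SourceIp, AuthPackage | Sort-Object Count -Descending
```

With ~15k failures a day, the grouped output usually collapses to a handful of Workstation/SourceIp pairs, which is the machine or service to inspect next.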

Schedule a task to monitor a certain process start

I'm trying to tie two applications together, so that when one is started the other starts too.
I expected to find this in Task Scheduler under Events > Application or something like that, but only some applications have event sources there.
So I researched and found that you can detect a process start by registering a WMI event.
Register-WMIEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 3 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'notepad.exe'" -sourceIdentifier 'NotepadStarted' -action {if(!(ps AutoHotKey)) { start Automator.ahk}}
However this is meant to run all the time, which means a powershell.exe process in the background, and WMI polling every 3 seconds (WITHIN 3 - yes I do need it to respond ASAP). The PC is powerful enough for this job as is, but if in the future I want to watch more than one app, this approach may turn out to use too much resources.
Is there a better way of watching for a process start on Windows? Without polling or running a script continually in the background, but rather simply scheduling a task to respond to the event of Notepad having started?
I have found a way through Auditing, which seems to work alright.
We're trying to get the process to raise an event when it starts, then in Task Scheduler to home in on that event as the trigger for our action.
UPDATE: Conjoined Twins - IFTTT-style application actions using auditing and scheduled tasks under Windows. It's a Powershell script that helps you set this up.
LATER EDIT: OK it does produce a few false positives. The action may fire without the program having actually been executed. So beware.
Go to your application.exe, right click > Properties > Security tab > Advanced > Auditing tab > Edit
Add your username and tick Traverse folder / execute file. Click all of the OKs. Every successful execution of application.exe will now show up in Event Viewer. Go there to check them out:
Event Viewer > Windows Logs > Security
You can Filter current log for EventID 4663
Here is an event like that from my machine:
An attempt was made to access an object.
Subject:
Security ID: PC\Redacted
Account Name: Redacted
Account Domain: PC
Logon ID: 0xxxxxxx
Object:
Object Server: Security
Object Type: File
Object Name: C:\Program Files\Some Application\application.exe
Handle ID: 0x1e1c
Process Information:
Process ID: 0x374
Process Name: C:\Windows\explorer.exe
Access Request Information:
Accesses: Execute/Traverse
Access Mask: 0x20
You'll see more than one of these, it's not just one-to-one, 1 program start = 1 event. There are A handle was open, A handle was closed events as well.
In Task Scheduler you have to now create an event to target the program start.
Create New Task > Triggers Tab > New
Select Begin task: On an event from the drop-down.
Click the Custom radio button then Edit Event Filter... button
In the XML tab tick Edit query manually and paste something like this in:¹
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='ObjectName'] and (Data='C:\Program Files\Some Application\application.exe')]]</Select>
  </Query>
</QueryList>
Pictures and more details at Quick Development Tips: How to monitor a folder and trigger an action for incoming files, in Windows 7
Once this is done, all that's left is to set up your Action, the program you want to run when application.exe starts. For me it was an AutoHotKey script - I just clicked Browse and navigated to it.
Now when I start the app I get that AutoHotKey script automating some initial steps. It wouldn't have worked to just create a batch file with application.exe & script.ahk in it, because sometimes the app starts from opening a file, sometimes it's started by something else, or who knows. This way no matter how it starts, script.ahk happens.
¹ Side note: Here's a catch. This XPath query works for Data='C:\no\wildcards\allowed.exe' but you'll be disappointed to find that you can't use wildcards or any other kind of matching. So if you want to select a file that doesn't move or change name, that's fine. But if you want to select a newly created file of unknown name inside a folder you're watching - you can't. At most you can do Data='variant1' OR Data='variant2'...
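The auditing approach above can also be set up from an elevated PowerShell prompt, with the trigger filter restricted to event 4663 and the Execute/Traverse access mask shown in the sample event. This is an added example, not the answer author's script; `$user` is an assumed account, and the narrower filter is a suggestion to verify on your own system.

```powershell
# Added example, not the answer's own script. Run elevated on the machine being watched.
$exe  = 'C:\Program Files\Some Application\application.exe'   # path quoted in the answer
$user = "$env:USERDOMAIN\$env:USERNAME"                       # assumption: audit the current user

# 1. Object-access auditing for files must be enabled, or the SACL below logs nothing.
#    (Subcategory names are localised; this is the English name.)
auditpol /set /subcategory:"File System" /success:enable

# 2. Scripted form of the Auditing tab step: audit successful execute on this one file.
$acl  = Get-Acl -Path $exe -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($user, 'ExecuteFile', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $exe -AclObject $acl
(Get-Acl -Path $exe -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags

# 3. Trigger filter narrowed to event 4663 with the Execute/Traverse mask (0x20 in the
#    sample event), so other events that carry the same ObjectName do not match.
$xpath = "*[System[(EventID=4663)]]" +
         " and *[EventData[Data[@Name='ObjectName']='$exe']]" +
         " and *[EventData[Data[@Name='AccessMask']='0x20']]"

# 4. Start the application once, then confirm the filter selects the expected records
#    before using it as the task trigger.
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, RecordId

# 5. Text to paste into Task Scheduler's "Edit query manually" box.
@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$xpath</Select>
  </Query>
</QueryList>
"@
```

Because the audit rule is placed on one file for one account, only executions of that file are logged, which keeps the volume in the Security log small.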
Keep in mind that using the task scheduler for this requires enabling auditing of ALL! processes on an OS-level. That can create quite a high load.
For monitoring a single process I would recommend creating a "permanent WMI event trigger". Details see here: https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/
As a "consumer" you need to create a small VBscript as an "ActiveScriptEventConsumer" that starts the other process.

Can not connect to IBM content navigator web administration

When I tried to connect to the navigator web administration, I received a message "The desktop can not be opened" and it requires defining a desktop ID.
http://imgur.com/JNKelPy
How to fix this problem or define a desktop ID?
I can't remember if after an installation default desktop is admin or if you have to set it manually. Is your URL with ?desktop=admin at the end working (https://ecm.filenet.com:9443/navigator/?desktop=admin)? If it does, create a desktop and set it as default. If it doesn't, you should take a look at the WAS log (SystemOut.log) to see what the error is.
After successful deployment of IBM Content Navigator, the admin desktop is automatically created. It is considered the default desktop until another is created with a valid repository. If you have issues, you should put in the full admin console address:
http://www.ICNADDRESS.com:9080/navigator/?desktop=admin
The desktop selection code at the end (?desktop=) can be used to specifically go to any desktop in the configuration, but the code treats the admin console address shown above as "special" for authentication and processes it slightly differently. I've had normal desktop configurations (especially after upgrades from 2.0.1 & 2.0.2) have issues for administrative users.
IBM Content Navigator uses DB tables for its configuration data. You can find the desktop related info in a table named CONFIGMGMT including admin desktop.
There are several possibilities for the error that you are getting:
CONFIGMGMT table has corrupted data regarding admin desktop.
CONFIGMGMT table has been deleted.
The DB table is accessed by Content Navigator via a data source created in your application server and the connection to the underlying database is not made due to authentication issues (very common due to password change policies).

Network address inaccessible if run by the Task Scheduler

I have a C# program that does this:
Directory.Exists(@"\\PcName\SomeDir");
and prints whether that path is accessible (exists) or not.
This is the problem: I run this app via the Task Scheduler right after log-in (auto-log-in user), using the "On Login" trigger, and it returns false, although that path IS accessible! (I manage to open that path using the explorer.exe few seconds before my app starts). It is marked to:
Run with highest privileges
If I run it manually it runs OK, even when I right click the task and select "Run" via the Task Scheduler!
If I deselect "Run with highest privileges", there is no problem, but it must be run with highest privileges (accesses registry and whole lot other stuff)
It runs under same user if I run it manually or automatically by the task scheduler - I made sure using Process Explorer
It happens on certain machines (Win8x64, admin-privileges-user with no password, auto-log-in, workgroup machines, not domain), but not on others (same: Win8x64, admin-privileges-user with no password, auto-log-in, workgroup machines, not domain).
Even if I insert Thread.Sleep(TimeSpan.FromMinutes(1)); or enter 1-min delay in the task (in the Task Scheduler) it still says this path does not exist
Problem solved. I had to "impersonate", although I’m not really sure why: if I use the scheduler without restarting, it accesses the remote share – exactly the same settings, one to one. Only after restart it fails to access the share (and a moment later, again – same settings, it is able to access).
The only difference in running it immediately after restart is that the app-process’s parent is services.exe and not explorer.exe as usual. My guess is that it has to log in immediately after the restart, so it must use services.exe (explorer.exe is not supposed to exist at that stage, if I'm not mistaken).
Below is the solution in C#, roughly, to whom it may concern:
// LogonUser is a "P/Invoked" API:
// http://www.pinvoke.net/default.aspx/advapi32/LogonUser.html
// this solution works only with the LOGON32_LOGON_NEW_CREDENTIALS as the 4th parameter:
// (needs System.IO for Directory and System.Security.Principal for WindowsIdentity)
using (var h = LogonUser(username, domain, password,
                         LogonType.LOGON32_LOGON_NEW_CREDENTIALS,
                         LogonProvider.LOGON32_PROVIDER_DEFAULT))
{
    using (var winImperson8Ctx = WindowsIdentity.Impersonate(h.DangerousGetHandle()))
    {
        return Directory.Exists(path); // now works fine...
    }
}

Can't connect to JMS using restricted user via GEMS

I have user (not administrator) access to some external JMS.
I'm failing to view the queue while trying to use GEMS.
My guess is that this is because GEMS is an admin console for JMS but the user I have doesn't have any administrator permissions.
I've tried creating a user without admin permissions on my local Tibco and I fail to connect to JMS using that very user in GEMS.
How could I view any JMS with a restricted user? Is GEMS able to do that? If not, what tools could be used?
Thanks.
There is Hermes tool suitable for this.
It was really hard to get Hermes working with Tibco EMS. Here is a good tutorial on how to configure Hermes.
HermesJMS provides a GUI to access JMS queues and topics for common tasks such as sending messages, removing messages and copying messages between queues and topics. It’s one of some “must have” tools for EMS admins and application support team.
Get the latest installer from SourceForge: http://sourceforge.net/projects/hermesjms/files/ then run it:
java -jar hermes-installer.jar
Installation is very simple, just few screens: release notes, license agreement, installation path, components (here is only one actually), summary, files copying, shortcuts creation and installation finish.
To start HermesJMS run hermes.bat in your \HermesJMS\bin. If you got error message “cannot find \bin\javaw”, make sure that you have JAVA_HOME system variable defined to your jre folder.
When Hermes has started successfully, click on the “Create new JMS session” button; the preferences window will appear. Select the providers tab and right-click on free space. Then press “Add Group” and enter a group name. Right-click on “Library” and press “Add JAR(s)”. Look in the \ems\5.1\lib folder and select all .jar files there. Click “Open”, then let Hermes scan the jars for factories: press the “Scan” button. Then press “Apply”. All libraries will be in the list like on my screenshot.
Go to the “Sessions” tab and enter a name for the session: “My EMS” for example, then select the “EMS” loader. The next step is to select the “com.tibco.tibjms.TibjmsConnectionFactory” class and the “Tibco EMS” plugin. Order is very important: select loader, then class, then plugin. Right-click on free space in the plugin section and press “Add property”. You have to enter all three properties: username, password and serverURL; do the same for Connection Factory, then press “OK” to save and close the properties window.
Now we can connect Hermes to our EMS. Let it discover queues and topics, press “Discover queues and topics from the provider” button. Then confirm replacement of the current set of destinations and list will be updated. That’s all.

Resources