Error accessing C:\Windows\system32\cluster.exe or whoami.exe from Service running as Local Service or Administrator
- Dear all,
I've got some strange behaviour with Windows Server 2008 (Core Enterprise, English, SP2 and Enterprise (non-Core), German, SP2).
I've installed a BBWin monitoring client which is running fine as "Local System". There's the possibility to add external scripts for additional monitoring tasks, so I created a VBS script which calls "cluster.exe /Cluster:localhost group > C:\Windows\Temp\Cluster.txt" and then checks some things; the details don't matter.
The script works fine if I'm logged on locally as Administrator or as Local System (run via Sysinternals psexec -i -s cmd).
If the script is added to the monitoring service, the script doesn't find cluster.exe anymore. If I replace "cluster.exe /Cluster:localhost group" in the command with "ipconfig /all", the script works correctly. If I use whoami, the script fails with the same error.
After that, I tried to run it as a Domain Admin with the same result.
Now I created a command file, cluster.cmd, with the following code:
@ECHO OFF
copy /Y C:\Windows\system32\cluster2.exe C:\Windows\Temp\cluster2.exe > C:\Windows\Temp\Cluster.txt 2>&1
Cluster.exe /Cluster:localhost group >> C:\Windows\Temp\Cluster.txt 2>&1
dir C:\Windows\system32\Cl*.exe >> C:\Windows\Temp\Cluster.txt 2>&1
dir C:\Windows\system32\wh*.exe >> C:\Windows\Temp\Cluster.txt 2>&1
whoami >> C:\Windows\Temp\Cluster.txt 2>&1
I ran this command file as Admin or Local System, logged on locally, with success. If I try to run it as a service, the output is as follows:
The system cannot find the file specified.
'Cluster.exe' is not recognized as an internal or external command,
operable program or batch file.
Volume in drive C has no label.
Volume Serial Number is ######
Directory of C:\Windows\system32
11/02/2006 11:44 AM 40,960 cliconfg.exe
1 File(s) 40,960 bytes
0 Dir(s) 44,643,213,312 bytes free
Volume in drive C has no label.
Volume Serial Number is ######
Directory of C:\Windows\system32
11/02/2006 11:45 AM 36,352 where.exe
1 File(s) 36,352 bytes
0 Dir(s) 44,643,213,312 bytes free
'whoami' is not recognized as an internal or external command,
operable program or batch file.
As you can see, the user can't find cluster.exe or whoami.exe when running as a service as Local System or Administrator.
I tried these things with no success:
- apply "Allow Service to interact with desktop"
- grant everyone FullAccess to Cluster.exe
- grant the service the following privileges:
SeBackupPrivilege
SeRestorePrivilege
SeIncreaseQuotaPrivilege
SeIncreaseBasePriorityPrivilege
SeTcbPrivilege
SeDebugPrivilege
SeSecurityPrivilege
SeAuditPrivilege
SeImpersonatePrivilege
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeManageVolumePrivilege
- set the service SID type from none to unrestricted (sc sidtype BBWin UNRESTRICTED)
- grant the service SID FullAccess to cluster.exe (sc showsid BBWin, then get the SID and icacls cluster.exe /grant *SID:F)
After that I compared the SDDL for the files cluster.exe (which is not found) and ipconfig.exe (which can be found and accessed), and they're still the same.
As I described before, when logged on locally everything works as "Local System", but not when running as a service.
I think it's something like a security feature, but I don't know how to get this to work.
Please help... THX
With best regards
Daniel
All Replies
- I think you should try omitting the ".exe" and just go with the command "cluster".
Just an idea.
Creativity cannot be taught, but it can be learned.
- I already tried this out, but you can't SEE THESE FILES, as described above!
Now I've created a clean VBS script with WMI requests, without calling an external file, which generates the cluster information I need for the monitoring system. The behaviour above is not solved, but the results are okay!
- Proposed As Answer by Shems Monday, November 09, 2009 8:16 PM

