none
security policy block my Windows service from executing a process RRS feed

  • Question

  • Hi all,

    My Windows Service C# code is executing a python.exe with some code.

    When I execute the python manually (CMD: python.exe ...args..) everything works fine.

    When I execute python from Windows Service as child process it will not execute, I use C# Process.Start(), i tried with UseShellExecute false and true, both return false from Process.Start().

    There is no anti virus on the machine, What GPO or local security policy can prevent a Windows Service from executing an .exe as child process ?

    Thanks

    Thursday, February 7, 2019 5:54 PM

Answers

  • Hi All, Thank you very much for the help, All the suggest policies that were offered here - were empty.

    BUT

    the field that we did change was:

    Under “secpol.msc”

    Computer Configuration à Windows Settings à Security Settings à Local Policies à User Rights Assignment à Select “Create a token object” and add “Local Service” and “Administrators”

    This has solved our problem

    • Marked as answer by ilan.sch Friday, February 15, 2019 9:14 PM
    • Edited by ilan.sch Friday, February 15, 2019 9:15 PM
    Friday, February 15, 2019 9:14 PM

All replies

  • Is it possible through your C# code to generate a more detailed error message? It will help us to assist.

    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK

    My Website Link

    My Linkedin Profile

    My MVP Profile

    Thursday, February 7, 2019 11:11 PM
  • no it is not, process.start return false, no exception is thrown

    Call GetLastError() or Marshal.GetLastWin32Error() returned 0.
    There was nothing in Event Viewer (Application, System, Security)

    procmon was opened, i have the session saved.

    this is pure secpol issue, the only question is what secpol / gpo set cause this issue ?


    • Edited by ilan.sch Friday, February 8, 2019 1:39 AM
    Friday, February 8, 2019 1:37 AM
  • Hello,

    According to our description "When I execute python from Windows Service as child process it will not execute", whether we can not execute all the .exe program from Windows Service as child process or whether we can not execute only python.exe from Windows Service as child process?

    We can try to check if we configure the following (domain\local) group policy settings:

    Computer Configuration – Policies – Windows Settings – Security Settings – Application Control Policies – AppLocker
    Computer Configuration – Policies – Windows Settings – Security Settings – Software Restriction Policy

    Is our computer a domain-joined computer?

    If it is a domain-joined machine:

    1. We can login with Administrator account.
    2. Open command prompt.
    3. Type gpresult /h C:\report.html.
    4. Click Enter.
    5. Open gpresult report to view if we configure the policy settings.


    If it is a non domain-joined machine:

    1. We open local group policy editor(open Run, type gpedit.msc, click OK).
    2. 
    Navigate to
    Computer Configuration – Policies – Windows Settings – Security Settings – Application Control Policies – AppLocker
    Computer Configuration – Policies – Windows Settings – Security Settings – Software Restriction Policy
    3. View if we configure the policy settings.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, February 8, 2019 3:22 AM
    Moderator
  • Hi,
    If this question has any update? Also, for the question, is there any other assistance we could provide?

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, February 11, 2019 8:18 AM
    Moderator
  • Hi,
    Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know. 
     
    Again thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 13, 2019 1:33 AM
    Moderator
  • hi

    thanks alot for the help

    i will update tomorrow after the session on that environment.. 

    Wednesday, February 13, 2019 6:32 PM
  • Hi,
    OK. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 14, 2019 10:49 AM
    Moderator
  • Hi All, Thank you very much for the help, All the suggest policies that were offered here - were empty.

    BUT

    the field that we did change was:

    Under “secpol.msc”

    Computer Configuration à Windows Settings à Security Settings à Local Policies à User Rights Assignment à Select “Create a token object” and add “Local Service” and “Administrators”

    This has solved our problem

    • Marked as answer by ilan.sch Friday, February 15, 2019 9:14 PM
    • Edited by ilan.sch Friday, February 15, 2019 9:15 PM
    Friday, February 15, 2019 9:14 PM
  • Hi,
    Thank you for your update and sharing. I’m very glad that the problem has been solved.
     
    As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!
     
    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, February 18, 2019 2:35 AM
    Moderator