RE: folder virtualisation

Hi Jeffry,

looks like it is working now after adding security attribute.

Thank you very much
--
Ashnah is a innovative software development company


""Jeffrey Tan[MSFT]"" wrote:

Hi Ashnah,

Thank you for feedback the further information.

Yes, I see your concern. However, your problem looks like a security
configuration issue. I do not think this security problem can be resolved
by providing sample code. It is most possibly caused by improperly Windows
account security configuration. Furthermore, coding a sample Windows
Service+Named pipe project requires a lot of time and is not a trivial
task.

With your further information, it seems that your client GUI application is
not running under an Administrator account, yes? This looks like an
important clue. I suspect when your Windows Service running under
LocalSystem account created the named pipe with CreateNamedPipe API, the
default DACL assigned to the pipe does not grant the normal user account
read/write permissions. It may only grant Administrators group and
LocalSystem account WRITE pemission. This is a normal situation.

To check the exact DACL list of the created pipe, I recommend you download
Process Explorer from the link below:
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExp
lorer.mspx

Then, you may use the steps below to examine your pipe handle security DACL:
1. In Process Explorer, you can press "Ctrl+H" to switch the lower panel to
show all handles in a process.
2. You may choose your Windows Service process in the process list
3. You can click the "Type" column in lower panel to order the handles by
type
4. Look "File" type handle in the lower panel and find your Named Pipe
handle
Note: the Named Pipe handle will have name like "\Device\NamedPipe\...", so
it is easy to identify your pipe handle
5. Double click the handle to bring up the property dialog and switch to
"Security" tabpage.
6. Examine the DACL in the dialog to check whether it will not grant Users
account write permission

Once, you can determine the DACL of your pipe object does not grant write
permission to user account, you may pass a dedicated security descriptor
the last parameter of CreateNamedPipe to grant WRITE permission to your
client application user account. If you need some sample code regarding how
to pass SECURITY_ATTRIBUTES to add a customized allow ACE, the link below
contains some code snippet:
http://www.codeguru.com/forum/archive/index.php/t-301326.html

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


.

Relevant Pages

  • Re: I cant access windows updates - Error number: 0x800A0046
    ... Start a free Windows Update support incident request: ... Support for Windows Update: ... When you call, clearly state that your problem is related to a Security Update and cite the update's KB number. ... Verify the Local Administrator and Service account are added to the ...
    (microsoft.public.windowsupdate)
  • RE: folder virtualisation
    ... I do not think this security problem can be resolved ... account security configuration. ... LocalSystem account created the named pipe with CreateNamedPipe API, ... Microsoft Online Community Support ...
    (microsoft.public.platformsdk.security)
  • Re: Named Pipes Restriction
    ... your named pipe application runs under certain ... the customer machine to grant the enough right to that account. ... all the security settings for the user accessing account Named ... Microsoft Online Community Support ...
    (microsoft.public.win32.programmer.kernel)
  • Problem: Events 1085, 1202, services.exe failing
    ... see Help and Support Center at ... The Group Policy client-side extension Security failed to execute. ... No mapping between account names and security IDs was done. ...
    (microsoft.public.windows.group_policy)
  • Re: problem with pipes IPC
    ... create the pipe it works fine. ... admin to non-admin, then non-admin user cannot create pipe with the ... This is probably an issue of security. ... the non-admin account could spoof an administrative account by creating a pipe of the same ...
    (microsoft.public.vc.mfc)