[wix-users] Deferred CustomAction in System context get access denied

Phill Hogland phill.hogland at rimage.com
Fri Dec 16 06:14:26 PST 2016


Here are the change details adding the SeDebugPrivilege prior to making the call.

https://github.com/wixtoolset/wix3/pull/189/commits/f743a7ebfad7cace9f1d3fb587e07811f201ee6f


________________________________
From: wix-users <wix-users-bounces at lists.wixtoolset.org> on behalf of Phill Hogland <phill.hogland at rimage.com>
Sent: Friday, December 16, 2016 8:01:50 AM
To: wix-users at lists.wixtoolset.org
Subject: Re: [wix-users] Deferred CustomAction in System context get access denied

I use:

 <util:RestartResource ServiceName="My_Service_Short_Name"/>


I worked on wix bug 4592 which was incorporated into 3.10 almost a year ago, to address this very issue where the user context of the target process is different than the user context which is trying to terminate the process.  The implementation makes a 'best effort' and particularly in a 'per user' scenario there may be some edge scenarios where it still will not be able to terminate the process.  But in 'per-machine' setups the existing implementation should meet your needs (or you can look at the wix source and implement similar API calls to add the necessary privileged to the calling thread, in your CA).



________________________________
From: wix-users <wix-users-bounces at lists.wixtoolset.org> on behalf of Ilir Bekteshi <ilir.sb at gmail.com>
Sent: Friday, December 16, 2016 3:44:55 AM
To: wix-users at lists.wixtoolset.org
Subject: [wix-users] Deferred CustomAction in System context get access denied

I'm having some problems with privileges when running a CustomAction in
deferred mode.

I want to kill some Service processes which could be running using
different user accounts from Local System to regular users, but the CA
succeeds only when the processes and the CA are executed as the same user.
Here are some cases and results:

"process1.exe" is a process running as the same user running the
installation. If the kill CA is run in System context using
Impersonate="no" the access is denied.
"process1.exe" is a process running as the same user running the
installation. If the kill CA is run in User context using Impersonate="yes"
the process is killed.

"process1.exe" is a process running as another user. If the kill CA is run
in User context using Impersonate="yes" the access is denied.
"process1.exe" is a process running as another user. If the kill CA is run
in System context using Impersonate="no" the access is denied

"process1.exe" is a process running as Local System. If the kill CA is run
in User context using Impersonate="yes" the access is denied.
"process1.exe" is a process running as Local System. If the kill CA is run
in System context using Impersonate="no" the process is killed.

<SetProperty Id="KillUserProcess"
Value='"[WindowsFolder]\System32\taskkill.exe" /F /IM process1.exe'
After="CostFinalize" />
<CustomAction Id="KillUserProcess" BinaryKey="WixCA" DllEntry="CAQuietExec"
Execute="deferred" Impersonate="no" Return="check" />

<SetProperty Id="KillSysProcess"
Value='"[WindowsFolder]\System32\taskkill.exe" /F /IM process2.exe'
After="CostFinalize" />
<CustomAction Id="KillSysProcess" BinaryKey="WixCA" DllEntry="CAQuietExec"
Execute="deferred" Impersonate="no" Return="check" />

<InstallExecuteSequence>
<Custom Action="KillUserProcess" After="InstallInitialize"></Custom>
<Custom Action="KillSysProcess" After="KillUserProcess"></Custom>
</InstallExecuteSequence>

Action=KillUserProcess,ActionType=3137,Source=BinaryData,Target=CAQuietExec,CustomActionData="C:\Windows\System32\taskkill.exe"
/F /IM process1.exe)
CAQuietExec:  "C:\Windows\System32\taskkill.exe" /F /IM process1.exe
CAQuietExec:  ERROR: The process "process1.exe" with PID 3164 could not be
terminated.
CAQuietExec:  Reason: Access is denied.
CAQuietExec:
CAQuietExec:  Error 0x80070001: Command line returned an error.
CAQuietExec:  Error 0x80070001: QuietExec Failed
CAQuietExec:  Error 0x80070001: Failed in ExecCommon method

Action=KillSysProcess,ActionType=3137,Source=BinaryData,Target=CAQuietExec,CustomActionData="C:\Windows\System32\taskkill.exe"
/F /IM process2.exe)
CAQuietExec:  "C:\Windows\System32\taskkill.exe" /F /IM process2.exe
CAQuietExec:  SUCCESS: The process "process2.exe" with PID 4596 has been
terminated.


If LocalSystem doesn't have the rights to kill the processes, who does?
Running these commands from Command Prompt work without problem when
elevated.
Even using psexec from SysInternal to run the command as System work
without a problem. Only when running through MSI are these issues faced.

Is it possible to make a Custom Action running as a System kill processes
not owned only by System?

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/

____________________________________________________________________
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/


More information about the wix-users mailing list