2

In my factory we are working on Tools, sometimes we are doing alignment manually and sometimes we are connecting to the computer of the Tool using Remote Desktop Connection or VNC.

For more security i created an application that can block Remote Desktop Service when working on alignment for protecting people from injury.

The application is working on Windows XP and Windows 7 but i have an issue with Windows 10.

i use these services:

"SessionEnv"
"TermService"

So when i enable the connection I'm starting these services using this code:

List<string> service_name = new List<string>()
    {
        "SessionEnv",
        "TermService"
    };

private void Start_Click(object sender, RoutedEventArgs e)
    {
        try
        {
            if (!windows.Contains("Windows XP"))
            {
                foreach (var service in service_name)
                {
                    ServiceController sc = new ServiceController(service);
                    status = Get_Status(service);

                    if (status == "Running")
                    {
                        continue;
                    }

                    else if (status == "Stopped")
                    {
                        sc.Start();
                    }
                }
                count_running = 2;
                count_stopped = 0;
            }

            if (vnc_installed == true)
            {
                Start_VNC();
            }

            ni.ShowBalloonTip(500, "Remote Desktop Enable/Disable Application", "Remote Desktop Connections are enabled", ToolTipIcon.Info);

            startup_status = "Open";

            File.WriteAllText("c:\\temp\\Startup.txt", startup_status);
        }

        catch (Exception ex)
        {
            System.Windows.MessageBox.Show(ex.Message);
        }
    }

and for disabling the connection:

private void Stop_Click(object sender, RoutedEventArgs e)
    {
        try
        {
            if (!windows.Contains("Windows XP"))
            {
                foreach (var service in service_name)
                {
                    ServiceController sc = new ServiceController(service);
                    status = Get_Status(service);

                    if (status == "Running")
                    {
                        sc.Stop();
                    }

                    else if (status == "Stopped" )
                    {
                        continue;
                    }
                }
                count_running = 0;
                count_stopped = 2;
            }

            if (vnc_installed == true)
            {
                Close_VNC();
            }

            ni.ShowBalloonTip(500, "Remote Desktop Enable/Disable Application", "Remote Desktop Connections are disabled", ToolTipIcon.Info);

            startup_status = "Close";
            File.WriteAllText("c:\\temp\\Startup.txt", startup_status);
        }

        catch (Exception ex)
        {
            System.Windows.MessageBox.Show(ex.Message);
        }
    }

Everything is working fine in Windows XP and 7 like i said but in Windows 10 when i'm trying to stop the service "SessionEnv", instead of changing his status to "Stopped" it stucks on status "Stopping". The only solution to get it running again is to kill the process named: "Service Host: Remote Desktop Services"

and of course i'm getting this error: "Cannot open SessionEnv service on computer"

Thank you for your help

edit: After more testing i found that if i'm opening the Application through Visual Studio everything work, if i'm opening the Application from the bin/Debug folder i'm getting the error.

dadou
  • 45
  • 1
  • 11
  • I did more test on different computer. No issue with Windows 7 everything works. On windows 10 i have the issue, but only when i'm using the .exe outside VS. In VS i have no issue on Windows 10. Can't understand what i missed. – dadou May 21 '23 at 12:58
  • 1
    Stopping a service requires admin privileges. Tends to be easy to do in VS, just run it elevated. But when you run it by hand then you have to take care of it yourself. Avoid mistakes by demanding elevation [in the manifest](https://stackoverflow.com/a/2818776/17034). – Hans Passant May 21 '23 at 17:40
  • I tested on my personal computer with "run as admin" and it works perfect like you said.That's the difference between Win 7 and Win 10,11. If i can't have the admin privileges because it's on our Tool in my work, so there is no solution right? thank you. – dadou May 22 '23 at 05:58
  • 2
    Ideally, you or an admin would give the proper privileges to be able to manage services. Check the permissions on `C:\Windows\System32\sc.exe` (ServiceController). – thewallrus May 22 '23 at 12:36

1 Answers1

0

The situation described looks exactly as mentioned in comments: the application require admin privileges to control the services. Whether the admin privileges are needed, it all depends on the environment setup of the computer and domain rules ~ (e.g. if the UAC is enabled; if controlling service must have admin privileges and what privileges have current account).

As I understand, OP knows that admin access is needed and issue is more about getting the right settings applied/having access granted. Following that, I prepared list of "common domain setups" that I've usually seen applied:

  1. The simplest - local admin: Run the applicaiton as a local admin. You ask Your administrator to set your account to be "local admin for the computer" and this will allow you to control the services (but not just them!). It works when having few computers and only single account.

  2. More general - shared account: Once you have multiple computers, this suddenly start to be hell to manage (as you must ask for this privileges on all computers, multiple users, etc...). An alternative is to have secured "domain-wide account" that could be logged-on from each computer, and that would have applied GPO. This GPO would allow this account to start/stop services. You can ask domain-admin to create such user for you and apply the GPO on it. The issue is that you must share password for this account and only that account would have the permission. Usually this is not secure, but have the work done. Generally, I discourage to use it!

  3. The most general - domain group with all users/GPO applied: When have multiple accounts, you would instead ask domain admins to create "domain group" and assign all the necessary users to this group. The same GPO (as in prev. step) needs to be applied to whole group ~ this will grant each user a permission to start/stop services and solve the issue. You wouldn't need to log as an administrator AND it would not block the application only on "provided accounts", not everywhere.

The latest solution is the most "clean", but require the most work from both you (get list of all accounts) and the admins (create group, add users, enable GPO).

From programming side, there is quite nice and exensive answer on controlling service as from non-admin account.

Tatranskymedved
  • 4,194
  • 3
  • 21
  • 47