26

On an XP machine there is a private messagequeue that was created by a .net service. When I want to access this private queue in a VB6 application I keep getting an "Access is denied" error. So it seems this is a security issue, only I don't understand why even when I am logged on as an administrator I still can't have access to queue that was created on the same machine. Is there something else I have to take into account.

Sample on how I use the queue in VB6

Public msgQueue As MSMQQueue

Private Sub OpenQueue()

    Dim MQ As New MSMQQueueInfo
        MQ .PathName = ".\Private$\incommingQueue"

    Set msgQueue = MQ.Open(MQ_RECEIVE_ACCESS, MQ_DENY_NONE)

End Sub
Mez
  • 2,817
  • 4
  • 27
  • 29
  • Have you checked the security for the queue? The ACLs are in the queue properties and look just like folder properties. – AJ. Apr 23 '09 at 13:11
  • If I try to modify the queue's properties, I just receive the same message "access denied". – Mez Apr 23 '09 at 18:13

2 Answers2

53

This can happen if the .NET Service removed the "Everyone" group from the permissions the private queue. Here are some steps you can take to resolve this:

  1. Stop the MSMQ Service

  2. Open the folder C:\WINDOWS\system32\msmq\storage\lqs

  3. Find the file in this folder that describes your queue -- (incommingQueue)

  4. Using notepad, open the lqs file for some other private queue that has good security permissions. (If you don't have any other private queues create one)

  5. Locate the line in the file that begins Security=....

  6. Copy the whole line to your clipboard (watch out for Word Wrap, this line will be quite long)

  7. Open the lqs file for your problem queue in your text editor

  8. Overwrite the Security=... line in this file with the contents of your clipboard

  9. Save the modified lqs file

  10. Start the MSMQ service

You should find that the problem queue now has the same permissions as the queue whose security settings you copied at step 6 above.

Jose Basilio
  • 50,714
  • 13
  • 121
  • 117
  • 1
    This sounds like a horrendous hack. *Surely* it can be done through the queue's properties, as described in the answer below. https://stackoverflow.com/a/3138438/1158692 – Grimm The Opiner Jun 06 '17 at 08:26
  • UI for viewing queue porperties isn't available because the services won't start... and that's because one of my queues is in an inconsistent state. This hack is my only way out. Let me check. – KSK Sep 08 '20 at 03:00
27

The solution posted here seems a bit of a hack. Perhaps this is necessary for Windows XP. I've encountered something similar using Windows 7 and used a different approach to solve this.

Situation:

  • Program consists of C# code that creates a private transactional queue
  • Program is run as a windows service, running on the Local System account.
  • When the service is run, the private queue is created with the Local System account as the owner.
  • Even though I am administrator, I can't inspect the messages from the queue.

Solution (this is for Windows 7):

  1. Run compmgmt.msc
  2. Open 'Services and Applications'
  3. Open 'Message Queues'
  4. Open 'Private Queues'
  5. Right-click the newly created queue
  6. Click 'Properties'
  7. Select the 'Security' tab
  8. Click 'Advanced'
  9. Select the 'Owner' tab
  10. Select 'Administrator'
  11. Select 'Permissions' tab
  12. Click 'Add'
  13. Type in the name of you account (e.g. 'Administrator')
  14. Click 'Check names'
  15. Click 'OK'
  16. Click 'OK'
  17. Click 'OK'

Now you can access the messages in the queue and also purge the queue if you would like to.

YuriW
  • 429
  • 5
  • 6
  • I've verified that this method works on Windows Server 2003. Great work. That other fix really did seem like a hack, and this one is much easier to accomplish. – Jason May 27 '11 at 09:41
  • I had to click the "Full Control" checkbox between steps 15 and 16, but other than that, yes this worked on my Windows 7 machine, and it much less of a hack than the other solution. –  Dec 19 '11 at 22:50
  • 2
    This does not work when the queue is created by a Windows service as the access to the queue is denied which is exactly the situation described in the original question. – Radu M. Apr 27 '12 at 11:15
  • This is the more obvious approach, but does not work in the case that nobody has granted "Set Permissions" right on the queue, or probably only the SYSTEM account or Network Service account has that privilege. If that is the case, then the "hack" is needed. – SalvadorGomez Oct 05 '12 at 16:13
  • I've verified that this method works on Windows Server 2008 R2 :) Thank you – Gabriel Espinoza Sep 04 '14 at 13:02