We have a Windows Service that sits and monitors our main Windows Service. It can query the service status, stop, start, and restart the service as required. It does so using the ServiceController class in .Net.
When installed using our installer, the services can be configured to use an existing Windows User account, or a new account can be created for the services. This user can be an Admin or a Non-Admin user. Either way, when installed, the monitor service is configured to start Automatically and the Main service is set to Manual, and the configured user account is explicitly granted all of the required permissions to control the Main service. I have double checked the DACL and confirmed that the user does indeed have permission.
Most of the time, the two services are installed on the same machine, but it is possible that they could be on different machines, so when new'ing up the ServiceController we pass in the service name and the IP address of the machine.
The issue is, on calling ServiceController.Start() we get the following Exception:
System.InvalidOperationException: Cannot open MyServiceName service on computer '127.0.0.1'. ---> System.ComponentModel.Win32Exception: Access is denied
--- End of inner exception stack trace ---
at System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess)
at System.ServiceProcess.ServiceController.Start(String[] args)
at System.ServiceProcess.ServiceController.Start() ).
This happens only when the configured user is non-admin, using an IPv4 address, and only on Windows 10 since the 1709 update. This exception does not occur on any previous version of Windows, including all previous versions of Windows 10 (and yes, I have tested all of them, urgh). It also seems that the exception does not happen when using the hostname of the machine or "localhost", only when using an IPv4 address such as "127.0.0.1" or the actual IP of the machine.
The issue can be reproduced using the following little console program:
using System;
using System.ServiceProcess;
namespace ServiceStartTest
{
class Program
{
static void Main(string[] args)
{
try
{
var serviceController = new ServiceController("MyServiceName", "127.0.0.1");
serviceController.Start();
}
catch (Exception ex)
{
Console.WriteLine($"Exception caught: {ex}");
}
Console.ReadLine();
}
}
}
Run as a non-administrator user and replace "MyServiceName" with the installed name of a service you can control.
I'd really like to know what changed in 1709 that caused this and if there's a way around it other than using hostnames.