Problem with Logon.exe

Hi, SysOP!

Could you give me some clue to fix the following problem?

I am developing a system with sensors. I tried to use a sensor to log on and log off the Windows XP automatically. It works like this: the sensor communicates with the PC using USB port. If the system is locked, when the sensor tried to log on, it will send a message to the USB port. The PC runs a java application listening on the USB port. When the Java application receives a message from the USB port, it executes a batch file. The batch file is exactly as the following:

@echo off
Logon.exe -u sq8aaa -p %1
cls

The password is passed to the batch file in the Java application.

When the Java is executed, the system did not unlock. I also got the following message from "logon.log".

Tue Jan 13 16:44:25 2009 Access is denied.
Tue Jan 13 16:44:25 2009 Unable to start logon service (StartService failed).
Tue Jan 13 16:44:25 2009 Logon failed.

I am using Windows XP professional SP2 and my account privilege is administrator. I have turned off fast switch.

BTW, this application can unlock my computer using the "Logon.exe" before I reinstalled my OS sometime ago.

Could you give me some clue to fix this problem? It would be the best if you can contact me through email. My email is yangka2007@gmail.com

Thanks very much!

The clue is here "Access is denied." Basically, the user account running your Java application doesn't have sufficient permissions to create services.

Internally the logon utility installs temporary service, runs it and then deinstalls it. The account needs to have SC_MANAGER_ALL_ACCESS privileges in order to be able to perform the required operations. Typically an admin account is required for that, but a regular account can be also granted the required privileges

Hope this explanations helps.

Thanks for your instant reply! Your explanation does make the problem clearer for me. But I still don't know how to fix it. The account running the Java application is administrator. How can I check whether the SC_MANAGER_ALL_ACCESS privileges are granted to the account?

Thanks!

Please open Control Panel -> Administrative Tools -> Local Security Policy and then in User Rights Assignments check if the user can Logon as a service, Create a token object, Replace a process level token privileges and at the same time is not listed in Deny logon as a service. If neccessesary make required changes and then logoff/logon this user to make your changes effective. In case this is a network-based user, you would need to make changes using the Active Directory admin tools rather the Local Policy applet. Network user privileges override local user privileges.

Hi, Sysop,

Thanks very much for your help. However, after I changed the "local security settings" as your mentioned, the system log still shows the same result:

Tue Jan 20 12:28:23 2009 Access is denied.

Tue Jan 20 12:28:23 2009 Unable to start logon service (StartService failed).
Tue Jan 20 12:28:23 2009 Logon failed.

Is there any other setting I should change?

Thanks very much!

Hi,

Can you try logging in using a different admin account and starting that Java program using that other account?

Also, you can try enabling system security auditing. This way you can find out which specific action/privilege Windows didn't like and denied. In case security auditing is already enabled, you can check Windows Security Event log to find out more details about the issue.

Hi, SysOp,

Thanks very much for you recent replies. I tried to fix the problem through the way you told me but failed.

Firstly I created another admin account and runs the java application using this account. But still get the same error message. Then I enables the event auditing and security auditing. Then I checked the "Event Viewer" under "Control Panel->Administrative Tools", but I am not sure whether this is the right place to check the log. Here, in the "Application" tab, no event relative to Logon was audited. No event relative to Logon in "Security" neither. In the "System" tab, an event typed "Error" was recorded. The "Source" is Service Control Manager, "Category" is None, "Event ID" is 7000, "User" is N/A. The description is as follows:

The Logon Service failed to start due to the following error:
Access is denied.

I was also redirected to this info for trouble shooting:

Details:
Product: Windows Operating System
ID: 7000
Source: Service Control Manager
Version: 5.2
Symbolic Name: EVENT_SERVICE_START_FAILED
Message: The %1 service failed to start due to the following error: (nothing was actually shown here)

Explanation

Service Control Manager (SCM) could not start the specified service, probably because the service is not configured correctly.

User Action

Do one or all of the following:

* Review the error information displayed in the message.
* Verify that the service password has not expired.
* Verify that the service is in the correct location.
* Verify that the service is not infected with a virus.
* To display the WIN32_EXIT_CODE error that SCM encountered when trying to start the program, at the command prompt, type
sc query service name
The information displayed can help you troubleshoot possible causes for the error.

If the WIN32_EXIT_CODE is zero, then SCM did not attempt to start the service because the error was detected first.

I have enabled this user account to be able to : create a token object, logon as a service, replace a process level token.

This problem really drives me mad......

Hope you can shed some light on me......

Thanks!

When did you restart this system last time?

Did you restart the system after making changes in security settings?

My guess there is still an issue with "run as a service" privilege. Your changes in security settings somehow are not effective. Perhaps they will work for you after you restart the system. If it was an issue with user password, the create service operation would fail too. The funny thing is that the account has sufficient privileges to create services and delete them, but not to run.

Also check just in case if you have another service with the same Logon name but for a different user account. You can check that in the services applet or just try running from command line
NET start "Logon"

Hi, SysOp,

Thanks for your reply!

What is the service name for logon in the service applet? Is it "Secondary Logon"?

And how to check the "Logon Name" you mentioned in your last post? Is it "Log on as"?

It is actually simple "Logon" word; and to improve wording of the previous posting ...

	Quote:
	Also check just in case if you have another service with the same "Logon" name but for a different user account. You can check that in the services applet or just try running from command line NET start "Logon"

Mhm......There is no service named "Logon" in the service applet on my computer. Could that cause the problem? How to start this service? Thanks!

That's actually good. I suggested to check a "what if" case. What if there is already a service which such name and different user, which is causing the problem.

So we can conclude now that this is a pure security issue, not a conflict with another service. The user has sufficient permissions to create service and start it, but the service cannot start because some of the resources it needs are simply not available to the user, and this is causing to service start to fail. The required resources are typically available to all local admin accounts, there must be something on your system which has been modified from the default or somehow blocked (antivirus?).

If this is a test system, I suggest giving the affected user admin privileges using Local Security Policy applet in Windows Administrative tools as well as "Create a token object", "Create global objects", and "Act as a part of the operation system" and see if that help. If yes, you can then take these privileges out one by one and find out later which is one is the root cause of the issue.

IMPORTANT: Please ensure that after changing security settings you either restart the system or use full logoff/logon. Windows caches security settings, your security settings changes are not effective until you have the user logon to the system again (simple desktop locking/unlocking is not a substitute for that)

Hi, SysOp,

Finally I know what causes the problem. I don't know how to explain it technically, but the problem lies in the folder that the Logon.exe exists. That folder was copied from another computer, so I guess the privileges are inherited from that computer. Even though I have full control of the files with in it, the permission with the folder prevents Logon to work.

Actually, I verified the permissions with that folder quite a long time ago and changed permissions to "full control". However, the change now seems not effective at all.

Thanks for your timely and patient help these days! I really appreciate that!

Best,
sq8aaa