Windows服务使用本地系统帐户启动的可执行文件无法访问网络共享 [英] Executable started by a windows service using the local system account cannot access network shares

问题描述

我有一个由Windows服务启动的可执行文件，该程序将在客户计算机上运行，​​并且需要连接到远程共享以执行特定任务.此份额是由客户通过用户界面指定的，因此我们不事先知道，这意味着它不能被硬编码"，也不能被预先映射.

I have an executable that is started by a windows service, this program will be run on a customers machine and will need to connect to a remote share to perform a particular task. This share is specified by the customer via a UI, so we do not know this in advance meaning it can't be "hard-coded", or the share mapped in advance.

以前，我们要求客户登录其计算机并在登录时运行可执行文件，但我们一直希望允许我们的程序在服务中运行，而无需登录，主要是为了简化操作为客户服务，并防止任何意外注销关闭我们的软件.因此，这也意味着我们不知道客户计算机上存在哪些本地用户帐户，因此我们必须使用本地系统帐户来启动服务.

Previously we required the customer to log on to their machine and run the executable on log-on , but we have always wanted to allow our program to run within a service and not require a log-in, primarily to make it easier for the customer and prevent any accidental log-outs shutting down our software. So this also means we don't know what local user accounts exist on a customers machine, so we have to start the service using the local system account.

如上所述，我们现在有一个包装器服务，用于启动可执行文件并执行各种任务.在大多数情况下，这似乎可以正常工作，并且可以正常访问底层网络-我们软件的目的主要是捕获数据包等.

We now have, as mentioned above, a wrapper service to start the executable and perform various tasks. This appears to work fine in most cases and accesses the underlying network fine - our software's purpose mainly involves capturing packets etc.

但是，当软件尝试连接到Windows共享(UNC名称)时，它无法连接.而如果该可执行文件是手动启动的，则可以正常连接.

However, when the software tries to connect to a windows share (UNC name) it cannot connect. Whereas if the executable was started manually it connects fine.

我通常看到的解决此类问题的建议似乎都说使用用户帐户，因为系统帐户无法访问网络共享，但是在我们的情况下这是不可能的.还有其他方法可以使它正常工作吗?

The suggestions I have generally seen to resolve these kind of issues appear to all say use a user account as the system account cannot access network shares, but in our case this isn't possible. Is there any other way we could get this to work?

我忘了提到此应用程序可以(并且通常会在)Win2K而不是XP上运行，我想说的很对，就是在XP之前不可以使用本地网络帐户?/strong>

I forgot to mention that this application could (and most commonly will be) run on Win2K not XP, and I think I'm right in saying that the Local Network account is not available before XP?

推荐答案

如果您可以更改Windows服务，使其在网络服务帐户下运行，则您的可执行文件将能够访问网络共享(这是为什么这样做的原因之一.网络服务帐户已创建).

If you can change your windows service so that it runs under the Network Service account, then your executable will be able to access network shares (this is one reason why the Network Service account was created).

本地系统和本地服务帐户没有任何网络凭据，因此无法在网络上进行身份验证.这是设计使然.

The Local System and Local Service accounts do not have any network credentials, and thus can't be authenticated on the network. This is by design.

IIRC，它是Server 2003中引入的网络服务帐户，并已添加到其中一个XP Service Pack中.

IIRC, the Network Service account was introduced in Server 2003, and added to one of the XP service packs.

如果您不能依靠可用的网络服务帐户，则可以考虑创建一个专用域帐户，将该帐户的凭据存储在某个位置，从服务内部读取它们，然后登录并模拟该用户，然后再访问网络分享.另外，Windows服务可以直接作为专用帐户运行，在这种情况下，它将需要登录即服务"特权.

If you cannot rely on the Network Service account being available, then you might consider creating a dedicated domain account, storing the account's credentials somewhere, reading them from inside your service, then loging in and impersonating that user prior to accessing the network share. Alternatively, the windows service could run as the dedicated account directly, in which case it would require the "logon as a service" privilege.

这篇关于Windows服务使用本地系统帐户启动的可执行文件无法访问网络共享的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！