Windows 服务:在作为 LocalSystem 运行时侦听套接字 [英] Windows service: Listening on socket while running as LocalSystem
问题描述
我正在用 C 为 Windows 编写一个类似服务器的小程序(使用 MinGW/GCC,在 Windows 7 上测试),它最终应该作为使用 LocalSystem 帐户的服务运行.我正在创建一个套接字,并使用 Windows 套接字 bind()、listen() 和 accept() 来侦听传入的连接.如果我从命令行运行应用程序(即不是作为服务,而是作为普通用户),我从外部 IP 连接到它没有问题.但是,如果我使用 LocalSystem 帐户将程序作为服务运行,则只能从我自己的 PC 连接到该服务,使用 127.0.0.1 或我的本地地址 192.168.1.80(我在小型本地网络中的路由器后面).使用我的本地地址的同一本地网络中的外部 IP 和其他 PC 现在都无法连接,即使没有作为服务运行也没有问题.
I'm writing a small server-like program in C for Windows (using MinGW/GCC, testing on Windows 7) which is eventually supposed to run as a service with the LocalSystem account. I am creating a socket, and using Windows Sockets bind(), listen() and accept() to listen for incoming connections. If I run the application from the command line (i.e. not as a service, but as a normal user), I have no problems connecting to it from external IPs. However, if I run the program as a service with the LocalSystem account, I can only connect to the service from my own PC, either with 127.0.0.1 or my local address, 192.168.1.80 (I'm behind a router in a small local network). Neither external IPs nor other PCs in the same local network, using my local address, can connect now, even though there were no problems without running as a service.
现在,我听说当作为 LocalSystem 或 LocalService 运行时,网络的处理方式不同,甚至无法访问(?),或者服务无法同时访问桌面和网络(注意:我的服务不是交互式的)时间出于安全考虑.本质上,我需要找出出了什么问题/如何侦听服务中的连接.作为 NetworkService 运行与作为 LocalSystem 运行相同,但可以访问网络吗?肯定有可以作为后台服务运行的服务器,那他们是怎么做的呢?
Now, I've heard that networking is handled differently or even not accessible (?) when running as LocalSystem or LocalService or that services cannot access both the desktop and the network (note: my service is not interactive) at the same time due to security considerations. Essentially, I need to find out what's going wrong/how to listen for connections in a service. Is running as NetworkService the same as running as LocalSystem, but with network access? Surely there must be servers that can run as background services, so how do they do it?
更新:似乎关闭防火墙的建议是正确的——在 Windows 防火墙中添加例外后,我可以获得连接.我想我没有考虑防火墙,因为当您正常运行使用套接字的应用程序时,您会收到要求添加异常的提示,这在第一次运行服务时不会发生.有没有比手动将规则添加到防火墙更好的方法来处理这个问题?LocalSystem 是否有权向防火墙本身添加规则,还是我必须在安装过程中以某种方式执行此操作?
UPDATE: It seems that the suggestions to turn off the firewall were on the right track – I can get a connection after adding an exception in the Windows Firewall. I guess I wasn't thinking about the firewall because when you run an application using sockets normally, you get a prompt asking to add an exception, which doesn't happen when a service is run for the first time. Is there a better way to handle this than adding the rule to the firewall manually? Does LocalSystem have the privileges to add a rule to the firewall itself or would I have to do this during installation somehow?
推荐答案
作为其他答案(来自 rkosegi 和 Ben Voigt) 建议,Windows 防火墙阻止了端口,因为我将可执行文件移动到不同的位置进行安装,并且因为服务不会导致连接已被阻止的通知(以及取消阻止应用程序的按钮)出现.我最终在 .bat 文件中使用 netsh advfirewall firewall add rule name="%name%" dir=in action=allow program="%path%" enable=yes 来轻松添加例外到防火墙.
As the other answers (by rkosegi and Ben Voigt) suggested, the Windows Firewall was blocking the port because I moved the executable to a different location for installation and because services do not cause the notification that a connection has been blocked (along with a button to unblock the application) to appear. I ended up using netsh advfirewall firewall add rule name="%name%" dir=in action=allow program="%path%" enable=yes in a .bat-file to easily add an exception to the firewall.
这篇关于Windows 服务:在作为 LocalSystem 运行时侦听套接字的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
