
List:       ms-cryptoapi
Subject:    Re: Help! - WinVerifyTrust fails for non-Administrator
From:       Peter Bodenmann <peter.bodenmann () GMX ! CH>
Date:       2000-12-17 22:17:25


You can have a service running as SYSTEM spawn a command shell, e.g. start
the Schedule service and register a task 'cmd' to be started in a minute. From
this command shell you can run whatever process you want as SYSTEM.

hth
Peter

-----Original Message-----
From: Microsoft Cryptographic API [mailto:CryptoAPI@DISCUSS.MICROSOFT.COM] On Behalf Of Paul Holmes
Sent: Friday, 15 December 2000 18:28
To: CryptoAPI@DISCUSS.MICROSOFT.COM
Subject: Re: Help! - WinVerifyTrust fails for non-Administrator


After a little more testing, here are the cases of running WinVerifyTrust
from a WinNT service to authenticate a signature in a CAB file:

- Using system account to log on: error 800B010B, Generic trust failure
- Using Administrator account: hangs, presumably showing invisible
verification dialog (you can't see UI elements created by a service)
- Using Administrator account after running ChkTrust and selecting "Always
trust...": success (verification dialog is suppressed)
- Using normal user account: error 800B010B, Generic trust failure
- Using normal user account after registering initpki.dll while logged on
as that user: hangs on invisible verification dialog
- Using normal user account after registering initpki.dll and running
ChkTrust and selecting "Always trust...": success

So I gather that WinVerifyTrust (even when run from ChkTrust) will ALWAYS
fail for ANY user until this initpki.dll file is registered while logged on
as that user.  Just how are we supposed to know that?  I certainly didn't
see that mentioned in any documentation, and only noticed it by sheer luck
from the archives in this discussion group.  It's also pretty hokey that
you can't call WinVerifyTrust in unattended mode (i.e., without invoking
the verification dialog) until you've run ChkTrust and clicked the "Always
trust..." box.

Anyway, I'm now at the point where I can get a service logging on as a
"normal user" to work, but I want it to work when the service is logged on
using the system account.  You can't log on as the system account yourself,
so how can you possibly register initpki.dll or run ChkTrust to get this
whole thing working?  Is there another method for getting this done?





Carlos Lopez <clopez@MICROSOFT.COM>
Sent by: Microsoft Cryptographic API <CryptoAPI@DISCUSS.MICROSOFT.COM>
12/14/2000 06:11 PM
Please respond to Microsoft Cryptographic API

To: CryptoAPI@DISCUSS.MICROSOFT.COM
cc:
Subject: Re: Help! - WinVerifyTrust fails for non-Administrator





What error is WinVerifyTrust returning?

-----Original Message-----
From: Paul Holmes [mailto:Paul.Holmes@DONOVANDATA.COM]
Sent: Thursday, December 14, 2000 12:15 PM
To: CryptoAPI@DISCUSS.MICROSOFT.COM
Subject: Help! - WinVerifyTrust fails for non-Administrator


I'm writing a WinNT service which uses WinVerifyTrust to authenticate the
signatures in CAB files it downloads from my company's FTP server, but I'm
having problems.

On Win2000, it always works.  But on WinNT 4.0, I get the following
results:
- when I log on as Administrator and run my code as a normal .EXE, it works
- when my service is set up to log on as Administrator, it works
- when my service is set up to log on using the system account, or with any
other user ID (including IDs that are members of the local "Administrators"
group), it fails!

At first I was just getting errors back from WinVerifyTrust.  Then I saw
something in this discussion group about registering initpki.dll while
logged on as the user your service logs on with.  I tried that, but now it
hangs on WinVerifyTrust.  I'm guessing it's showing the verification
dialog, but since it's being run by a service, it isn't visible.

My ultimate goal is to have the service run under the system account, NOT
get the verification dialog, and return the correct results.  Is this
possible?

If I'm asking a question with a documented answer, please tell me where to
find it.  I've been all over MSDN but I have yet to see any worthwhile
documentation on the subject.  Certainly WinVerifyTrust's documentation
doesn't mention anything about installing root certificates!  Frankly, I've
been trying things blind and at random, so any recommendations about
quality docs would be appreciated.

Thanks in advance.

----------------------------------------------------------------
Users Guide http://msdn.microsoft.com/workshop/essentials/mail.asp
contains important info. Save time, search the archives at
http://discuss.microsoft.com/archives/index.html .
To unsubscribe, mailto:CryptoAPI-signoff-request@DISCUSS.MICROSOFT.COM

