Windows Service running as a specific user (not Local System) cannot use msiexec


I am creating a Windows Service in C++.

I want to allow the Windows Service to update itself (upon a certain trigger) by running msiexec /p patch.msp /quiet /qn.

I am currently using the Windows function CreateProcessW to achieve this, and it works correctly as long as the service is running as Local System. The service creates a new process which executes the msiexec command, and the service is updated correctly. However, I require the service to run as another user, not Local System. I have configured Log On As user for the service, and granted the user the necessary permissions for the service to do its tasks. Everything about the service works when running as the other user, except this msiexec command.

Although the service successfully issues the msiexec command, the actual installation is failing with the following msi log:

=== Verbose logging started: 2/13/2024  17:11:03  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\system32\msiexec.exe ===
MSI (c) (E8:64) [17:11:03:661]: Resetting cached policy values
MSI (c) (E8:64) [17:11:03:661]: Machine policy value 'Debug' is 0
MSI (c) (E8:64) [17:11:03:661]: ******* RunEngine:
           ******* Product: {*******}
           ******* Action: 
           ******* CommandLine: **********
MSI (c) (E8:64) [17:11:03:663]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (E8:64) [17:11:03:663]: Grabbed execution mutex.
MSI (c) (E8:64) [17:11:03:671]: Failed to connect to server. Error: 0x80070005

MSI (c) (E8:64) [17:11:03:673]: Note: 1: 2774 2: 0x80070005 
1: 2774 2: 0x80070005 
MSI (c) (E8:64) [17:11:03:674]: Failed to connect to server.
MSI (c) (E8:64) [17:11:03:674]: MainEngineThread is returning 1601
=== Verbose logging stopped: 2/13/2024  17:11:03 ===

I have tried these other scenarios, which work fine:

  • Opening a cmd prompt as the user and running the service exe from that console (not as a service) results in the msiexec command working correctly!
  • Adding the user to the Administrators group allows the service to issue the msiexec command correctly!

I have researched the issue--I know 0x80070005 is an "Access denied" code without further explanation. I have found these issues:

None of these answer my question exactly, though they come close. It seems like it may be a problem that the service is creating a process that is not interactive, or in session 0, and that these might interfere with msiexec.

  • Is there a permission or user right or group I can add to my service's user that will allow msiexec to run correctly? (besides adding the user to Admin)
  • Is there some parameter in CreateProcessW and adjacent functions that might be required, maybe?
  • If it's not possible using this method, why? The above posts reference session 0 and interactivity, but the service works correctly when the user is an Admin, while the service is still running in session 0 and without interactivity. Any explanation or intuition about any of this is welcome.
  • Any other ideas for achieving my goal with other methods?
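Added example, not part of the original post: a portable C++ helper that reads the failing lines of the verbose log quoted in the question and decodes the HRESULT and the msiexec return code. It assumes the log has already been converted to narrow text; `MsiFailure`, `parseMsiLog` and `installerServiceAccessDenied` are hypothetical names.

```cpp
// Added example, not from the original post: triage of an MSI verbose log.
#include <cstdint>
#include <optional>
#include <sstream>
#include <string>

// Three lines copied from the log in the question, used as sample input.
const char* kSampleLog =
    "MSI (c) (E8:64) [17:11:03:671]: Failed to connect to server. Error: 0x80070005\n"
    "MSI (c) (E8:64) [17:11:03:674]: Failed to connect to server.\n"
    "MSI (c) (E8:64) [17:11:03:674]: MainEngineThread is returning 1601\n";

struct MsiFailure {                   // hypothetical type for this example
    std::optional<uint32_t> hresult;  // "Failed to connect to server. Error: 0x..."
    std::optional<long> exitCode;     // "MainEngineThread is returning N"
    bool clientSide = false;          // failure logged by the client, "MSI (c)"
};

// Text following `key` on `line`, or nullopt when the key is absent.
static std::optional<std::string> after(const std::string& line, const std::string& key) {
    auto pos = line.find(key);
    if (pos == std::string::npos) return std::nullopt;
    return line.substr(pos + key.size());
}

MsiFailure parseMsiLog(const std::string& log) {
    MsiFailure f;
    std::istringstream in(log);
    for (std::string line; std::getline(in, line);) {
        if (auto hr = after(line, "Failed to connect to server. Error: ")) {
            f.hresult = static_cast<uint32_t>(std::stoul(*hr, nullptr, 16));
            f.clientSide = line.rfind("MSI (c)", 0) == 0;
        } else if (auto rc = after(line, "MainEngineThread is returning ")) {
            f.exitCode = std::stol(*rc);
        }
    }
    return f;
}

// HRESULT layout: bit 31 = failure, bits 16..26 = facility, bits 0..15 = code.
unsigned facilityOf(uint32_t hr) { return (hr >> 16) & 0x7FFu; }
unsigned codeOf(uint32_t hr) { return hr & 0xFFFFu; }

// True for exit code 1601 (ERROR_INSTALL_SERVICE_FAILURE) together with a
// FACILITY_WIN32 (7) failure HRESULT wrapping ERROR_ACCESS_DENIED (5).
bool installerServiceAccessDenied(const MsiFailure& f) {
    return f.exitCode == 1601 && f.hresult && (*f.hresult >> 31) == 1 &&
           facilityOf(*f.hresult) == 7 && codeOf(*f.hresult) == 5;
}
```

For the log in the question this reports that the client-side msiexec process was denied access when connecting to the Windows Installer service. `std::stoul` and `std::stol` throw on malformed numbers, so catch exceptions around `parseMsiLog` when the log may be truncated.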