[Mongrel] Mongrel as Windows service with normal privileges

Ingmar Stieger ml at stiegerhs.de
Thu Jun 5 10:19:03 EDT 2008

Luis Lavena wrote:

> Hmn, looks like user web user is too limited to do anything.  

Interesting: The result of proc_info.exe is different when I log in 
interactively with the "web" user:

EnumProcessModules (PID, name): 228       proc_info.exe
Module32First (PID, name): 228            proc_info.exe
GetProcessImageFileName (PID, name): 228  

EnumProcessModules (PID, name): 3312      cmd.exe
Module32First (PID, name): 3312           cmd.exe
GetProcessImageFileName (PID, name): 3312 
Press Enter.

The previous attempt with "runas" had PID 244 as parent process id, 
which at that time was "svchost.exe". The full process hierarchy looked 
like this (gathered with Process Explorer):

System - smss.exe - winlogon.exe - services.exe - svchost.exe - 

It seems not to be only the user, but also the way the executeable is 
started. The "web" user may query its parent process if it is cmd.exe, 
but not if the parent is svchost.exe. I do not know how svchost starts 
its child processes, but apparently with less rights than the command 
shell does...

> How normal is normal? I mean, it can log in? it has applied some group
> policy stuff in it?
> Just for the sake of testing, can you create a "limited" account using
> the control panel and try running proc_info.exe with it?
> With that info maybe I can figure out what's wrong.
> Thanks for your time,

The "normal" user may run the whole rails stack as service without 
problems. I hacked ServiceFB_Utils.bas to ignore the result of 
parent_name, and now it works as expected (btw, you are right, FreeBasic 
isnt' that hard :)) with limited rights. The test was run on the 
isolated XP home machine, so no group policies are in effect.

Hope this helps,

More information about the Mongrel-users mailing list