423,818 Members | 2,250 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 423,818 IT Pros & Developers. It's quick & easy.

"Requested registry access is not allowed." and performance counte

P: n/a
I'm writing a Web Service and I would like to add performance counter data
for monitoring performance of the Web Service's operations over time and load.

The problem is, I get the "Requested registry access is not allowed."
SecurityException when I try and create the performance counter category via
PerformanceCounterCategory.Create().

I understand the login used to run the Web Service does not have access to
the registry keys PerformanceCounterCategory is trying to access. The only
similar references I could find involve EventLog registry entries (KB 329291)
or granting access to PerfLib registry key. But adding ASPNET to the PerfLib
key doesn't help.

I'm not fond of having the category and the counters persist beyond the life
of the web service (they don't make sense when it's not running) so, I'd
rather not go the route of creating an Installer assembly and using
EventLogInstaller as part of an installation process, as one of the options
described in KB 329291.

I'd also like to avoid having to grant full trust to any assemblies. The
one option is to create a APTC FullTrust assembly to do the category creation
and counter incrementing; but, that complicates installation more than I'd
like.

Is it possible to simply grant a user rights to a set of registry entries to
get around this, or is there another solution besides the above, or is one of
the above the "recommended" solution for this issue?

--
http://www.peterRitchie.com/

Jun 15 '06 #1
Share this Question
Share on Google+
7 Replies


P: n/a
Hi Peter,

Thank you for posting here.

From your description, you're dynamically creating
PerformanceCounter/Category in your ASP.NET webservice's code, however,
you're euncountering smoe security exception against the registry accessing
at runtime, correct?

Based on my experience, there does exists some issues regarding on the
ASP.NET idenitity doesn't have sufficient permission for accessing certain
registry entry. For your scenario, your ASP.NET application is running on
XP box, by default the ASP.NET process idenitity is the machine\ASPNET
account, however, I'm wondering whether you've used any other security
related setting in IIS or ASP.NET such as impersonation which could change
the default process idenitity of ASP.NET. You can verify this in your web
application, and here is a kb article introduce the ASP.NET process
identity:

#Process and request identity in ASP.NET
http://support.microsoft.com/?id=317012

Also, since the security exception is still complaining about the registry,
I suggest you use the regmon tool to trace the registry accessing failure,
this tool is very good at capturing reigstry access problem:

http://www.sysinternals.com/utilities/regmon.html

BTW, to help make the troubleshooting simplifed, I suggest you keep your
ASP.NET application running as "Fulltrust" mode(this is the default mode if
you haven't explicitly change the Trust level in your machine.config or
web.config).

Hope this helps.

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead
==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Jun 16 '06 #2

P: n/a
Hi Steven. Thanks for the reply. Had a server-down situation, so it took me
a couple of days to get back to this...

After some inspection with RegMon it would appear that the ASPNET account
also needs full control over HKLM\System\CurrentControlSet\Services. I tried
several advanced permissions options, like "this key only" and "Set Value"
and "Create Subkey"; but could only get it to work if I can the ASPNET
account full control over HKLM\System\CurrentControlSet\Services--which
doesn't give me a warm-and-fuzzy.

Doing that gets rid of the "Requested registry access is not allowed"
exception text. The process gets further, by creating the
Performance-counter--related sub-keys in
HKLM\System\CurrentControlSet\Services; but,
PerformanceCounterCategory.Create now raises a Win32Exception with Message
property equal to "The handle is invalid" or ErrorCode == 0x80004005.

--
http://www.peterRitchie.com/
"Steven Cheng[MSFT]" wrote:
Hi Peter,

Thank you for posting here.

From your description, you're dynamically creating
PerformanceCounter/Category in your ASP.NET webservice's code, however,
you're euncountering smoe security exception against the registry accessing
at runtime, correct?

Based on my experience, there does exists some issues regarding on the
ASP.NET idenitity doesn't have sufficient permission for accessing certain
registry entry. For your scenario, your ASP.NET application is running on
XP box, by default the ASP.NET process idenitity is the machine\ASPNET
account, however, I'm wondering whether you've used any other security
related setting in IIS or ASP.NET such as impersonation which could change
the default process idenitity of ASP.NET. You can verify this in your web
application, and here is a kb article introduce the ASP.NET process
identity:

#Process and request identity in ASP.NET
http://support.microsoft.com/?id=317012

Also, since the security exception is still complaining about the registry,
I suggest you use the regmon tool to trace the registry accessing failure,
this tool is very good at capturing reigstry access problem:

http://www.sysinternals.com/utilities/regmon.html

BTW, to help make the troubleshooting simplifed, I suggest you keep your
ASP.NET application running as "Fulltrust" mode(this is the default mode if
you haven't explicitly change the Trust level in your machine.config or
web.config).

Hope this helps.

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead
==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights

Jun 21 '06 #3

P: n/a
Hello,

When get the exception "The handle is invalid", are there any Access Denied
in the regmon log? You may also monitor it with another utility named
"Filemon" ( same from www.systeminternal.com), which can monitor access on
files I/O.

Also, to confirm it is a security issue, you may try run your applicaiton
in full trust and under a local administrator account; if this can make it
work, than change them back and monitor it with filemon&regmon. They may
help us find something.

Reagrds,

Luke Zhang
Microsoft Online Community Lead

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Jun 22 '06 #4

P: n/a
I believe there was no access denied entries in the Regmon log; I'll
double-check and repost if there were some.

I'll try with an admin account (an application performing the same action
running in the admin account works fine); but, my guess is it will work fine.
I'll spark up filemon with regmon and run some tests and let you know.

Thanks,
--
http://www.peterRitchie.com/
"Luke Zhang [MSFT]" wrote:
Hello,

When get the exception "The handle is invalid", are there any Access Denied
in the regmon log? You may also monitor it with another utility named
"Filemon" ( same from www.systeminternal.com), which can monitor access on
files I/O.

Also, to confirm it is a security issue, you may try run your applicaiton
in full trust and under a local administrator account; if this can make it
work, than change them back and monitor it with filemonĀ®mon. They may
help us find something.

Reagrds,

Luke Zhang
Microsoft Online Community Lead

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights

Jun 22 '06 #5

P: n/a
Thank you for the reply. I will be here and wait for your update.

Regards,

Luke Zhang
Microsoft Online Community Lead

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Jun 23 '06 #6

P: n/a
Hi Luke.

I switched the aspnet_wp.exe user from ASPNET to administrator and re-tried
the code. There were no exceptions (i.e. no Win32Exception with message ==
"invalid handle").

There were also no ACCESS DENIED reported by regmon or filemon with the
aspnet_wp.exe user being ASPNET or administrator.

There are a few BUFFER OVERFLOW results from some of the performance counter
registry entries though, with either user.
--
http://www.peterRitchie.com/
"Peter Ritchie" wrote:
Hi Steven. Thanks for the reply. Had a server-down situation, so it took me
a couple of days to get back to this...

After some inspection with RegMon it would appear that the ASPNET account
also needs full control over HKLM\System\CurrentControlSet\Services. I tried
several advanced permissions options, like "this key only" and "Set Value"
and "Create Subkey"; but could only get it to work if I can the ASPNET
account full control over HKLM\System\CurrentControlSet\Services--which
doesn't give me a warm-and-fuzzy.

Doing that gets rid of the "Requested registry access is not allowed"
exception text. The process gets further, by creating the
Performance-counter--related sub-keys in
HKLM\System\CurrentControlSet\Services; but,
PerformanceCounterCategory.Create now raises a Win32Exception with Message
property equal to "The handle is invalid" or ErrorCode == 0x80004005.

--
http://www.peterRitchie.com/
"Steven Cheng[MSFT]" wrote:
Hi Peter,

Thank you for posting here.

From your description, you're dynamically creating
PerformanceCounter/Category in your ASP.NET webservice's code, however,
you're euncountering smoe security exception against the registry accessing
at runtime, correct?

Based on my experience, there does exists some issues regarding on the
ASP.NET idenitity doesn't have sufficient permission for accessing certain
registry entry. For your scenario, your ASP.NET application is running on
XP box, by default the ASP.NET process idenitity is the machine\ASPNET
account, however, I'm wondering whether you've used any other security
related setting in IIS or ASP.NET such as impersonation which could change
the default process idenitity of ASP.NET. You can verify this in your web
application, and here is a kb article introduce the ASP.NET process
identity:

#Process and request identity in ASP.NET
http://support.microsoft.com/?id=317012

Also, since the security exception is still complaining about the registry,
I suggest you use the regmon tool to trace the registry accessing failure,
this tool is very good at capturing reigstry access problem:

http://www.sysinternals.com/utilities/regmon.html

BTW, to help make the troubleshooting simplifed, I suggest you keep your
ASP.NET application running as "Fulltrust" mode(this is the default mode if
you haven't explicitly change the Trust level in your machine.config or
web.config).

Hope this helps.

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead
==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights

Jun 23 '06 #7

P: n/a
Hi Peter,

Thank you for the information. So, it is still a permission issue since the
error disppeared after you change the identity. If you change it back and
moniter with regmon & Filemon, can you get some Access denied error in the
log file?

Additionally, ccan you explain more abou the error "BUFFER OVERFLOW"? how
did you find it?

Regards,

Luke Zhang
Microsoft Online Community Lead

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Jun 26 '06 #8

This discussion thread is closed

Replies have been disabled for this discussion.