The Core Technologies Blog

Professional Software for Windows Services / 24×7 Operation


Service Protector 10: Advanced Sanity Checks for 100% Uptime

After months of coding and testing, we released Service Protector 10.0 on May 10. Here’s a quick rundown of what’s new in this release:

Restart your Windows Service if a specific drive letter isn’t available

Does your Windows Service use files or folders on a mapped drive?

Or is your service responsible for mapping a drive letter?

If so, you should use Service Protector’s newest sanity check to detect when the drive mapping fails and promptly restart your service.

With Service Protector watching the drive, you won’t need to rely on calls from your customers to alert you of a problem. And you won’t have to dial in at all hours to fix your failing software.

How to monitor a drive mapping

The “check drive mapping” sanity check is very easy to use. For example, here’s how to verify that the P drive is always available:

  1. Edit your service in Service Protector (or add a new one if you like).

  2. Switch to the Monitor tab.

  3. Check the Whenever it fails a periodic sanity check box and click the Set button to the right:

    Setup a sanity check to monitor your Windows Service
  4. In the window that comes up, select the Check that a drive is mapped entry and click Next to proceed:

    Choose the drive mapped sanity check
  5. Select the “P” drive:

    Select the P drive
  6. After clicking the Next button, specify how often Service Protector should check that the P drive is available. Every 5 minutes is probably good enough:

    Configure how often to check the drive mapping
  7. Click Next to continue.

  8. Finally, confirm that the sanity check is configured as you expect. Click Add if you’re satisfied:

    Confirm the sanity check
  9. Save your changes in Service Protector.

And that’s it. With the sanity check keeping watch, Service Protector will automatically recycle your service if your drive mapping fails.

Set a timeout when checking that an HTTP/HTTPS web server is responding

The web server sanity check now accepts a timeout parameter, to indicate how long to wait for a response from the server before failing the request.

Why the change?

Previous versions of Service Protector waited indefinitely for the web server to answer. However, that caused a problem for a customer monitoring Microsoft’s IIS service.

For some unknown reason, his IIS would occasionally stop serving pages. When that happened, his users accessing the site from a browser would see an error indicating that the site was inaccessible. He configured Service Protector to check his site every couple of minutes and restart IIS if the URL stopped responding.

But it didn’t work! Service Protector reported that the service was functioning fine — even when the browser said otherwise.

After investigating, we figured out what was going wrong. IIS wasn’t refusing to serve web pages. It was returning the data just fine — but it was taking over 5 minutes to do so!

When IIS takes so long to respond, the browser gives up waiting and displays an error. That’s what the users were seeing.

But Service Protector would wait patiently for IIS to respond and declare the lengthy process a success. That’s why it wasn’t restarting IIS.

We introduced the new timeout option to fix the mismatch. You set the value (in seconds) right below the URL:

Set a timeout for the web server sanity check

Once the customer configured a 30-second timeout, Service Protector was able to detect the sluggishness and promptly restarted IIS. Problem solved!

Easily test if your Windows Service has open TCP/IP network connections

You couldn’t easily test the TCP/IP network connections sanity check in previous versions of Service Protector. Because of that, the Check now button was disabled.

Service Protector 10 activates the feature, allowing you to verify the selected service on demand:

Check network connections for your Windows Service

You may find that helpful as you decide how to deploy the sanity check in your environment.

For example, here are the results of checking the Print Spooler Windows Service on our machine:

Print Spooler service network connections

You can see that the Spooler service has an open listening TCP/IP connection, as expected.

Other fixes & improvements

  • To help with troubleshooting, Service Protector now shows the HTTP response and/or headers when manually running the web server sanity check. That way you’ll know exactly what is coming back from your web server, and you can configure the sanity check accordingly.

    For example, here’s what Service Protector returned when checking our company website:

    Service Protector shows the HTTP response

    You can copy the text to the clipboard and make sure that the response is exactly as you expect.

  • Based on feedback from our customers, the web server sanity check now treats HTTP status codes 1XX and 3XX as success. Only status codes 4XX and 5XX are treated as errors that will restart your service.

  • We enlarged the text and icons on the taskbar tray menu, to improve readability:

    The taskbar menu entries are easier to read

As usual, please review the release notes for the full list of features, fixes and improvements included in Service Protector version 10.0.

Upgrading to Service Protector 10

If you purchased Service Protector version 9 (after April 2023), you can upgrade to version 10 for free. Simply download and install over your existing installation to preserve your existing services and all settings. That way, your registration code will continue to work.

If you bought Service Protector 8 or earlier (before April 2023), you will need to upgrade to use version 10.

Please buy upgrades here — at a 50% discount.

See the complete upgrade policy for more details.

Enjoy!

Posted in Service Protector

Is it Safe to Automatically Log In to my Computer?

Is it Safe to Automatically Log In to my Windows Computer?

What is automatic logon? Why would I use it?

Automatic logon — also known as an auto logon — is a feature where Windows automatically signs you in at boot. It’s largely viewed as a convenience, but it can improve the uptime of your important applications as well.

To understand why you may want to set up auto logon, let’s dig into the Windows boot process.

Windows starts your programs only after you log in

When you turn on your computer, Windows:

  1. Initializes itself and its devices (keyboard, mouse, etc.);

  2. Starts important Windows Services (to support networking, security, and other key functionality);

  3. Displays a login screen and waits for you to enter your user name and password:

    Windows 11 login screen

That’s it. If you never log on, nothing else happens. Most significantly, Windows doesn’t start any of your programs.

Why might that be a problem?

If you’ve got software that should be running all the time, the Windows boot process presents a complication.

To illustrate, suppose you’ve got a media sharing program running on your desktop. It’s serving your catalog of movies to the other devices on your home network. At this point, the software is working well and your kids are happily streaming content to their tablets.

Suddenly, a power fluctuation causes your PC to shut off. But not to worry — the power soon resumes and your computer comes back to life after a brief interruption.

However, even though your PC restarted automatically, it will be stuck at the login screen, waiting for you to sign in. Your media sharing program won’t start and your family won’t be able to access your catalog of movies. Bummer!

Automatic logon enables your programs to start at boot

With auto logon enabled, Windows behaves differently at boot. It:

  1. Initializes itself and its devices (keyboard, mouse, etc.);

  2. Starts important Windows Services (to support networking, security, and other key functionality);

  3. Automatically signs you into your account;

  4. Loads your desktop and launches all programs set to start at sign-in.

As a result, when you walk up to your PC, you don’t see a login screen. Instead, you see your desktop — with all your startup programs running.

The effect is that all your programs set to start at sign-in (i.e. the ones in your “startup folder”) will run whenever your computer boots.

Automatic logon can save time too

In certain environments, it can be an annoyance having to log in each time your computer restarts. If you’re the only person with an account and no one else has access, why not save a few seconds by automatically loading your desktop and starting your favorite programs? That way, your PC is always ready to go when you show up.


How do I enable auto logon?

Auto logon is governed by a set of values in the Windows registry. Because of that, you can turn on automatic logon in one of three ways:

  1. Run “regedit” and manually update the Windows registry. You’ll add three new values:
    Set auto-logon registry values with Regedit

    However, that method is discouraged because you record your password in plain text in the registry (see the screenshot above). Anyone with access to the registry can see your password.

  2. Run the netplwiz command. In the User Accounts window that pops up, uncheck the Users must enter a user name and password to use this computer option, click OK and follow the prompts:
    Use netplwiz to setup auto logon

    If you don’t see the checkbox at the top, you may have to restore it first.

    From a security perspective, netplwiz stores your password encrypted in the Local Security Authority (LSA) subsystem. That’s better than storing your password in plain text, but it’s not foolproof either. More on that later when we discuss security risks.

  3. Download and run Microsoft’s free Autologon utility. Its interface is straightforward and to the point:
    Use Autologon to automatically sign in at boot

    Note that Autologon also stores your password encrypted in the LSA system so it’s no more or less secure than using “netplwiz”.

We recommend using Microsoft’s Autologon tool. It’s safer than manually hacking the registry and it’s easier to use than “netplwiz”. Furthermore, Autologon works the same way on all versions of Windows.


When is automatic logon a security risk?

Auto logon raises security concerns in a couple of areas.

Risk #1: Anyone with physical access to your PC can use it

The first risk is easy to imagine.

Under normal circumstances, your PC boots up to the login screen. Anyone wanting to use the computer must authenticate — usually by providing a user name and password.

But with automatic logon, that authentication step is removed. Once Windows signs in to the designated account and loads the desktop, anyone who walks up to the computer has full access to the device.

That may not be an issue in a private, home environment but it could lead to disaster in a public setting. Someone with malicious intent could cause a lot of trouble.

Risk #2: An administrator can obtain your password

This second risk is more technical.

If you enabled auto logon by editing the registry, your password is trivially available to anyone who can run regedit. So don’t do that! At minimum, you should use one of the methods that encrypts your password. Again, Microsoft Autologon gets our vote.

Unfortunately though, the password encryption doesn’t provide as much protection as it should.

Recall that your encrypted password is managed by the Local Security Authority (LSA) subsystem. The LSA stores its sensitive information — LSA secrets — in a protected area of the registry. That protection is better than nothing, but the reality is that anyone with administrator level access can read the encrypted LSA secrets.

But as it turns out, LSA secrets aren’t very secret. You may be amazed to learn that free tools like Nirsoft’s LSASecretsView can crack the encrypted passwords in a matter of seconds!

The upshot is that if you set up auto logon, it’s possible for an administrator to discover the password to your account.


What can I do to mitigate the risks and make auto logon safe?

Here are five tips to improve security and reduce the risks associated with automatic logon.

Tip #1: If the computer has a physical console, lock the screen after logon

Here, the idea is to quickly put up the login screen after the auto logon has occurred. If that’s done, no one walking up to the computer will have access without first signing in.

To implement that solution:

  1. Create a new batch file and add this line:

    rundll32.exe user32.dll,LockWorkStation

    When run, that command locks your screen. You will have to log in to use your computer. Run it now and see!

  2. Place a shortcut to the batch file in your startup folder, so that it starts whenever you sign in.

    Add the lock-screen batch file to your startup folder

With that new startup batch file in place, Windows will automatically log you in and lock the screen soon afterwards. Your computer will once again be protected from unauthorized users.

Note however — there may be a short period where your computer is unprotected. That’s because it may take a few seconds for Windows to run the batch file that locks the screen.

In our experiments, we noticed between 5 and 30 seconds where the desktop was visible and unlocked. For much of that time though, the computer wasn’t usable as Windows was busy preparing the desktop. The period of accessibility was quite small.

Tip #2: Even better, only activate auto logon when there isn’t a physical console

Of course, the problems of unauthorized access to the physical console go away if there isn’t one!

That makes auto logon safer if you’re operating a virtual machine. In that situation, you don’t have to worry about anyone using your computer without having to authenticate first (via RDP or some other remote access technology).

Tip #3: Only set up auto logon for a local account — avoid using a domain account

As described in risk #2, it’s possible for an administrator to discover your password when auto logon is enabled. That’s a significant weakness that should not be ignored.

However, the vulnerability is diminished if the auto-logon user has local access only.

If that’s the case, even if a malicious administrator discovers the password, that doesn’t open any new attack surfaces for the device. After all, the attacker is already an administrator — who has full access to the machine. Giving him control of a local account doesn’t add much.

However, it may be a big problem if the auto-logon user is a domain account — with access to other computers. Cracking the password could have serious ramifications because it would allow the attacker to sign in to other devices on your network. Please do your best to avoid that predicament by limiting the scope of the auto-logon user.
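A read-only audit of the settings behind Risk #2 and Tip #3, added here as an example (it is not Core Technologies' code). It assumes the standard Winlogon value names AutoAdminLogon, DefaultUserName, DefaultDomainName and DefaultPassword, which the page shows only in a screenshot; the function name Get-AutoLogonAudit is hypothetical.

```powershell
# Added example: read-only audit of the Windows auto logon settings.
# It reports whether a plain-text password value exists, never its content.
function Get-AutoLogonAudit {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $w = Get-ItemProperty -Path $key

    $enabled = ($w.AutoAdminLogon -eq '1')
    $user    = [string]$w.DefaultUserName
    $domain  = [string]$w.DefaultDomainName

    # DefaultUserName may itself be written as DOMAIN\user.
    if ($user -match '^(?<d>[^\\]+)\\(?<u>.+)$') {
        $domain = $Matches['d']
        $user   = $Matches['u']
    }

    # A manual regedit setup leaves the password in this value in plain text.
    $plainText = -not [string]::IsNullOrEmpty([string]$w.DefaultPassword)

    # Treat the account as local when there is no domain, the domain is ".",
    # or it equals this machine's name. A user@domain name is never local.
    $isLocal = ($user -notlike '*@*') -and (
        [string]::IsNullOrEmpty($domain) -or
        $domain -eq '.' -or
        $domain -ieq $env:COMPUTERNAME)

    $findings = @()
    if ($plainText) {
        # Flag this even when auto logon is off: a leftover value still leaks.
        $findings += 'Plain-text DefaultPassword value present (Risk #2): remove it and use Autologon or netplwiz.'
    }
    if ($enabled -and -not $plainText) {
        $findings += 'Password is held as an LSA secret: readable by any administrator (Risk #2).'
    }
    if ($enabled -and -not $isLocal) {
        $findings += 'Auto-logon account is not a local account (Tip #3).'
    }
    if (-not $enabled -and -not $plainText) {
        $findings += 'Auto logon is not enabled.'
    }

    [pscustomobject]@{
        AutoLogonEnabled  = $enabled
        User              = $user
        Domain            = $domain
        LocalAccount      = $isLocal
        PlainTextPassword = $plainText
        Findings          = $findings
    }
}

Get-AutoLogonAudit | Format-List
```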

Tip #4: Set a unique password for the auto-logon account

In conjunction with limiting auto logon to a local user only, be sure to specify a unique password for the account. That way, if the password is cracked, it cannot be used to infiltrate another system.

Yes — this is simply good, common sense password hygiene that we should practice in all situations. Nevertheless, we call it out here for emphasis.

Tip #5: Don’t enable auto logon on your portable device

You should never bypass the login screen on your laptop or portable device. What if it gets stolen? If so, the lucky thief would have easy access to all your files, emails, contacts and other precious data. Just don’t do it.


What are the alternatives to automatically logging in to my computer?

If your objective is to start one or more applications automatically when your computer boots, there are a couple of alternatives to auto logon.

Alternative #1: Run your important applications 24/7 as Windows Services

The Windows Services architecture is Microsoft’s premier solution for software that must run all the time. As a Windows Service, your application will start at boot — before anyone logs on — and run continuously in the background.

There are two ways for you to leverage the Windows Services infrastructure:

  1. Convert your application to a native Windows Service. This involves updating the application’s code to integrate it with the Windows Services Control Manager (SCM).

    Unfortunately, that can be an expensive and complex undertaking. Indeed, if you’re not a programmer (or don’t have access to programming resources) it may not be a viable option for you.

  2. Employ a “service wrapper” to run your application in the context of a Windows Service. You won’t have to update your application’s code or do anything like that. Simply provide your application to the wrapper and the wrapper will take care of the rest.

    For example, our AlwaysUp program is a service wrapper that will start any application at boot and keep it running 24/7/365, even in the face of crashes, hangs and other interruptions. For your convenience, AlwaysUp comes with a free 30-day trial — so that you can make sure it works well for you before you spend any money.


Alternative #2: Launch programs with Task Scheduler

You can also start a program at boot using the Windows Task Scheduler.

Even though a scheduled task isn’t as robust as a Windows Service — you can read about the differences when compared to AlwaysUp, if you’re curious — the Task Scheduler can cover basic situations.

To set up a task to launch your program at boot, open the Task Scheduler (“schtasks.exe”), click the Create Basic Task link on the right and follow the self-explanatory prompts.

Create a basic task with the Task Scheduler

Questions or concerns about auto logon? Let us know

Hopefully you now have a better understanding of how automatic logon works. On the other hand, if you have any questions that were not covered, please don’t hesitate to get in touch. Our experienced technical team will try to help.

Stay safe out there!

Posted in Windows

ServiceTray 5.1: Improvements to Help you Control any Windows Service from a Taskbar Icon

ServiceTray 5.1 is out!

This release includes several enhancements requested by folks using the software to control their Windows Services. Here’s a quick rundown of what’s new:

You’ve got three more taskbar icons to choose from

One of the most common requests was for more taskbar icons. To fulfill that need, we added 3 more, bringing the total available to 9.

You can see the new icons in this screenshot:

3 new taskbar icons are available

You can choose a different icon for each state of the service

Previous versions of ServiceTray displayed a single icon on the taskbar. The color of the icon would indicate the state of the service — green for running, red for stopped and yellow for anything else.

That visual system works well for most folks but relying on color as the differentiator falls short if you’re color blind. Indeed, if you’re one of the 300 million affected, you may not be able to tell when your service is running and when it has stopped!

To address our oversight, ServiceTray 5.1 allows you to choose different icons/shapes for the states of the service. When creating a shortcut, just click the Customize button and select the icons you want to see:

Select an icon for each service state

After clicking OK, you’ll see your choices on the main window:

Multiple taskbar icons chosen

Note that you can click the Reset link to clear your selection or click the Customize button to change them.

You can easily see CPU usage, uptime, and other service information

Want to see how your service is doing? ServiceTray can help there too.

Select Service Information from the menu:

DbxSvc tray icon: Select Service Information

The Service Information window will come up to show you:

  • The process identifier (PID) of the application launched by the service;

  • How much CPU the service is consuming;

  • The service’s memory footprint;

  • The time when the service started;

  • How long the service has been running (uptime).

For example, here’s what ServiceTray tells us about the Dropbox Service (DbxSvc) running on our test server:

DbxSvc Service Information

Other fixes & improvements

  • For improved clarity, the name of the Windows Service is mentioned in the tray menu entries. That’s helpful when you’ve installed multiple ServiceTray icons on the taskbar.

  • If the service is not installed when ServiceTray starts, ServiceTray will report the problem and exit. If someone uninstalls the service while ServiceTray is running, ServiceTray will show the yellow icon and no service operations will be available.

  • We enlarged the text and icons on the taskbar tray menu, to improve readability. You may not need your glasses anymore. 🙂

As usual, please review the release notes for the full list of features, fixes and improvements included in ServiceTray version 5.1.

Enjoy!

Posted in ServiceTray

AlwaysUp Feature Spotlight: Run your App Without Admin Rights

Run your App Without Admin Rights

Why should I run my application without admin rights?

A Windows Service typically runs in an account with extensive/elevated rights. In fact, most services run as LocalSystem — a built-in account with near total control of the computer.

But that power isn’t granted lightly. It’s actually given out of necessity.

The reality is that a service often requires broad access to your computer to tackle its complex tasks — like interrogating the network, terminating rogue processes or checking RAM levels. Unfortunately, working in a normal, non-admin context won’t cut it.

But even though it’s needed, there are serious risks when operating with so much latitude. That’s because awful things can happen if a fully-empowered service is compromised or becomes infected with malware!

Running applications without admin rights is safer

As reported by SoftPedia in 2015, almost all of the vulnerabilities detected in Windows could have been avoided by removing administrator rights from the programs involved:

Critical vulnerabilities involving admin rights

That is, running programs without administrator rights substantially reduces risk and makes your PC much safer to use.


How do I make AlwaysUp start my application with basic rights only?

It’s easy to make AlwaysUp launch your program with normal, unelevated rights. To do so:

  1. Edit your application in AlwaysUp (select Application > Edit/View from the menu).

  2. Move to the Logon tab.

  3. Check the Launch the application without admin rights box:

    Launch your app without admin rights
  4. Save your changes.

The next time your AlwaysUp service starts, it will launch your application with basic rights only.


What are your best tips for running my application without admin rights?

Tip #1: Test thoroughly

Are you sure that your application works properly without administrative rights? Unfortunately, not all applications do.

Be sure to test all functionality and confirm.

For example, can your application still read and write to the file system? Or will it fail because it cannot communicate with another program running in a different security context?

Tip #2: Examine your application’s security groups with Process Explorer

If you want to inspect your application’s permissions, you can open your app in Process Explorer and review the Security tab.

For example, here’s OneDrive running without admin rights. You can see that:

  1. The integrity level is Medium, indicating that the process isn’t elevated;

  2. The user has been denied access to well-known administrative groups, like “Administrators” and “Power Users”:

    OneDrive running without admin rights

Also, many of the low-level privileges are disabled.
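A scripted version of the Process Explorer check in Tip #2, as an added example that is not part of AlwaysUp or the original post. It inspects the token of the process it runs in, so it assumes you launch it in the same context as your application; the function name Get-TokenElevationSummary is hypothetical.

```powershell
# Added example: summarise the integrity level and Administrators membership
# of the current process token, using whoami and the .NET principal classes.
function Get-TokenElevationSummary {
    # /nh drops the header row (its text is localised), so name the columns here.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes

    # Well-known mandatory label SIDs.
    $levels = @{
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }
    $label = $groups |
        Where-Object { $levels.ContainsKey($_.SID) } |
        Select-Object -First 1
    $integrity = if ($label) { $levels[$label.SID] } else { 'Unknown' }

    # BUILTIN\Administrators. It can appear in the token yet be deny-only,
    # which is what Process Explorer shows for an unelevated process.
    $adminSid = 'S-1-5-32-544'
    $adminListed = [bool]($groups | Where-Object { $_.SID -eq $adminSid })

    # IsInRole returns $false when the group is absent or deny-only.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $adminActive = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User                = $identity.Name
        IntegrityLevel      = $integrity
        AdministratorsInSet = $adminListed
        AdministratorsInUse = $adminActive
        Elevated            = ($adminActive -or $integrity -in 'High', 'System')
    }
}

Get-TokenElevationSummary | Format-List
```

An unelevated launch should report a Medium integrity level with AdministratorsInUse and Elevated both False.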


Posted in AlwaysUp

Q&A: How do I make AlwaysUp run my Batch File as a Windows Service?

  We purchased AlwaysUp to run a batch file that runs a web front end for a database. But when we plug it in it doesn’t work. AlwaysUp tries to run the script but gives up after five tries.

The script contains a couple of commands:

cd "C:\Program Files\Simtec Viewer"
start /max simtecw.exe

Is there a way to get it to run constantly, as a service?

— Roy W.

Hi Roy, thanks for purchasing AlwaysUp. We really appreciate your support!

Thanks also for including the batch file in your support request. Because of that, we were able to spot exactly what’s going wrong for you.

Let’s dig into the problem and highlight the solution.

The problem: The “start” command doesn’t wait for your application to finish

AlwaysUp has trouble because of how the batch file launches your executable — with the Windows start command.

Most importantly, the start command is non-blocking. That is, after it launches your application, it exits. It doesn’t wait for your application to complete its work and close.

With that understanding of the start command in place, here’s how things play out when you start your batch file entry in AlwaysUp:

  1. Your AlwaysUp Windows Service starts

  2. AlwaysUp launches your batch file

  3. The batch file executes

  4. The batch file runs the “cd” command, which changes the working directory to “C:\Program Files\Simtec Viewer”.

  5. The batch file runs “start /max simtecw.exe”

  6. The start command launches “simtecw.exe”

  7. The start command exits

  8. The batch file exits

  9. AlwaysUp detects that the batch file has exited

  10. AlwaysUp restarts the batch file (as configured on the Restart tab)

  11. Repeat the cycle, starting at step 3

After five attempts, AlwaysUp gives up at step 10 and shuts down the Windows Service. Your run ends in failure — all the time.

Fortunately the fix is very simple. You just need to add 6 characters to your script to make it work as desired with AlwaysUp. 🙂

The solution: Make the “start” command wait for your application to finish

The key is to get the start command to block while your main executable is running. That way the script won’t exit immediately and AlwaysUp won’t try to restart it again and again.

To get the start command to block, simply add the /wait parameter to the command line, like this:

start /max /wait simtecw.exe

And with that adjustment, a healthier pattern should unfold when you start the batch file in AlwaysUp:

  1. Your AlwaysUp Windows Service starts

  2. AlwaysUp launches your batch file

  3. The batch file executes

  4. The batch file runs the “cd” command, which changes the working directory to “C:\Program Files\Simtec Viewer”.

  5. The batch file runs “start /max /wait simtecw.exe”

  6. The start command launches “simtecw.exe”

  7. The start command blocks waiting for “simtecw.exe” to exit

  8. “simtecw.exe” exits

  9. The start command exits

  10. The batch file exits

  11. AlwaysUp detects that the batch file has exited

  12. AlwaysUp restarts the batch file (as configured on the Restart tab)

  13. Go to step 3

The end result is that AlwaysUp will run your executable 24/7, quickly restarting it if it crashes or stops for any reason.

And you’ll be able to rest assured, knowing that AlwaysUp is on the case!

Posted in AlwaysUp