A customer looking to run OneDrive as a Windows Service with AlwaysUp recently contacted our support team for help. Even though he had diligently followed our step-by-step tutorial, his files were not being synchronized as intended. OneDrive refused to refused to work as a service!
After confirming that his files were not being copied, our support team launched OneDrive “in this session” — to see the normal tray icon and check if an error was being reported. We were greeted by this puzzling error message:
So it seems that OneDrive doesn’t like to be run with admin rights. And the customer’s account was a member of the Administrators group — which is recommended for smooth operation as a Windows Service with AlwaysUp.
UAC enables an administrator to run OneDrive normally
But why does OneDrive work at all in the customer’s admin account? Why doesn’t the software complain when he starts OneDrive normally on his desktop?
The answer lies with Microsoft’s User Account Control (UAC) security feature. By default, applications started interactively are run with lower, non-admin privileges. This happens for all accounts — even for administrators. OneDrive seems to require that lower privilege context to do its work. Indeed, in this OneDrive desktop FAQ, Microsoft confirms that UAC is what enables OneDrive to be started by an administrator. If we removed UAC from the equation (by by right-clicking on OneDrive.exe and selecting “Run as administrator”) we were able to reproduce the error straightaway.
But while UAC restricts rights for the desktop user, UAC is not in play when running in the context of a windows service. Services are always run with the highest privileges. We must find a way for our customer to start OneDrive with reduced rights to avoid the error.
How to launch OneDrive with reduced rights from AlwaysUp
Our new Run with Restricted Rights command-line utility comes to the rescue. Here are the steps we performed to get the customer up and running:
where [USER-NAME] is the name of your Windows account.
Save your settings.
With this new setup, AlwaysUp will start RunWithRestrictedRights.exe, which will launch OneDrive with diminished permissions. You should not see the “full administrator rights” error anymore.
Note that we plan to add the capability to run an application with diminished rights directly from AlwaysUp. That feature will probably included in AlwaysUp version 10.3, which should released to all customers in September/October.
AlwaysUp is designed to run OneDrive all the time — starting it when your PC boots and keeping synchronization going 24×7 despite failures or other unexpected interruptions. You don’t even need to log on!
But to gain those benefits, AlwaysUp must launch OneDrive in the background as a Windows Service. In that situation, described in our tutorial showing how to setup OneDrive as a Windows Service, OneDrive’s usual “cloud” icon won’t appear on your taskbar. You won’t see the informative icon overlays beside the files and folders being synchronized either. And without those visual elements, how do you know that your important files and folders are being copied to and from the cloud?
Perform this easy 4-step test to prove that your files are protected:
Start OneDrive in AlwaysUp
From AlwaysUp, select “Start OneDrive” from the “Application” menu:
Your service should transition to Running after a few seconds. Clicking on the green circle should reveal details of the running process:
OneDrive can take a while to initialize itself — especially if it has a long list of files and folders to synchronize. This is a good opportunity for you to:
Respond to that annoying email you’ve been trying to forget.
OneDrive should be ready and waiting when you return.
Create a new file in your OneDrive folder
Open your OneDrive folder in Windows Explorer. Right-click in the files area (on the right), select New > Text Document and give the file a suitable name:
We called our file “TestSync.txt”:
Login to OneDrive online and confirm that the new file is there
Sign in to your OneDrive account and browse to your files. The new text file should be listed, as it was for us:
If you don’t see the new file, do a few more stretches and try again. Sometimes OneDrive can be a bit slow…
What should I do if my file didn’t show up?
If your new file wasn’t listed online, something is definitely wrong with your setup. We’re here to help! Please get in touch so that we can get you going ASAP.
Last month we released a new version of our popular run-anything-as-a-windows-service software, AlwaysUp. Everything was going smoothly — until we encountered a very alarming situation while testing the new software on Windows 10!
After downloading the new AlwaysUp installation executable with Microsoft Edge, the browser asserted that “AlwaysUp_Installer.exe is not commonly downloaded and may harm your computer”. WHAT??
Clicking the Actions button gave us the option to “Run Anyway”, and the installation completed without further incident, but the whole experience left our team worried and full of questions. Specifically:
Why did this suddenly start happening?
How will our customers react to Microsoft’s unfounded suspicions?
And most importantly, how do we get rid of the chilling warnings?
SmartScreen Complains because our Software is “New”
Apparently we’re not the only developers tormented by SmartScreen. Warnings are common, especially for small software companies like ours. The “Criticism” section of the Wikipedia article on SmartScreen Filter says it best:
SmartScreen Filter creates a problem for small software vendors when they distribute an updated version of installation or binary files over the internet. Whenever an updated version is released, SmartScreen responds by stating that the file is not commonly downloaded and can therefore install harmful files on your system.
Only a Few Customers are Blocked by SmartScreen Filter
To date, only one customer has asked about SmartScreen’s warning. We had expected hundreds! Fortunately there are a few reasons why many customers aren’t being tripped up by Microsoft’s overly cautious approach:
Our products are digitally signed for security and authenticity. SmartScreen takes this as a positive sign and is likely to avoid prompting all customers all the time.
Prior to Windows 8, SmartScreen Filter was a part of Internet Explorer. Thus customers using Chrome or Firefox on Windows 7 and Server 2008 will never encounter SmartScreen warnings.
After testing downloads on Windows 8, 10 and Windows Server 2012 and 2016, we only received warnings on Windows 10 with Edge.
So it seems that SmartScreen warnings are largely limited to customers using Internet Explorer or Edge. Metrics gathered from our website (via the incredibly useful StatCounter) tell us that only about 11% of all visitors are using those browsers:
Time (and Good Behavior) will Disarm SmartScreen Filter
We hoped for a simple solution: Inform Microsoft that our software is 100% safe and they would promptly update their SmartScreen database to remove all warnings. All would be right with the world. But SmartScreen doesn’t work like that.
SmartScreen is reputation based. Each time someone downloads our software package and declares that it is safe to install, that executable gains some positive reputation. Once enough people have successfully installed and the accumulated reputation crosses some magic threshold, the warnings disappear. Only an established track record of doing no harm will halt the SmartScreen dogs.
Indeed, after a couple of weeks the warnings for AlwaysUp version 10 seems to have gone away:
A new command line switch to grant the service user access to the current desktop was introduced.
When stopping a group of services, an alert is no longer shown when a long-lived service exceeds the 1-minute time limit.
If necessary, the service account is now granted full access to the window station and desktop objects when starting in the current session.
As usual, please review the version history for the full list of features, fixes and improvements included in this release.
Upgrading to AlwaysUp Version 10
As per our upgrade policy, customers who purchased AlwaysUp 9 (after September 2014) can upgrade to version 10 at no additional cost. Just download and install “over the top” to preserve your existing applications an all settings. Your registration code will continue to work.
Automatic software updates are usually very welcome. You get bug fixes, security enhancements and the latest and greatest features, all without lifting a finger!
But automatic updates have a dark side as well. What happens if an update, which usually involves shutting down the software, takes place at a “bad” time and interrupts the application when it is busy with an important task? Or worse — what if a newly updated version introduces a defect that causes the software to fail in the wee hours of the morning when no one is there to fix it? The potential for problems like these should give anyone operating a 24×7 environment serious pause when weighing the pros and cons of automatic updates!
Such is the dilemma facing our customers running OneDrive 24×7 as a Windows Service with AlwaysUp. As seen in the screenshot of the OneDrive installation procedure above, OneDrive is free to download and install updates whenever it likes. But perhaps we can do something about that…
OneDrive is Auto Updated by a Scheduled Task
A little detective work using Microsoft’s excellent autoruns utility led us to realize that OneDrive installs a scheduled task called OneDrive Standalone Update Task v2 to perform its updates. Here it is in the Task Scheduler — configured to run “OneDriveStandaloneUpdater.exe” once daily when the Administrator is logged on:
The task’s history confirms that the update check is indeed firing at a random time each day:
This is how OneDrive updates itself!
Disable the Scheduled Task to Prevent OneDrive Auto Updates
To prevent OneDrive from automatically updating itself, simply disable the scheduled task. Right-click on the entry in the Task Scheduler and select Disable from the context menu to do the trick:
With the task disabled, the auto-update will no longer run and you will be stuck with the version of OneDrive currently installed. Great!
Now please don’t forget to update OneDrive occasionally — to get those important bug fixes, security enhancements and exciting new features. But do so in a safe, controlled environment at a time of your choosing, when you can perform the necessary testing and avoid unwelcome surprises.
May 2024 Update
The current version of OneDrive still installs a scheduled task to automatically update OneDrive. But, as described in the documentation from Microsoft, the OneDrive executable now downloads and installs updates automatically:
The OneDrive sync app checks for available updates every 24 hours when it’s running. If it stops and doesn’t check for updates in more than 24 hours, the sync app checks for updates as soon as it starts.
As a result, disabling the scheduled task will only prevent automatic updates when OneDrive isn’t running.
(888) 881-CORE
The OneDrive sync app checks for available updates every 24 hours when it’s running. If it stops and doesn’t check for updates in more than 24 hours, the sync app checks for updates as soon as it starts.
