diagnostics icon indicating copy to clipboard operation
diagnostics copied to clipboard

Published 20 hours ago verified publisher icon dotnet

Access Denied (5)

Open mjanulaitis opened this issue 1 year ago • 8 comments

I am trying to generate a dump file for a .Net 7 Windows Service running with a service account. When I run a command prompt as an administrator then run the dump command, I get the following error:

dotnet-dump collect -p [PROCESS_ID]
Writing full to c:\Temp\dump_[DATE]_[TIME].dmp
Invalid process id [PROCESS_ID] - Access is denied. (5)

I have verified the process ID is running. I expect the command to successfully generate the dump file.

Configuration

The Windows Service is running as with service account. Microsoft Windows [Version 10.0.14393] .Net SDK v7.0.405 x64

mjanulaitis avatar Jan 15 '24 15:01 mjanulaitis

If your service or app is running as superuser, then you need to run dotnet-dump collect as administrator.

mikem8361 avatar Jan 15 '24 20:01 mikem8361

@mikem8361 Yes, notice in my comment I say "When I run a command prompt as an administrator"

mjanulaitis avatar Jan 16 '24 11:01 mjanulaitis

Sorry I missed that.

mikem8361 avatar Jan 16 '24 17:01 mikem8361

I think the problem might be that running as a service isn't accessible from a administrator command prompt. They are different levels of privilege on Windows.

@hoyosjs do you know for sure?

mikem8361 avatar Jan 16 '24 23:01 mikem8361

Our pipes should be accessible by the LocalSystem account, administrators, and the creator owner (running user). That being said I'm surprised that the administrator account wasn't able to communicate properly. I'd have to check.

hoyosjs avatar Jan 17 '24 02:01 hoyosjs

Our diag pipes are not used on Windows by dotnet-dump. It calls MiniDumpWriteDump directly.

mikem8361 avatar Jan 17 '24 02:01 mikem8361

tl;dr

Solution (workaround): run DEL /S %TEMP%\system-commandline-sentinel-files before dotnet-dump

Details:

I had (have) exactly this problem (error message) with dotnet-dump 8.0.510501+8c08c89a0643d31db91e119b1adb463be3e0ffe5

I called "dotnet-dump collect -p <pid>" from interactive elevated console (cmd.exe) run by an admin user account (member of Administrators). In my case <pid> was the process id of an windows service, too.

Deleting the profile (of my admin user) solved the problem for exactly one next call. I could track this down to a temporary file containing an error message. After deleting this file I could successfully execute dotnet-dump again (works immediately):

"%TEMP%\system-commandline-sentinel-files\dotnet-suggest-registration-dotnet-dump, Version=8.0.10.10501, Culture=neutral, PublicKeyToken=31bf3856ad364e35"

resp.

"%USERPROFILE%\AppData\Local\Temp\system-commandline-sentinel-files\dotnet-suggest-registration-dotnet-dump, Version=8.0.10.10501, Culture=neutral, PublicKeyToken=31bf3856ad364e35"

File contents:

Exception during registration:
System.ComponentModel.Win32Exception (2): An error occurred trying to start process 'dotnet-suggest' with working directory 'C:\Windows\system32'. The system cannot find the file specified.
   at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
   at System.Diagnostics.Process.Start()
   at System.CommandLine.Invocation.Process.StartProcess(String command, String args, String workingDir, Action`1 stdOut, Action`1 stdErr, ValueTuple`2[] environmentVariables)
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<RegisterWithDotnetSuggest>b__10_1>d.MoveNext()

StefanBertels avatar Mar 15 '24 11:03 StefanBertels

We know how to fix this problem. I'll try to get the fix into the next release of the tooling.

mikem8361 avatar Mar 15 '24 20:03 mikem8361

Fixed in the next tools release which is this week or next.

mikem8361 avatar Jun 06 '24 21:06 mikem8361