Guest Will Posted March 3, 2008 Posted March 3, 2008 On a Windows 2003 server, I am logged in as an ordinary user and am trying to execute an Intuit application. I am getting an immediate failure when trying to start the application from its program group in the form of a modal dialog that says: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Normally I am very good at debugging through security problems on file ACLs. In this case though I am perplexed. The eventviewer has failures for the 560 open attempt on the executable that is as follows: Object Open: Object Server: Security Object Type: File Object Name: C:\Program Files\Quicken Legal Business Pro 2008\qlb.exe Handle ID: - Operation ID: {0,1688114} Process ID: 3796 Image File Name: C:\WINDOWS\explorer.exe Primary User Name: myordinaryuseraccount Primary Domain: MYDOM Primary Logon ID: (0x0,0x15CE70) Client User Name: - Client Domain: - Client Logon ID: - Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Privileges: - Restricted Sid Count: 0 Access Mask: 0x120089 My ordinary user account has these permissions selected by indirect access give to Users group of: Execute File Read Data Read Attributes Read Extended Attributes Write Attributes So why is the application refusing to start up? And why is Eventviewer logging a 560 event code failure on the executable above when I have all of the listed permissions required? Note I get the above failure even if I give the local Users group FULL CONTROL access to the applications subtree! -- Will
Guest Will Posted March 3, 2008 Posted March 3, 2008 Re: Cannot Start Executable I solved this problem by using the Standard User Analyzer application in the Microsoft Application Compatibility Toolkit 5.0. I don't understand why, but the security log messages in eventviewer were wrong and left out all of the important facts. The real problem was a failure to create two temporary files in the program folder. So why isn't eventviewer recording that failure to create those specific files instead of this very generic message shown below?! I solved the problem by giving the Users group an additional create file permission in just the root folder of the application's installed program folder, and adding Full Control permission for CREATOR OWNER. It looks like Standard User Analyzer is going to become one of my best references for these problems, and it looks like EventViewer is not giving very good information and needs some work. -- Will "Will" <westes-usc@noemail.nospam> wrote in message news:P_6dnWfAwZaJ8FbanZ2dnUVZ_tuonZ2d@giganews.com... > On a Windows 2003 server, I am logged in as an ordinary user and am trying > to execute an Intuit application. I am getting an immediate failure > when trying to start the application from its program group in the form of > a modal dialog that says: > > "Windows cannot access the specified device, path, or file. You may > not have the appropriate permissions to access the item." > > Normally I am very good at debugging through security problems on file > ACLs. In this case though I am perplexed. The eventviewer has failures > for the 560 open attempt on the executable that is as follows: > > Object Open: > Object Server: Security > Object Type: File > Object Name: C:\Program Files\Quicken Legal Business Pro 2008\qlb.exe > Handle ID: - > Operation ID: {0,1688114} > Process ID: 3796 > Image File Name: C:\WINDOWS\explorer.exe > Primary User Name: myordinaryuseraccount > Primary Domain: MYDOM > Primary Logon ID: (0x0,0x15CE70) > Client User Name: - > Client Domain: - > Client Logon ID: - > Accesses: READ_CONTROL > SYNCHRONIZE > ReadData (or ListDirectory) > ReadEA > ReadAttributes > > Privileges: - > Restricted Sid Count: 0 > Access Mask: 0x120089 > > > My ordinary user account has these permissions selected by indirect access > give to Users group of: > > Execute File > Read Data > Read Attributes > Read Extended Attributes > Write Attributes > > So why is the application refusing to start up? And why is Eventviewer > logging a 560 event code failure on the executable above when I have all > of the listed permissions required? > > Note I get the above failure even if I give the local Users group FULL > CONTROL access to the applications subtree! > > -- > Will
Recommended Posts