Bug 41564 - service.bat does not install tomcat as a service properly on Windows Vista
service.bat does not install tomcat as a service properly on Windows Vista
Status: RESOLVED FIXED
Product: Tomcat 5
Classification: Unclassified
Component: Native:Packaging
5.5.20
PC other
: P3 major (vote)
: ---
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2007-02-07 19:07 UTC by Andreas Knecht
Modified: 2009-07-18 05:04 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Knecht 2007-02-07 19:07:26 UTC
For our issue see <a
href="http://jira.atlassian.com/browse/JRA-12109">JRA-12109</a>.  

The service.bat file included in Tomcat fails to install Tomcat as a service
properly in Windows Vista. Vista has changed the implementation of services and
the current services.bat does not do an adequate job at installing Tomcat as a
service.

The service gets added to the list of services, but it can't be started, stopped
or removed. (due to service privileges missing)
Comment 1 Yoav Shapira 2007-03-25 09:33:48 UTC
Can you help us out please?  I don't have Windows Vista to develop a patch on.
Comment 2 Rich Zeliff 2007-12-12 08:18:20 UTC
Updating with current information:  this problem still exists with Tomcat 5.5.25
and Tomcat 6.0.14.   

The MSI for each, however, works fine.
Comment 3 Bogdan 2008-07-20 22:32:41 UTC
FYI.
I've just managed to install Tomcat 6.0.16 as a service on Vista Business.

Also, the issue seems to be specific to Vista as Tomcat 5.5 can installed as a service on Windows 2008
Comment 4 Bogdan 2008-07-21 16:56:46 UTC
Vista with User Account Control (UAC) running causes a problem. Vista normally runs everybody ( including administrators ) in a non-administrative mode.
This provides additional security and makes it more difficult for intruders to run programs requiring administrative privileges.

Currently, there are two possible workaround that allow to install the windows service successfully:

The first option - Temporary disable UAC
1. Temporary disable UAC (restart of OS required). It is done from

    * run "msconfig" > tools > disable UAC or
    * Start > Control Panel > User Accounts > Turn User Account Control on or off
1. Install Tomcat.
      3. Enable UAC - as per 2.
      4. Restart OS

The second option - create a bat file and execute it as admin

   1. Create a bat file that installs the service as per http://tomcat.apache.org/tomcat-5.5-doc/windows-service-howto.html
   2. Click right button of mouse and select "Run as administrator"

I've tried to initiate the installer with "Run as administrator", although it failed to install the service.
Comment 5 Bogdan 2008-07-21 17:15:41 UTC
FYI. Microsoft Windows Vista 30-Day Eval VHD - http://www.microsoft.com/downloads/details.aspx?FamilyID=c2c27337-d4d1-4b9b-926d-86493c7da1aa&DisplayLang=en

:D
Comment 6 William A. Rowe Jr. 2009-05-26 11:21:12 UTC
The Microsoft Windows Installer schema for the CustomAction table (used to
run .bat, .exe. .vbs or whatever) has a specific 'Type' bit 2048 to cause
msidbCustomActionTypeNoImpersonate so the step runs at LocalSystem privilege.

http://msdn.microsoft.com/en-us/library/aa368062.aspx
http://msdn.microsoft.com/en-us/library/aa368069(VS.85).aspx

I guess the Tomcat project is using NullSoft so go there to seek wisdom in how
to resolve process elevation, that team should have already solved this puzzle
(or you picked the wrong installer schema).
Comment 7 William A. Rowe Jr. 2009-05-26 12:09:56 UTC
Reviewing further, I see that service.bat is invoked by the user after install,
and not by the nullsoft installer.

Bogdan is correct in comment #4, however it seems more of a documentation issue.
If the user will be modifying the system environment from a command prompt, they
must do so from an admin cmd.exe shell, and there are only two ways to have one;

1. right click on your cmd.exe ("Command Prompt" icon) and choose "Run as
   Administrator".

2. from the shell, invoke

   runas user:administrator "cmd.exe /k"

   which will open a new admin-privileged shell.

There is no way to associate service.bat with elevation via a .manifest or
otherwise.  Only actual .exe's can be associated.  There is a code elevation
model for invoking programs as admin, see the am_RespawnAsUserAdmin() 
implementation within the ApacheMonitor.exe app (which doesn't want to run-as
admin until it is absolutely required, and certainly not hang for a permission
change each time the user logs in!)  
http://svn.apache.org/repos/asf/httpd/httpd/trunk/support/win32/ApacheMonitor.c
Comment 8 Mladen Turk 2009-05-26 23:31:12 UTC
We could modify the service.bat allowing to call the install
using runas directy.
Think I'll add the command option to service.bat so it can
call runas directly from within the batch file.
Comment 9 Mladen Turk 2009-05-27 01:23:42 UTC
Can you check if the current trunk version works?
You will need to call the service.bat with something like:
service install /user Administrator

Note that you will have to edit the service.bat and replace
all instances of '@VERSION_MAJOR@' with '6'. This is done
automatically by ant during build stage, but you will need to
do a 'search/replace' manually.

The file can be found at:
http://svn.apache.org/repos/asf/tomcat/trunk/bin/service.bat

Regards
Comment 10 Mark Thomas 2009-05-27 10:05:02 UTC
I installed vista on a VM to test this and it doesn't appear to work :(

I did some Googling and, without installing some extras (eg power tools) there is no way to get something to run with admin privs from a batch file on Vista. This was with no service packs installed.

Running cmd as administrator and then invoking service.bat did work.
Comment 11 Mladen Turk 2009-05-27 10:23:52 UTC
Mark, did you tried the new service.bat?

service.bat install /user Administrator

will first ask for admin password and then execute the service.bat again
using admin account. It works perfectly on my 2k8 VM.
Comment 12 Mark Thomas 2009-05-27 10:27:43 UTC
Yep. Fails miserably on vista.
Comment 13 Mladen Turk 2009-05-27 10:39:04 UTC
Well, I tested this on Vista/x86 and Server2k8/amd64 and it
works perfectly on both boxes.

Are you sure you've replaced all @VERSION_MAJOR@ and @VERSION@ strings
with 6 and 6-something respectively?
Comment 14 Mark Thomas 2009-05-27 10:43:57 UTC
Yep. I'm working with a build from trunk.

One thing that might be different. Are you testing this as a non-admin user specifying an administrator user?

I am logged in as an administrator and service.bat fails with or without /user...
I do get prompted for the password when I specify /user...
Comment 15 Mark Thomas 2009-05-27 10:51:25 UTC
Nope. That isn't it. just created a non-Admin user to test this, specified my admin user and the service install still failed.
Comment 16 George Sexton 2009-05-27 11:16:03 UTC
I've found that execute from an MSI drops privileges when you run exec commands.

Execute from an EXE does not drop privileges.
Comment 17 Mark Thomas 2009-07-18 04:31:33 UTC
I've got to the bottom of this. UAC was getting in the way.

Without UAC, the new /user switch works.

With UAC, you have to right-click on cmd.exe and select "Run as administrator"

I'll update the docs.
Comment 18 Mark Thomas 2009-07-18 05:04:49 UTC
I've updated the docs for trunk 6.0.x (will be in 6.0.21) and 5.5.x (will be in 5.5.29).