KS-Soft. Network Management Solutions

RCC action "A required privilege is not held by the cli

 
James65



Joined: 26 Feb 2024
Posts: 8

Posted: Mon Feb 26, 2024 9:33 am    Post subject: RCC action "A required privilege is not held by the cli

Good day,

We have downloaded the latest version 14.28 for evaluation. Everything runs fine, except the action "Execute external program" when running host monitor as a service and connecting using RCC. In the HM system log we can see the following error:

"A required privilege is not held by the client"

We setup as follows:
- Hostmon is started as service using local system
- In hostmon "Options / Startup / Service" we set a local admin account
- When we start the service we can see that account is used for login in application eventlog
- We added the service account in "Replace process level token"
- We set "Change User Account Control settings" to Never notify
- In the action for "Execute External program" we have enabled "run in active console session (if HM started as service)"

We tested on Windows 10 and Windows Server 2022. Are there any more requirements with the latest Windows Updates?

Thanks for any suggestions.

Best regards
Michael
KS-Soft



Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Mon Feb 26, 2024 1:17 pm

Works fine on our Windows 2022 systems.
Could you try to set local admin account for HostMonitor service using Windows Services applet?

It's not related to RCC in any way. Tests and actions are performed by HostMonitor, RCC just provides a remote interface.

Regards
Alex
James65



Joined: 26 Feb 2024
Posts: 8

Posted: Tue Feb 27, 2024 4:02 am

Hi Alex,
Thank you. We have created a new local user hostmon. This user is added to the local administrator group and set in the Windows Services applet as well as in the HM Options service account. Now we get a different error. On executing any external program the HM system log shows "Cannot execute command: Access is denied". The external command we use is just a simple msg command and it works fine when using HM without it being started as a service. So it looks like something more is missing. Do you have any further suggestions to check?

Thanks.

Best regards
Michael
KS-Soft



Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Tue Feb 27, 2024 8:27 am

I think simple msg command is not that simple.
E.g. sometimes it would not start if you use path like C:\WINDOWS\System32\msg.exe while just "msg.exe" will launch program (problem relates to C:\Windows\Sysnative\ folder).
Also it uses remote RPC calls and I think gets data from AD..

If you really need msg.exe, try to modify registry:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
Name : AllowRemoteRPC
Type : REG_DWORD
Value : 1

If you are using msg.exe just for testing, I would suggest to use some other command

Regards
Alex
James65



Joined: 26 Feb 2024
Posts: 8

Posted: Tue Feb 27, 2024 9:24 am

Thanks again. AllowRemoteRPC was already set. It doesn't matter what command we are using, e.g. c:\batch\test.cmd, iisreset, dir >1.txt, etc... Everything returns access denied. "Execute by" is always set to "Hostmonitor".
We have also tried using a domain admin account with same result.
Do you have another example of how to launch an external program?
KS-Soft



Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Tue Feb 27, 2024 10:09 am

It should work out of the box on "stock" Windows (with "Replace process level token"), works on all our systems. I assume some local policy leads to the problem.
We will try to find some information

Regards
Alex
James65



Joined: 26 Feb 2024
Posts: 8

Posted: Tue Feb 27, 2024 10:51 am

Thanks Alex. I also think so. Just notice 2 things:
- when using the built-in administrator account we get again "A required privilege is not held by the client" even though the account is added in "Replace process level token"
- when we disable "User Account Control: Run all administrators in Admin Approval Mode" and reboot we get again "A required privilege is not held by the client" for both local admin accounts.

I will also try to check with a new OS installation and no domain join.
James65



Joined: 26 Feb 2024
Posts: 8

Posted: Wed Feb 28, 2024 5:16 am

Hi Alex,
I created a new Windows Server 2022, only installed HM and ran into the same issue. The solution was to DISABLE "run in active console session (if HM started as service)" in the action. Now it works.
Thanks again for your assistance.

Best regards
Michael
KS-Soft



Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Wed Feb 28, 2024 11:29 am

Oh, my mistake
You said you are using this option in your 1st post and I missed this.

Yes, by default and normally it should be disabled. When it is enabled HostMonitor tries to start program using current user credentials. And this requires some extra permissions when system belongs to domain..

Regards
Alex
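Added example (not from the thread and not KS-Soft code): a Python check of which accounts hold the "Replace a process level token" right that the posts above grant to the service account, run over a constructed sample of a `secedit /export` user-rights file. The inclusion of SeTcbPrivilege is an assumption, since the thread does not say which extra permissions the console-session option needs, and the listed defaults are those of a stock Windows install.

```python
import configparser

# Watched user rights and the principals assumed to hold them by default.
# SeAssignPrimaryTokenPrivilege is "Replace a process level token";
# S-1-5-19 / S-1-5-20 are LOCAL SERVICE / NETWORK SERVICE.
WATCHED = {
    "SeAssignPrimaryTokenPrivilege": {"*S-1-5-19", "*S-1-5-20"},
    "SeTcbPrivilege": set(),  # "Act as part of the operating system" (assumption)
}

# Constructed sample of: secedit /export /cfg rights.inf /areas USER_RIGHTS
# (a real export is UTF-16; read it with open(path, encoding="utf-16")).
SAMPLE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,hostmon
SeTcbPrivilege =
SeServiceLogonRight = *S-1-5-80-0,hostmon
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep privilege names case-sensitive
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {name: [p.strip() for p in value.split(",") if p.strip()]
            for name, value in cp.items("Privilege Rights")}

def holds(rights, account, right):
    """True if the account (name or *SID, case-insensitive) is granted the right."""
    return account.lower() in (p.lower() for p in rights.get(right, []))

def extra_holders(rights):
    """Principals holding a watched right beyond the assumed defaults."""
    return {right: [p for p in rights.get(right, []) if p not in defaults]
            for right, defaults in WATCHED.items()}

if __name__ == "__main__":
    parsed = parse_rights(SAMPLE)
    for right, extras in extra_holders(parsed).items():
        print(f"{right}: non-default holders = {extras or 'none'}")
```

Since the fix in the thread was to disable the action option, the non-default grant this reports for `hostmon` is a candidate for removal once the action works without it.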
All times are GMT - 6 Hours