
OpenEvent/OpenFileMapping fails with ERROR_ACCESS_DENIED

I'm developing an open source .NET assembly (WinSCP .NET assembly) that spawns a native (C++) application and communicates with it via events and file mapping objects.

The assembly spawns the application using the Process class, with no special settings. The assembly creates a few events (using the EventWaitHandle) and a file mapping (using the PInvoked CreateFileMapping), and the application "opens" these using OpenEvent and OpenFileMapping.

It works fine in most cases. But now I have a user who uses the assembly from an ASPX application on 64-bit Windows Server 2008 R2.

In his case both OpenEvent and OpenFileMapping return NULL and GetLastError returns ERROR_ACCESS_DENIED.

I have tried to improve the assembly code by explicitly granting the current user the necessary permissions to the event objects, and the application code to require only the really needed access rights (instead of the original EVENT_ALL_ACCESS), as per the Microsoft Docs example. It didn't help. So I did not even bother to try the same for the file mapping object.

The C# code that creates the event is:

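using System;
using System.Security.AccessControl;
using System.Threading;

EventWaitHandleSecurity security = new EventWaitHandleSecurity();

// Account name as seen by the current thread.
string user = Environment.UserDomainName + "\\" + Environment.UserName;

// Allow that user to wait on and signal the event.
EventWaitHandleAccessRule rule;
rule =
    new EventWaitHandleAccessRule(
        user, EventWaitHandleRights.Synchronize | EventWaitHandleRights.Modify,
        AccessControlType.Allow);
security.AddAccessRule(rule);
// Deny the same user the right to change the event's permissions.
rule =
    new EventWaitHandleAccessRule(
        user, EventWaitHandleRights.ChangePermissions, AccessControlType.Deny);
security.AddAccessRule(rule);

// name is the event name shared with the native application.
bool createdNew;
new EventWaitHandle(
    false, EventResetMode.AutoReset, name, out createdNew, security);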

The C++ code that "opens" the events is:

OpenEvent(EVENT_MODIFY_STATE, false, name);

(For other events the access level is SYNCHRONIZE, depending on needs).

I have also tried to add the Global\ prefix to the object names. As expected, this didn't solve the problem.

Does anyone have any idea what causes the "access denied" error in OpenEvent (or CreateFileMapping)?

Martin Prikryl asked Sep 24 '14 14:09


1 Answer

My guess is that the event is created by either the anonymous user or the logged-in user, depending on how the website is set up. But the sub-process is being launched with the base process user. This can be checked by using Process Monitor and looking at the ACL for the event handle to see who the creator is. Then look at the sub-process to see who it is running as.
If this is the case, then you can update the ACL on the event to include the base process. In addition to this, you may still need to prefix with "global" to make sure that the event can be used across user boundaries.

Mike answered Oct 17 '22 07:10
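
One way to apply the ACL change suggested in the answer, as an added example that is not code from the original post or from the WinSCP .NET assembly. It assumes .NET Framework, that the mismatch comes from ASP.NET thread impersonation, and that the child process runs under the worker process token; SharedEventFactory and its members are hypothetical names.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Threading;

// Hypothetical helper, not part of the WinSCP .NET assembly.
static class SharedEventFactory
{
    const EventWaitHandleRights Needed =
        EventWaitHandleRights.Synchronize | EventWaitHandleRights.Modify;

    // SID of the user the current thread runs as (the impersonated user, if any).
    static SecurityIdentifier GetThreadUserSid()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
            return identity.User;
    }

    // SID of the process token. Assumption: a child started with Process.Start
    // and no explicit credentials runs under this token, not the impersonated one.
    static SecurityIdentifier GetProcessUserSid()
    {
        // .NET Framework: Impersonate(IntPtr.Zero) reverts to the process
        // token until the returned context is disposed.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
            return identity.User;
    }

    public static EventWaitHandle Create(string name, out bool createdNew)
    {
        SecurityIdentifier threadSid = GetThreadUserSid();
        SecurityIdentifier processSid = GetProcessUserSid();
        var security = new EventWaitHandleSecurity();
        security.AddAccessRule(new EventWaitHandleAccessRule(
            threadSid, Needed, AccessControlType.Allow));
        if (processSid != threadSid)
        {
            // Impersonation is active: also let the process identity open the event.
            security.AddAccessRule(new EventWaitHandleAccessRule(
                processSid, Needed, AccessControlType.Allow));
        }

        // The descriptor is applied only if this call creates the object;
        // when createdNew is false an existing event keeps its own ACL.
        return new EventWaitHandle(
            false, EventResetMode.AutoReset, name, out createdNew, security);
    }
}
```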