netsh http add urlacl problem

2

11

I'm trying to set up some ports from a WIX installer. For WinXP we use httpcfg in a custom action and this works fine. For Win7, we're trying:

netsh http add urlacl url=http://127.0.0.1/8346/ user="NT AUTHORITY\Authenticated Users" sddl="D:(A;;GX;;;AU)"

The WIX installer correctly executes this statement and sets up the ports - FOR THE ADMINISTRATOR who runs the .msi. Users with lesser privileges cannot access these ports. I need to set it up for all users on the machine, but I've tried about everything I can think of with no luck.

Something I find odd is that the Admin user can see the assigned ports using netstat -a, but they do not appear at all using netsh http show urlacl...is that an indicator of something wrong?

Irreproachable answered 14/1, 2011 at 14:50 Comment(3)
Why are you using both parameters user and sddl? IMHO only one of them is required/useful. - Languishment
user="NT AUTHORITY\Authenticated Users" adds the right only for this user. If you want to authorize your own user, you must specify that user or a group of users that includes it, or leave this option out and use only the sddl option. Personally I use sddl "D:(A;;GX;;;IU)" for the interactive user. learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings - Derbent
You can use WD (SDDL_EVERYONE, interactively logged on or not) in place of IU (SDDL_INTERACTIVE = interactively logged-on user) for everyone. learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings - Derbent
B
8

If 8346 is your port number, your syntax is incorrect; it should be:

netsh http add urlacl url=http://127.0.0.1:8346/ user="NT AUTHORITY\Authenticated Users"
Buggery answered 15/9, 2011 at 15:15 Comment(2)
While the answer is a true statement fixing the typo, I don't see how it answers the question. You could have used a comment for this info. - Superstratum
If you want it to be a bit neater you could use the plus sign to avoid having to enter any address, it's a shortcut for any IP or name which resolves to the local machine, i.e. "http://+:8346/". - Shote
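
As an added example (not part of any post in this thread), a short Python check of the two things discussed above: the url= prefix from the question versus the corrected one in the answer, and the SDDL ACE string from the comments. The function names and lookup tables are this example's own, and only the SID strings named in the thread are decoded.

```python
import re
from urllib.parse import urlsplit

# SID strings named in the thread (subset of the SDDL SID-string table).
TRUSTEES = {"AU": "Authenticated Users", "IU": "Interactive", "WD": "Everyone"}
# In a urlacl DACL, GX is the listen (register) right and GW the delegate right.
RIGHTS = {"GX": "listen", "GW": "delegate", "GA": "listen+delegate"}
ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_dacl(sddl):
    """Return a list of (ace_type, rights, trustee) from a 'D:(...)' string."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL starting with 'D:'")
    aces = []
    for body in ACE_RE.findall(sddl[2:]):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;sid
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"ACE needs 6 fields, got {len(fields)}: {body!r}")
        aces.append((fields[0], fields[2], fields[5]))
    if not aces:
        raise ValueError("no ACEs found")
    return aces


def review_reservation(url, sddl):
    """Return human-readable findings for one url=/sddl= pair."""
    findings = []
    parts = urlsplit(url)
    if parts.port is None:
        # The question's typo: the port ended up in the path, not after ':'.
        findings.append(f"no explicit port in {url!r}; path is {parts.path!r}")
    for ace_type, rights, sid in parse_dacl(sddl):
        who = TRUSTEES.get(sid, sid)
        what = RIGHTS.get(rights, rights)
        if ace_type != "A":
            findings.append(f"non-allow ACE type {ace_type!r} for {who}")
        elif sid == "WD":
            findings.append(f"{what} granted to Everyone (interactively logged on or not)")
        else:
            findings.append(f"{what} granted to {who}")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the question's URL, then the corrected one.
    for u in ("http://127.0.0.1/8346/", "http://127.0.0.1:8346/"):
        print(u, review_reservation(u, "D:(A;;GX;;;AU)"))
```
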
C
2

You can add a condition to the setup file to prompt for UAC when installation starts. This will ensure the installer is started by admin and thus will add the exception in the firewall even when the user does not have admin rights.

Carlyn answered 20/1, 2011 at 17:3 Comment(2)
This doesn't seem to answer the question even if it's probably correct. Also, there are no specifics in this answer. - Superstratum
You will need to use the newer versions of WIX which support bootstrapper (Setup.exe) to properly launch as administrator. Else it will only work when launched via MSIEXEC from an administrator command/process. Bootstrapper is the only way to guarantee you are running as admin even when Setup.exe is double-clicked from the shell. It is also common to add a launch condition to explain to the user/admin log why it failed rather than some strange failure message, e.g. when double-clicking MSI/without setup.exe bootstrapper. You can't "prompt for UAC", only the system via another process/setup.exe. - Shote