AdGuardHome Windows edge version [Unknown error: Access is denied. (0x80070005)] #7400
Comments
|
I discovered that the latest edge version modifies the access rights of the entire folder, which is the main cause of this issue. This is the permission for a regular folder. These are the folder permissions after the update is complete. |
|
Yes, it changed everything in the folder. Even I grant access right again,
it did but work. I need to grant access right, delete the whole folder, and
setup the old version again. Luckily, I have backup the yaml file,
otherwise I will have to setup everything from the very beginning.
在 2024年11月3日週日 13:55,観月唯 ***@***.***> 寫道:
… I discovered that the latest edge version modifies the access rights of
the entire folder, which is the main cause of this issue.
—
Reply to this email directly, view it on GitHub
<#7400 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABSG6NBQ7RAC6IABK4YWB43Z6W3D5AVCNFSM6AAAAABRCMEMMSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINJTGMYDONRTGI>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
I found that this issue is significantly related to #7314. Moreover, based on the current folder permissions, the service should not be able to start normally after rebooting because the SYSTEM permissions have been removed. |
|
It happened on my device as well. |
|
@pekkle-hksar, hello and apologies for the delayed response. It's definitely related to the issue @bestpika mentioned, and we've already pushed the new edge release, that should avoid this behavior. Could you please try updating to it? Note that it indeed changes the permissions of the files in the working directory due to security concerns. I strongly recommend that you to backup the directory before updating AdGuard Home. AFAIK, the problem only appears after an update, so I believe it could be fixed by giving full access rights to |
|
@EugeneOne1 The problem still exists, and there is an issue with the permission design.
|
|
When starting service it now says access denied. |
|
@bestpika, how do you install the AdGuard Home service? Are you using PowerShell running with Administrator privileges? If so, could you please show the result of the following command: ([Security.Principal.WindowsPrincipal]
[Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)If not, could you please provide a detailed description of the process? Also, which security identifier corresponds to the "SYSTEM"? If it is listed in this resource? @StoneOfStones, what permissions are assigned to the file |
|
После обновления на v0.107.54 у меня была тоже ошибка с доступом и служба не могла работать и мне пришлось самому по стандарту все учетные записи добавлять и в каждом убирать эти галочки которые на фото. After the update to v0.107.54, I also encountered an access error, and the service could not function. I had to manually add all the accounts according to the standard and uncheck those boxes in each one, as shown in the photo.
|
@EugeneOne1 don't know. I fix it with:
Don't want to update to a new version just to break it again |
Services on a windows system run with SYSTEM permissions, so SYSTEM permissions must be kept |
same as others, it's not working... after updated to the new version, it will be access denied. |
SECURITY_LOCAL_SYSTEM_RID https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers WELL_KNOWN_SID_TYPE enumeration |
|
I have the same problem. It is really frustrating. 😣 |
|
Hello again everyone! Unfortunately we can't reproduce the problem on our test machines. I suspect it's due to differences in the behaviour of different versions of Windows. Could you all please provide some common information:
As a temporary workaround for anyone facing this problem, the @Eyeborgs's comment should prevent any further permission issues. It will generate a security warning in the log on every reboot and update, but that's not critical. |
版本 Windows 11 家庭中文版 我使用 |
|
My OS version is windows server 2025. Even in the latest release, after execute AdGuard Home, the folder permission is reset to "none". I guess, server 2025 has same behavior with Windows 11 24H2 |
|
My temp workaround is to start AdGuardHome with the following batch file instead of starting it as a Windows service. Change both instances of It works by adding a short delay after starting the AdGuardHome executable and then resetting the folder permissions to NTFS defaults. |
|
I'm running Windows 11 canary build + AdGuardHome Edge build.
AGH is running as service.
Using command prompt or terminal or power shell with admin right also got
the same access denied error.
在 2024年11月11日週一 22:43,Eugene ***@***.***> 寫道:
… Hello again everyone! Unfortunately we can't reproduce the problem on our
test machines. I suspect it's due to differences in the behaviour of
different versions of Windows. Could you all please provide some common
information:
- Which version of Windows you are using, e.g. Windows 10 Pro version
22H2 19045.5011 (Windows Feature Experience Pack 1000.19060.1000.0); it's
usually located under *Start* → *Settings* → *System* → *About*.
- How exactly was AdGuard Home installed as a service? Did you use a
custom API (.\AdGuardHome -s install)?
- What command-line tool are you using and what privileges does it
have?
As a temporary workaround for anyone facing this problem, the @Eyeborgs
<https://github.com/Eyeborgs>'s comment
<#7400 (comment)>
should prevent any further permission issues. It will generate a security
warning in the log on every reboot and update, but that's not critical.
—
Reply to this email directly, view it on GitHub
<#7400 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABSG6NC2EWJM3DZM54HGGO32AC7BVAVCNFSM6AAAAABRCMEMMSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINRYGM2DIMJWGM>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Temporary solution until AdGuard stops mocking around with permissions. Edit: This is a nice way of increasing the security too, because AdGuard is no longer running with SYSTEM (lots of permission) instead with normal user permissions. |
|
Same problems, same issues for both Edge & Beta. I'm back using edge/beta version before all this permissions issues happened. Here's the file if anyone interested before the day of all this permissions issues happened. The version on the zip file are this.... |
|
Actually, this is generally not done on Windows. This kind of practice is more suitable for Linux. Therefore, is it possible to disable this permission check on Windows? |
|
This issue currently broke internet connections on all windows machines where I installed AGH as service. |
|
@EugeneOne1 |
100% agree |
|
Also agree with this. |
|
Agree. It's to minimize the problem to current users using the standard
command to install service. New feature that may caused problem would be
better an opt-in feature rather than turn on by default.
在 2024年11月23日週六 02:47,Roman ***@***.***> 寫道:
… @EugeneOne1 <https://github.com/EugeneOne1>
That's certainly good, but I would prefer that permcheck is not applied by
default.
For those who want to use permcheck, they can add the option .\AdGuardHome
-s install --permcheck.
—
Reply to this email directly, view it on GitHub
<#7400 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABSG6NHZ33GGLD2Z65GH6GT2B533PAVCNFSM6AAAAABRCMEMMSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIOJUGUZDGMRSGI>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Wow, in stable release, it's happening even when it's not running as service. I just tried the edge biuld, seems fine with |
|
How does one download the edge build? I only see the beta and normal in release/tags? |
|
|
So issues #7439 and #7454 are duplicates of this Issue; I had to fall back to version v0.107.53 from v0.107.54. AdGuard Home is already installed as a service, and updating it manually by replacing the executable and then running the service resulted in AdGuard blocking itself from running because it set only Write permissions to a non-privileged unknown user to its folders (not even myself, as an Admin User, could open the folders because it had permissions which made no actual sense: the yaml file and the data folder had only Write permission, not even Read or Traverse files and folders); I can't update to another stable version until this is fixed because whenever I do that, I have to set AdGuard from scratch. Setting permissions of full control may allow AdGuard to run once, because it'll set its permissions wrong again in the next run. Also, setting all permissions to the right ones (suggested here in this Issue), but leaving the folders "data" and the yaml file with the Write only permissions AdGuard set automatically when it runs (not even read or traverse files and folders), will allow AdGuard to run on startup normally but I believe it'll not be able to read its settings consistently, so that may be the cause of the DNS filtering not working in my other post on Issue #7439. If the folder has all the permissions with Full Control (even data and yamls file), AdGuard will run normally once and then break again. Even the Owner of the folder in the security permissions is Unknown and not Administrator or an Admin User (me). So AdGuard won't be able to be run with PowerShell or cmd. By the way, how would I update to a newer version (but not again v0.107.54) and then not let AdGuard change its permissions? What I understood is that if you install it from scratch as a service, you can do -s install --no-permcheck, but what should I do as an end user, to update it, if it's already installed as a service: after I just replace the executable file? Because I don't need to change permissions: I know it's safer to restrict permissions in important folders, but I'm already an Admin User in my computer, so maybe this changes nothing in the question of security, because I think it's redundant, in Windows: suppose a bad actor invades my computer: it'll be able to do anything it wants, even to AdGuard, because I'm also an Admin User; I know it's safer to create an account without Admin Privileges and leave the Administrator account with its privileges only, but here where I live we don't have so much software security and safety education, so many stores already sell the computer with a new user with administrative privileges (access to root) and with some bloatware sometimes. I want to restrict my current user and enable Windows's built-in Administrator account with UAC messages with password required to make system changes, but I'm a little bit buzy/lazy to do that right now, it's too much to change. So for most Windows end users, like myself, who bought a computer and started using it the way it came from the store, changing permissions may be also redundant. Because if I'm infected with malware, the malware will grant itself privileges and access AdGuard with my own credentials (as I'd do manually). P.S.: I'm not a professional IT, a security technician or anything, I'm just explaining my suppositions and the experience I had installing the new AdGuard stable version as an end user, so please correct me when I said something wrong. Also, I'm using Windows 11 Pro 22631.4391 Windows Feature Experience Pack 1000.22700.1047.0 and avast! I installed AdGuard with PowerShell as service with .\AdGuardHome -s install Edit: this is not a rant in any way. I'm just trying to learn more. I love AdGuard and AdGuard Home because they give me control to my privacy and even more security when browsing. I apologize if any part of my writing had any sign of flame or anger. English is not my native language. |
|
Hello, @Arthur-Kenichi-Condino, thank you for a very thorough response! The issues mentioned are really duplicates of this one and all have the same origin, which is the inability to access the files with invalid permissions. We’re already testing the new beta, which should be much more accurate in terms of access rights on Windows.
Who owns AdGuard Home’s working directory and its parent directory? The latest release shouldn’t affect the owners of files and directories, it just sets the permissions for them, assuming that the working directory was originally owned by the Administrators account.
The service uninstall command shouldn’t affect permissions, so it can be run either before or after the executable is replaced. Could you please try the following:
This should fix skip the unwanted permissions manipulations.
You’re always welcome to share your experiences with us to help us develop AdGuard Home and other products. However, as a security-aware, server-based software, AdGuard Home strives to avoid all possible vulnerabilities, one of which is insecure access rights (#7314). |
|
So I followed the instructions given in this topic to update and get it working again, but somehow my filterlists have 0 entries? Even after forcing an update to them. I can see the files in explorer and they have the right data in them. So I guess this way of "forcing" adguard to run renders it unable to read the filter files?? |
The filter file was incorrectly set with permissions in previous versions, which requires you to restore it manually. |
I suggest you to nuke your current adg installation and reinstall it from scratch. |
No need, last update fixed this. |
|
这个权限控制完全没必要,都已经是home了,还要担心什么权限问题?多此一举! |
Updates #7400. Squashed commit of the following: commit f50d7c2 Merge: 47040a1 37b16bc Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Dec 3 18:09:23 2024 +0300 Merge branch 'master' into 7400-chown-permcheck commit 47040a1 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Dec 3 14:26:43 2024 +0300 permcheck: fix nil entries commit e1d21c5 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Dec 2 15:37:58 2024 +0300 permcheck: fix nil owner commit b1fc67c Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 18:07:15 2024 +0300 permcheck: imp doc commit 0b6a713 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 17:16:24 2024 +0300 permcheck: imp code commit 7dfbeda Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 14:28:17 2024 +0300 permcheck: imp code commit 3a5b6ac Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Nov 28 19:21:03 2024 +0300 all: imp code, docs commit c076c93 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Nov 28 15:14:06 2024 +0300 permcheck: imp code, docs commit 09e4ae1 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Nov 27 19:19:11 2024 +0300 all: implement windows permcheck commit b75ed7d Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Nov 25 18:01:47 2024 +0300 all: revert permissions
|
Hello everyone! We've pushed the edge build that contains a more proper implementation of the access rights handling. For now, AdGuard Home will only check the working directory permissions and migrate them if necessary. The expected permissions (which won't be migrated) for now are the following:
Note that any file within the working directory is expected to inherit its permissions and therefore be considered protected. It works fine on our test machines, but we'd really appreciate it if someone would check it before we release a beta and eventually a stable version. If you want to help us test this feature, and you previously installed the service with the For those who don't want to use this feature, the |
This seems to be working well from my testing so far. Permissions are set correctly, Windows states that I don't have access to the working directly but I can click continue to get access as an admin, configuration is editable from the webUI, no issues on restart of the service. |
It works well on my machine. |
|
For anyone interested, the fix is available on the beta channel. |
|
We're closing this issue for now and preparing a stable release, thanks again to everyone who tested the fix. |
|
@EugeneOne1 Can I continue to use the |
|
@bestpika, sure. It's also available in the latest beta. |
It works for me. |
and others
NOTE: For most relevant workaround see the comment.
Prerequisites
I have checked the Wiki and Discussions and found no answer
I have searched other issues and found no duplicates
I want to report a bug and not ask a question or ask for help
I have set up AdGuard Home correctly and configured clients to use it. (Use the Discussions for help with installing and configuring clients.)
Platform (OS and CPU architecture)
Windows, AMD64 (aka x86_64)
Installation
GitHub releases or script from README
Setup
On one machine
AdGuard Home version
v0.108.0-a.977+1d2026bf
Action
run "AdGuardHome.exe" in command prompt with admin right
Expected result
start AdGuardHome properly
Actual result
Error message shown "Unknown error: Access is denied. (0x80070005)"
Additional information and/or screenshots
seems latest edge release in Windows is having problem
I fallback the previous version by remove the whole folder, and unzip the previous edge version (Version:
v0.108.0-a.975+e529d29e), AdGuardHome could start properly
The text was updated successfully, but these errors were encountered: