
Setting inter-dependency for services and programs on logon/logoff

January 29, 2010 11:51:28 PM

Hello,

I'm just setting up a new Win7 Professional system, and I want to encrypt a partition on the hard disk with TrueCrypt to store certain stuff including the data directory for MySQL.

However, the MySQL service would probably start before I'm logged in and therefore throw a fit if the data dir isn't mounted yet. Likewise, I can't be sure MySQL will stop before the TrueCrypt volume is dismounted at logoff/shutdown.

Is there any way I can make MySQL wait for the TrueCrypt volume to be mounted after logon, and then stop it at logoff before TrueCrypt dismounts? It seems it might be possible using Group Policy, but as I come from XP Home I've no experience of this tool.

PS - Just to make things more complicated, I'll mostly be logging in as a Standard User, so the solution has to work whoever logs in.

Not asking much eh?

Thanks!
January 30, 2010 3:27:08 AM

google is your friend
January 30, 2010 7:27:58 AM

Er... Well, no it hasn't been. I do try to find solutions for myself before seeking help y'know, it's just rather a complex issue and nothing I've dug up covers the extent of it.

If you have any suggestions on specific terms I could use in my googling, that would be considerably more useful than your post above, mate.
January 30, 2010 8:27:06 AM

I'm no MySQL expert, but it sounds to me like you could just set the MySQL service to "Manual" startup, and then have a batch file that runs at logon time which (a) starts up TrueCrypt, and then (b) starts up MySQL.

Similarly, you could use a logoff script to do the reverse. Logoff scripts are configured using the Group Policy editor in the Microsoft Management Console (MMC), which you set up as follows:

Start -> Type "mmc" into the search box, run the "mmc.exe" program (must run as administrator to edit Group Policy).

File -> Add/Remove Snap-In

Select "Group Policy Object" and add it to the list of snap-ins, click "OK"

Click "Finish" with "Local Computer" selected as the Group Policy Object.

Click "OK" to close the "Add or Remove Snap-Ins" dialogue box.

In the left pane of the MMC console, navigate to:
Local Computer Policy -> User Configuration -> Windows Settings -> Scripts

In the right pane you can add logon and logoff scripts. Note that the scripts must be in the correct GroupPolicy folder (the scripts added via the MMC go into by default).

Once you've created the Group Policy MMC, you can use "File -> Save As" to save a configuration file for it (file type ".msc") - you can then double-click on that file to start up an MMC with the Group Policy Snap-In already loaded instead of having to go through the steps above to set it up.
January 30, 2010 8:34:51 AM

What about using startup and shutdown scripts (or possibly logon and logoff scripts)? Set the MySQL service to start manually and start it in the script with the "net start" command.

Edit: Oops - I see I've been beaten to that suggestion.
January 30, 2010 12:04:38 PM

Thanks both of you for replying. I agree that the startup/shutdown or logon/logoff scripts are the way to go, but I've started this morning trying to figure out the necessary scripting and already I'm mired in confusion.

It seems I'll need more than one script for each part of the process, because things will be happening at different privilege levels. I see it like this:

Logon(1): a system-privileged script that waits for a signal (for example a value written to a text file) before starting MySQL and other services.

Logon(2): a user script (for each user) that performs the TrueCrypt mount and, when successful, gives the signal.

Logoff(1): a user script that waits for another signal before dismounting TrueCrypt.

Logoff(2): a system script that stops MySQL etc then gives the signal.

I'm a bit concerned about the service start/stopping part, because I'm getting Access Denied errors when trying to issue "net stop MySQL" or "sc stop MySQL" in PowerShell or cmd, even though I'm in the Admin account.
January 30, 2010 3:38:22 PM

Yeah, the privilege requirement is a complication. You could try using the Task Scheduler (Start -> Right-click "Computer" -> Manage, then navigate to "System Tools -> Task Scheduler"). I haven't used it much myself but it does have options to run a script at logon or logoff time and you can enter credentials so that it runs in a privileged account.

When you sign onto an Administrative account with UAC enabled and open a PowerShell or Command Prompt window, the windows don't get administrative privileges. UAC normally runs programs without a privileged access token, and programs have to request privilege elevation as needed. Neither PowerShell nor Cmd.exe ever request privilege elevation, so by default you can't use privileged commands from them.

If you want to do something in a Command Prompt / PowerShell window that requires privileges, you need to open the window using "Run As Administrator" - even if you're already using an administrative account.

I have a feeling that's why your MySQL start/stop commands aren't working.
January 30, 2010 6:03:16 PM

Yep, this seems to be my problem - the logon/logoff scripts are run as the user that logs in, so I can't use them for the service starting/stopping when I log in as a Standard user.

The task scheduler should work though, at least for the login part. As TrueCrypt can be mounted automatically at login, I only need one custom script here:

do {sleep 5} until (Test-Path X:\)
net start MySQL
net start Apache2.2

X: being where the TrueCrypt volume is mounted.

Logoff is more of a problem though, because I can't initiate a privileged script at user logoff. It's also more critical to get right, because while these services can't screw up my data if they can't access it, suddenly losing access to it is likely to be a more serious problem.

I'll have to also have another privileged script scheduled at logon, that'll keep running as a "daemon" listening for a signal from a user logoff script. The privileged script could be like:

$logoff = 0
while ($logoff -eq 0) {
    sleep 5
    # gc errors out (and leaves $logoff $null) if the file doesn't exist yet, so check first
    if (Test-Path c:\path\to\signal-file.txt) { $logoff = gc c:\path\to\signal-file.txt }
}
net stop Apache2.2
net stop MySQL
& 'C:\Program Files\TrueCrypt\TrueCrypt.exe' /d x /k   # dismount command

Then the user logoff script just does this:

echo 1 > C:\path\to\signal-file.txt

I'll try these parts tomorrow. However, I'm still a bit concerned that if this doesn't work, there's nothing to tell TrueCrypt to dismount and the system could hang at logoff (I've already done that once).
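Putting the pieces from the last two posts together (the elevation requirement and the mount-wait / signal-file idea), here is an added example of a single privileged watcher script. It is not code from the thread; it assumes a Task Scheduler task runs it at logon under an administrator account with "Run with highest privileges", and that X:, the service names, the signal-file path and the TrueCrypt install path are the placeholders used above.

```powershell
# Added example, not from the thread. Privileged watcher intended for a
# scheduled task (run at logon, highest privileges), so it is not subject to
# the UAC split-token problem that makes "net stop" fail from a normal window.
# Assumed placeholders: drive X:, services MySQL / Apache2.2, signal-file path,
# TrueCrypt install path. TrueCrypt mounts are assumed visible system-wide.

$Volume    = 'X:\'
$Services  = @('MySQL', 'Apache2.2')          # start order; stopped in reverse
$Signal    = 'C:\path\to\signal-file.txt'     # placeholder from the thread
$TrueCrypt = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'

# 1. Refuse to run without an elevated token: Start-/Stop-Service would fail
#    with Access Denied exactly as "net stop MySQL" did in the posts above.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
              [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run elevated (scheduled task, highest privileges).' }

# 2. Clear a stale signal from a previous session, otherwise the watcher
#    would stop the services again the moment they come up.
Remove-Item $Signal -ErrorAction SilentlyContinue

# 3. Wait, with a timeout, for the user's TrueCrypt mount; then start services
#    in dependency order (database first, web server second).
$deadline = (Get-Date).AddMinutes(10)
while (-not (Test-Path $Volume)) {
    if ((Get-Date) -gt $deadline) { throw "Volume $Volume never appeared." }
    Start-Sleep -Seconds 5
}
foreach ($s in $Services) { Start-Service -Name $s }

# 4. Block until the (unprivileged) logoff script creates the signal file.
#    Testing existence avoids the Get-Content-on-missing-file trap.
while (-not (Test-Path $Signal)) { Start-Sleep -Seconds 5 }

# 5. Stop services in reverse order and wait for each to really be Stopped,
#    so nothing still holds files on X: when the volume is dismounted.
foreach ($s in $Services[($Services.Count - 1)..0]) {
    Stop-Service -Name $s -Force
    (Get-Service -Name $s).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
}

# 6. Dismount X: (/d <letter>) without opening the GUI (/q); these are
#    TrueCrypt's documented command-line switches, verify for your version.
& $TrueCrypt /d x /q
Remove-Item $Signal -ErrorAction SilentlyContinue
```

The user-side logoff script stays as simple as in the post above (write the signal file); if step 5 times out, WaitForStatus throws, so the dismount is skipped rather than pulling the volume out from under a service that has not stopped.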
January 30, 2010 8:21:02 PM

Just out of curiosity, have you considered using BitLocker for encryption? I'm not an encryption expert, but I haven't heard of any specific weaknesses in the technology and it's probably a lot more seamless than what you're trying to do.
January 30, 2010 11:40:36 PM

Alas, it appears that Win7 Professional doesn't have it, only Business and Ultimate. I also was noticing something on the Intel Matrix Storage [RAID controller] startup screen about drive encryption, but I don't think my particular SKU has that either :( 

I've just been looking online and a 72Krpm, 500GB SATAII drive costs about £40 new. I think I'll start making the case that this will cost them less than the billable hours I'm spending mucking about with this workaround. Like HDDs ever die within the warranty period anyway...