MinimServer Forum

Full Version: Minim as a service on Windows
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
I'd like to run Minim as a service on a Windows (10) box. As far as I can see the standard windows install is meant to run as the currently logged on user. I think that there is support for doing something like this on linux systems, and that you can run without a UI on windows.
So, has anybody done any work on this? As far as I can tell, there are a number of variations on the tanuki wrapper http://wrapper.tanukisoftware.com/doc/en...wnload.jsp which is a Java framework/library for managing Java applications as windows services. Alternatively there is an open source (and modernised) implementation of the old srvany tool from Microsoft. NSSM - the Non-Sucking Service Manager from http://nssm.cc/
Or there may be other better ways of doing this.
In any case it would be desirable to "harden" the service using virtual service accounts and/or service SIDs, ideally a restricted Service SID. MS documentation on these topics leaves a lot to be desired, but I think I can see what one might do.
As far as I can see from the MinimWatch documentation, I should be able to control any MinimServer instance on my local network, which is convenient, but reinforces my desire to run MinimServer with just enough privileges.
For a description of what another user has done, see this post.
(30-05-2016 21:09)simoncn Wrote: [ -> ]For a description of what another user has done, see this post.

Looking at that thread (which I should have found) that user decided instead to automate running minimserver as the currently logged on user. That's what I want to avoid.

In that thread:

Quote:simoncn Wrote:
MinimServer uses the startup directory location to compute the location of its configuration files. If you use a different directory for startup, MinimServer will go into test mode, which isn't supported or recommended.

Is there some reason why you can't configure the Windows service to change directory to the "lib" directory before starting MinimServer? For example, you could do this by running a cmd.exe /c script that sets the directory and then starts MinimServer.
That does raise some questions. I had already noticed that if you changed the startup directory, MinimServer couldn't find its configuration and prompted for a new one. I was puzzled by this, as I couldn't figure out why MinimServer would find the users %appdata% path if started from the lib folder, but not do so if started from elsewhere. However, once I'd configured MinimServer again, it seemed to work fine, so I ignored it.

I would expect that if run as a service using srvany.exe, that MinimServer wouldn't be able to find a user's configuration, because it's in the users profile. Local System (the identity with which it would be running) doesn't have a normal profile, and programs run as system that expect this tend to break.

Depending on the method MinimServer uses to find the configuration folder, and how that behaves when run by "local system" or "local Service" would affect whether MinimServer could come up with a sensible configuration location. I'd be happier to define a different startup folder and set the Java class path on the command line (if required). But, if this isn't a recommended or supported configuration, then this is trickier. I have one broken UPnP renderer which doesn't correctly support mpeg 1 audio (only supports layer 3), but servers and control points will only work with mpeg 1 layer 2 audio if it's marked as layer 3 (mp3). This also suggests that running two instances of MinimServer (which I would want to do to be able to offer transcoded audio only to my broken renderer) under windows isn't supported either. Using different startup folders and changing the ports I had this working.

My guess would be that MinimServer uses environment variables to find the user profile. Finding standard user locations in Windows Java is tricky because the java view of homepath was defined by Sun as the parent of the desktop folder up to version 7, and the user profile path in version 8. (On standalone desktop machines this is usually the same path, but the user is free to change the location of their desktop folder, on managed machines with redirected desktop folders it's usually different)

All of which suggests that I may be looking at an "interesting" problem - and probably explains why noone has tried this before and reported success.
To run MinimServer on Windows, two things are needed:

1) The current working directory must be the installation 'lib' directory. This is normally C:\Program Files\MinimServer\lib but it could be something else.

2) The APPDATA environment variable must be set. MinimServer uses this variable to locate and/or create the configuration of the running instance. The configuration folder is %APPDATA%\MinimServer.

It is possible to run multiple instances on Windows by ensuring that each instance is started with a different APPDATA value.
(31-05-2016 07:51)simoncn Wrote: [ -> ]To run MinimServer on Windows, two things are needed:

1) The current working directory must be the installation 'lib' directory. This is normally C:\Program Files\MinimServer\lib but it could be something else.

2) The APPDATA environment variable must be set. MinimServer uses this variable to locate and/or create the configuration of the running instance. The configuration folder is %APPDATA%\MinimServer.

It is possible to run multiple instances on Windows by ensuring that each instance is started with a different APPDATA value.

Thanks for confirming that information. I have been able to get MinimServer running with the "local service" account using psexec (with some difficulty). That should mean that I can get it to run as a service. A task for the weekend.
I've been successfully running MinimServer as a service under 64 bit Windows 10 home. Do read all the relevant documentation before you do any of this.

Brief outline:
Get NSSM from http://nssm.cc (and read the documentation)
Copy (64 bit) NSSM.exe to C:\Program Files\NSSM
Copy Server JRE to C:\Program Files\Java (installing a JRE of your choice would also be ok)
Copy/Install MinimServer to C:\Program Files\MinimServer
Run NSSM.exe from an elevated command prompt:

>nssm install MinimService

In the Application tab:
path: C:\Program Files\Java\jdk1.8.0_91\jre\bin\java.exe
Startup Directory: C:\Program Files\MinimServer\lib
Arguments: -jar "C:\Program Files\MinimServer\lib\mserver.jar" --set watch.view=console --noprompt

Details tab:
Display Name: MinimServer Service

I/O tab:
Output: %userprofile%\MinimService.log
Error: %userprofile%\MinimService.log

leave everything else as the default.
Click on Install Service

Now, you need to configure the service to run with a virtual service account. From the command prompt:

>sc config MinimService obj= "NT SERVICE\MinimService"

and with a write restricted SID:

>sc sidtype MinimService restricted

You need to set the firewall so that MinimServer can be seen from other machines on your local subnet. Either do this yourself using the GUI (from control panel), or using 'netsh advfirewall firewall' from the command line. (Or cheat and do a trial run of MinmServer from a non-elevated command prompt, and wait for the prompt to open the firewall.)

You should install and run MinimWatch. Now you can start the service:

>sc start MinimService

This should turn your MInimWatch system tray icon red. Open and configure MinimServer as described in the documentation.

Note that as soon as you start MinimService, a new folder will appear in C:\Users (MinimService) This is the profile for the service, and where it's configuration lives. You can give permissions to this new virtual service account. As far as read permissions are concerned it has much the same rights as any other user account, so if you Music Library is in your personal "My Music" folder MinimService won't be able to read it, just as any other user wouldn't be able to read it. So, you would have to give MinimService permission to read it, either explicitly, or by giving users or everyone permission to read it. When you need the name of the account, it's "NT SERVICE\MinimService". If your music library is in a directory under the root of C:, or in the public profile (e.g. under Public Music) the MinimService should be able to read it.

The restricted write SID means that the only place the MinimService account can write is where it has explicit permissions. MinimServer only writes in the user profile, so that's fine, as the virtual service account will have full control in its own profile.

If Microsoft have helpful documentation about virtual service accounts and write restricted SIDs, I haven't been able to find it. The following may help:
http://searchenterprisedesktop.techtarge...erver-2008
http://www.christianlong.com/blog/twiste...e-accounts
Thanks for these instructions! They should be very helpful for other users.
Reference URL's