Adding Permissions for a Non-Admin User to Start EkranServer


To allow a non-admin user to start the EkranServer service, the following permissions need to be added:

1. Writing events to the log files - Write permission:

C:\Program Files\Ekran System\Ekran System\ServerLogs

2. Using certificate-based encryption - Write permission:

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

3. Writing events to the Event Log - Write permission:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Ekran System

4. Writing to the registry - Write permission:

HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem

IMPORTANT NOTE: After updating to Ekran System version 6.53.1 or higher, the Application Server can no longer be configured in the registry. It is configured instead in the "EkranServer.Settings.config" text file (located in: C:\Program Files\Ekran System\Ekran System\Server). All settings previously configured in the registry remain the same, but are now stored in the .config file (e.g. <add key="<GoldenImageMode>" value="1" />), and can only be modified in this file. For this reason, all instructions above concerning configuration of the Application Server in the registry now apply to the .config file instead of the registry.

5. Reading and writing to the registry - Read and Write permissions:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY
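
The five grants listed above can be scripted. The following PowerShell is an added example, not part of the original article or Ekran System's own tooling; the account name CONTOSO\svc-ekran, the -Apply switch and the folder-only scope on MachineKeys are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not Ekran System code. The account name is a placeholder (assumption).
param(
    [string]$Account = 'CONTOSO\svc-ekran',
    [switch]$Apply   # without -Apply the script only reports what it would change
)

# Paths and rights as listed in the article. Inherit = 'None' on MachineKeys is this
# example's assumption: it scopes the grant to the folder itself, not existing key files.
$targets = @(
    @{ Path = 'C:\Program Files\Ekran System\Ekran System\ServerLogs'
       Rights = 'Write'; Inherit = 'ContainerInherit,ObjectInherit' }
    @{ Path = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
       Rights = 'Write'; Inherit = 'None' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Ekran System'
       Rights = 'WriteKey'; Inherit = 'ContainerInherit' }
    @{ Path = 'HKLM:\SOFTWARE\EkranSystem'
       Rights = 'WriteKey'; Inherit = 'ContainerInherit' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY'
       Rights = 'ReadKey,WriteKey'; Inherit = 'ContainerInherit' }
)

foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t.Path)) {
        Write-Warning "Not found, skipped: $($t.Path)"
        continue
    }
    # Registry keys and directories need different access-rule types.
    $type = if ($t.Path -like 'HKLM:*') { 'RegistryAccessRule' } else { 'FileSystemAccessRule' }
    $rule = New-Object "System.Security.AccessControl.$type" `
        -ArgumentList $Account, $t.Rights, $t.Inherit, 'None', 'Allow'

    # Add an allow entry to the existing ACL; entries already present are kept.
    $acl = Get-Acl -LiteralPath $t.Path
    $acl.AddAccessRule($rule)

    if ($Apply) {
        Set-Acl -LiteralPath $t.Path -AclObject $acl
        Write-Output "Granted $($t.Rights) to $Account on $($t.Path)"
    } else {
        Write-Output "Would grant $($t.Rights) to $Account on $($t.Path)"
    }
}
```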


If the permissions specified above did not help, the Process Monitor (Procmon) application can be used to check which directories access is still denied for, by doing the following:

1. Open the Process Monitor application.

2. Open the Process Monitor Filter (e.g. by clicking on the Filter icon on the toolbar in the top left), specify the condition “Process Name is EkranServer.exe”, and then click the Include > Add > OK buttons.

3. Click the Clear button on the toolbar at the top to clear the events.

4. Open the EkranServer service properties, and select Take No Action.

5. Restart the EkranServer service.

6. In Process Monitor, exclude all results except those with Access Denied, by right-clicking on a result and selecting Exclude in the context menu that opens.

7. Grant the permissions for each directory or registry key shown, then clear the events in Process Monitor, and check that the permissions now allow the service to be started.