Jump to content
kamakamadaun

post-recording task doesn't seem to have all privileges

Recommended Posts

kamakamadaun

Hi,

 

my goal is to run a bat file after recording that:

1) transcodes to h264 (to deinterlace since chromecast 2 doesn't like interlacing)

2) trigger re-scan in Plex

 

With the old recording service (and DMS) I can make the transcoding work with ffmpeg but NOT if I use hardware acceleration in ffmpeg. I understand that this is because the service's account doesn't have hardware access. Fair enough. So I bought DMS since there is an option to run the the task in the user account, which should solve the problem.

 

Before getting to test if it works with DMS, though, I set the service to run as my own user. This is the only way I know of to be able to record to a network drive.

The service refused to start though but I solved it based on this: https://social.technet.microsoft.com/Forums/en-US/419ba006-4413-4036-8c49-252b08593131/service-fails-to-start-error-1297-and-7000?forum=winserverDS adding "users" to the needed privileges.

 

But now the "run in user account" option to be greyed out in the task config. So I assumed that was to say "The service is already running as the local user so no need"?

But if I set the service back to run under the system account it is still greyed out.

 

So I also tested running my task with the service running with my own user. It looks like ffmpeg is launched with the right user but it still gets the errors related to not being able to start the directX device.

 

So... I have a few questions:

1) What will make that option to be greyed out?

2) If I run the service as my own user should the task also be run with the correct user?

3) Can you think of a reason why the Plex command seems to be triggering (I see the media scanner running in the task manager) but not working? If I run the exact same command on my own Plex is updated.

4) Can you think of some other reason why this shouldn't work?

 

Cheers and thanks in advance.

 

 

 

 

Share this post


Link to post
Griga
14 hours ago, kamakamadaun said:

1) What will make that option to be greyed out? 

 

The per-task "Execute in active user account" checkboxes are disabled if the general "Extended privileges for executing tasks in the active user account" checkbox is unticked.

 

This general checkbox is unticked if the required privileges for executing tasks in the active user account are not set. It is disabled If the privileges cannot be read or the service is configured to log on with the credentials of a user account, or with other words, if in the registry key

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DVBVRecorder

 

the RequiredPrivileges value is empty/not present or the ObjectName value is not LocalSystem.

 

Tasks are displayed as striked through if they can't be executed, because they previously have been set up for execution in the active user account, but the required privileges are not set.

 

Please note: If a service is configured to run with the credentials of a user account, it does not run in the context of this user account. It only uses its credentials for log-on, thus enabling access to protected network drives. If you want the service to run in the user account, you need to start DVBVservice.exe as application, which is possible, but includes some restrictions, because the DMS is not designed for this state. E.g. the tray tool cannot communicate with it anymore. However, this mode can be quite useful for tests.

 

A service needs additional privileges for running a child process in the active (!!!) user account (which is not necessarily the account whose credentials are used by the service). The checkbox "Extended privileges for executing tasks in the active user account" adds three required privileges to the registry key mentioned above (SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, see here). The main purpose is to enable tasks that require a visible UI, e.g. if the service shall launch DVBViewer. However, a task set up like this requires a user account to be active. If no user is logged on, task execution fails.

 

Unfortunately, if a service is configured to log on with user credentials, it is not allowed to use these privileges. If they are set, it does not start anymore. They can only be used if the service is configured for log-on as local system account. Greying the checkbox prevents making the DMS unusable as service. Maybe adding "users" to the privileges, as described by you above, could solve the issue. But it may be be very dangerous under security considerations.

 

14 hours ago, kamakamadaun said:

With the old recording service (and DMS) I can make the transcoding work with ffmpeg but NOT if I use hardware acceleration in ffmpeg. I understand that this is because the service's account doesn't have hardware access.

 

"Because the service's account doesn't have hardware access" doesn't seem plausible to me. Of course the DMS and all child processes running in the system account have hardware access, otherwise the service couldn't use DVB devices. However, I don't know under which conditions the hardware acceleration (DXVA) capabilities of graphics cards can be used. Maybe they require an application that is running with a visible UI. Maybe they need something else... IMO this has to be investigated.

 

Share this post


Link to post
kamakamadaun

Thanks for the detailed reply. Much appreciated.

I will read better later, since it is a bit heavy for me, but I wanted to give you the research I found on the issue.

 

It was discussed here before in the context of streaming with a workaround:

https://www.DVBViewer.tv/forum/topic/61023-ffmpeg-with-qsv-decoding-and-encoding-live-streams/?tab=comments#comment-470714

 

And here where the problem was the same using a service to run ffmpeg: https://trac.ffmpeg.org/ticket/6827

 

Any further hints for a solution are highly appreciated.

 

 

If it helps any here is the script I am using where I would like to switch to the HW accelerated encoding.

setlocal EnableDelayedExpansion
@echo on

> %3.log 2>&1 (

set "tempFile=%RANDOM%.temp"

REM CPU ENCODING
echo EXECUTES: "%~1\ffmpeg.exe" -i %2 -vf yadif=0,scale=1280:720 -map 0 -c:v libx264 -crf 20 -preset ultrafast -c:a copy -f matroska !tempFile!
"%~1\ffmpeg.exe" -i %2 -vf yadif=0,scale=1280:720 -map 0 -c:v libx264 -crf 20 -preset ultrafast -c:a copy -f matroska !tempFile!


REM GPU ENCODING
REM echo EXECUTES: "%~1\ffmpeg.exe" -hwaccel qsv -vcodec h264_qsv -i %2 -max_muxing_queue_size 9999 -map 0 -vf deinterlace_qsv,scale_qsv=1280:720 -r 25 -c:v h264_qsv -preset slow -b:v 4M -minrate 0M -maxrate 8M -bufsize:v 2M -c:a copy -f matroska !tempFile!
REM "%~1\ffmpeg.exe" -hwaccel qsv -vcodec h264_qsv -i %2 -max_muxing_queue_size 9999 -map 0 -vf deinterlace_qsv,scale_qsv=1280:720 -r 25 -c:v h264_qsv -preset slow -b:v 4M -minrate 0M -maxrate 8M -bufsize:v 2M -c:a copy -f matroska !tempFile!


REM COPY TEMP FILE TO FINAL LOCATION AND DELETE TEMP FILE
echo EXECUTES: copy !tempFile! %3.mkv
copy !tempFile! %3.mkv

echo EXECUTES: del !tempFile!
del !tempFile!


REM UPDATE PLEX
echo EXECUTES: "C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Scanner.exe" --scan --section 10 -d "Z:\Recorded TV"
"C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Scanner.exe" --scan --section 10 -d "Z:\Recorded TV"

)

 

Share this post


Link to post
Griga
9 hours ago, kamakamadaun said:

And here where the problem was the same using a service to run ffmpeghttps://trac.ffmpeg.org/ticket/6827

 

--->

 

Quote

D3D is not available from a Windows service and require the program to be launched from an interactive user session:

 

That means, the task must be executed in the active user account, but the DMS can't do it if it is configured for log-on with the credentials of a user account (instead of the system account). However, if the system account is used, accessing network drives doesn't work. That's a catch-22. ;)

 

Share this post


Link to post
kamakamadaun

:( That is sad.

At least it seems I was not particularly stupid for not being able to find the magic config that would make it work.

 

I am wondering if I can make some stupid work-around. Like having the task just write a file, "filename.IamReady", and then have a scheduled task look for such files every few minutes.

Can you think of something else?

Share this post


Link to post
Griga
On 10/24/2018 at 10:26 AM, kamakamadaun said:

Can you think of something else?

 

It's difficult to get around the MS security measures. It is supposed to be difficult.

 

A possible starting point is the Media Server tray tool (DVBVCtrl.exe) or something like this tool that communicates with the service, but runs in the active user account and is able to execute child processes in this account. But that's no short term solution.

 

Another possibility would be an enhancement of the Media Server capabilities to run as application in the active user account, not as service. However, this approach includes some inevitable disadvantages, particularly that no background recordings or server activities can be performed without a user account.being active.

 

Share this post


Link to post
kamakamadaun

Thanks for the explanations. I solved it with two separate bat files.

 

One bat file used for the dms task that just creates an extra file with the .ts file:

copy /y NUL %3.totranscode >NUL

 

A second file that looks for the "totranscode" file and if so transcodes the ts file. This script is run through the windows scheduler every 2 minutes:

@echo on

cd Z:\Recorded TV\
z:

for /r %%i in (*.totranscode) do (

	> "%%~di%%~pi%%~ni.log" 2>&1 (

		REM GPU ENCODING
		echo EXECUTES: ffmpeg.exe -hwaccel qsv -vcodec h264_qsv -i "%%~di%%~pi%%~ni.ts" -max_muxing_queue_size 9999 -map 0 -vf deinterlace_qsv,scale_qsv=1280:720 -r 25 -c:v h264_qsv -preset slow -b:v 4M -minrate 0M -maxrate 8M -bufsize:v 2M -c:a copy -f matroska "%%~di%%~pi%%~ni.temp"
		ffmpeg.exe -hwaccel qsv -vcodec h264_qsv -i "%%~di%%~pi%%~ni.ts" -max_muxing_queue_size 9999 -map 0 -vf deinterlace_qsv,scale_qsv=1280:720 -r 25 -c:v h264_qsv -preset slow -b:v 4M -minrate 0M -maxrate 8M -bufsize:v 2M -c:a copy -f matroska "%%~di%%~pi%%~ni.temp"

		REM RENAME TEMP OUTPUT AND DELETE MARKER
		rename "%%~di%%~pi%%~ni.temp" "%%~ni.mkv"
		del "%%i"

		REM UPDATE PLEX
		echo EXECUTES: "C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Scanner.exe" --scan --section 10 -d "%%~di%%~pi."
		"C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Scanner.exe" --scan --section 10 -d "%%~di%%~pi."
		
	)
	
)

 

It seems to do the trick. :)

 

Share this post


Link to post
kamakamadaun

Oh god. This only works if I am logged into the computer (I use RDP) and actually have the RDP window maximized. If the task fires when I have the RDP window minimized then no dice...

I have seen tricks like setting the computer to automatically login, but you cannot have RDP if you remove the password... So I am stranded again :(

Share this post


Link to post
kamakamadaun

OK. Sorry for the many posts. Now I am pretty sure I got it.

I needed to first install a "hack" to be allowed multiple users at the same time: http://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/

 

Then setup a user to automatically logon (so like a normal user at the physical computer). Then run the task using that user that has desktop access.

 

I can then use my normal account for admin as usual.

Share this post


Link to post
This thread is quite old. Please consider starting a new thread rather than reviving this one.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...