Microsoft KB Archive/170915

= INFO: Incorrect Configuration Can Orphan COM Servers =

Article ID: 170915

Article Last Modified on 2/9/2006

-

APPLIES TO


 * Microsoft OLE 4.0, when used with:
 * Microsoft Platform Software Development Kit-January 2000 Edition

-



This article was previously published under Q170915



SUMMARY
If the launch and access permissions of a secure COM server are configured incorrectly, a situation might arise where the COM server is launched, but it is never shut down. This happens when a client's user account is allowed launch permissions to the server but not access permissions. Because no valid client/server connection is ever established, the automatic garbage collection mechanism built into COM is not implemented in this case and the server may be left running forever.



MORE INFORMATION
Consider the case where a client's account is in the launch permissions list of a COM server, but it is missing from the access permissions list. If an authenticated COM session is to be established between the client and the server, COM needs to check both launch and access security. Since the client has launch permissions, COM launches the server. The server calls CoRegisterClassObject to register its classes. COM then tries to call the server while impersonating the client. The call is never dispatched into the server code due to the initial security check failing. No interfaces are marshaled and an Access Denied error is returned to the client. Since no objects are created or properly marshaled, no garbage collection is subsequently performed. This may result in the COM server process being orphaned.

The server process and associated COM class objects will be orphaned if:


 * 1) It is a single-use server (registered with REGCLS_SINGLEUSE). -or-


 * 1) It is configured to run as the launching user. -or-


 * 1) In other cases (non-single-use, non-run-as-launching-user), if no user with access permission subsequently tries to activate the server and then shuts it down properly when done.

Correctly configuring the COM server is the solution to this problem. Clients that are allowed launch permissions on a server (AppID) must also be given call permissions.

NOTE: The opposite is not true. That is, it is completely reasonable to have clients with access permissions (can call a running server) but no launch permissions (can't start a non-running server). Indeed, it is precisely for this scenario that COM separates the two ACLs.

