Duplicati.WindowsService not running as administrator

I have updated to Duplicati - 2.1.0.2_beta_2024-11-29 on Windows 10. I have installed Duplicati.WindowsService. It is running as the Local System account. I want to back up my home directory and another user’s home directory. I run Duplicati from the tray icon. When I ‘run now’, Duplicati throws an error about not being able to access the other user’s documents directory. I could swear that this worked when I first installed it months ago but don’t know what might have changed. I have uninstalled and reinstalled, rebooted, etc., but still get the error.

Ideas?

Using what options? Without --no-hosted-service, it’s using itself, not Windows service.

One way to see what you have is About → System information. Is UserName as expected?

Detached TrayIcon

Duplicati Access Password

Any other oddities? A wrong-user accident would likely not be able to see old backup jobs.

I didn’t install it with any options AFAIK. The UserName isn’t what I expected. It is mine - the logged in user. I expected that when I started up the GUI it would be connecting to the Windows service that should have access to all users’ directories - not just mine. How do I use the Windows service?

Please see these pages:

EDIT:

The need for a GUI password is a new thing. The need for --no-hosted-server is old.

Hi,
If you have installed Duplicati as a service, you do not need to launch it from the tray icon.
If your service is up, just go to localhost:8200 and you will find your GUI.

If you launch the tray icon you are going to have 2 Duplicati instances running, one on localhost 8200 and one on 8300.
You need to kill the tray icon and let the service run alone.

@fndz’s suggestion for no tray icon at all will work and is easier.
Service starts with Windows likely as SYSTEM. Browse to it at

http://localhost:8200

If you prefer to view tray icon, use --no-hosted-server with it.
That will reduce that TrayIcon into basically just a part of the UI.

So now I’ve really screwed things up. I stopped the Windows service and ran the server with --webservice-password. It complained about needing the SETTINGS_ENCRYPTION_KEY. I set that in the shell environment before starting the webserver. That worked and I am able to log in. But when I stop that instance and try to start the Windows Duplicati service, that fails. Watching the tasks in the Task Manager, I can see that the web server is starting over and over again very quickly. I tried setting SETTINGS_ENCRYPTION_KEY for the service using regedit, but that doesn’t help. Now I can’t start the service any longer. How can I fix this?

I’m not sure those things are related. You don’t need to encrypt. You do need a password.

Try using Event Viewer to look in the Windows Application log to see why the server quits.

I’m no longer using the tray icon. I’m trying to just log in to http://localhost:8200 but that requires me to set a password. I’ve done that but now the Windows service fails to start.

Please follow advice:

The event viewer shows

2024-12-23 16:21:02 -05 - [Warning-Duplicati.Server.Program-EncryptionKeyMissing]: The database appears to be encrypted, but no key was specified. Opening the database will likely fail. Use the environment variable SETTINGS_ENCRYPTION_KEY to specify the key.

I can set the environment variable for the service using regedit, but I’m not sure that is being passed on to the Duplicati.Server. I can try again and see if the event error changes

I have the same misgivings about setting it through Control Panel. Might need a reboot.
I haven’t tested, and have not tried your registry approach. You can see environment in
Sysinternals Process Explorer Properties → Environment. Might need to start as admin.

Now the event view just keeps repeating “attempting to restart server process […]Duplicati.Server.exe”

Not much to go on when it logs nothing, and I think this version lacks Duplicati.crashlog.

A probably harder path is to test the startup in Command Prompt (Admin) or similar, like

"C:\Program Files\Duplicati 2\Duplicati.Server.exe" --server-datafolder="C:\Windows\System32\config\systemprofile\AppData\Local\Duplicati"

If it has something to write to its normal output, at least this way it will show in a terminal.

EDIT:

It’s also quite easy to mess with environment variables when launching from the terminal.

It works when I launch from a terminal (with the encryption key set in the shell environment) but fails when launched from the windows service

You could either pursue the Process Explorer environment variable test, or perhaps the lead developer will have some other idea on next checkin, which possibly won’t be until tomorrow.

If you want to live somewhat dangerously, you could rename the Duplicati-server.sqlite to see if Server will start in Service without a database. But if you lose old database somehow, without a preserved export of jobs (or similar), you might have a hard time recreating jobs (so be careful).

I’m not sure how best to encrypt Service Server database. Environment variables are too public. Using the secret provider is another new feature that I haven’t tried.

Server help also has:

--settings-encryption-key: Use this option to set the encryption key for the settings database. This option can also be set with the environment variable SETTINGS_ENCRYPTION_KEY.

if you can’t get the environment method going. I dislike this because I think event log logs it.

If issue is with some sort of mismatched encryption key, an error message would be nice…

You can get some additional logging by:

Duplicati.WindowsService.exe UNINSTALL
Duplicati.WindowsService.exe INSTALL --debug-service <other options>

This will log various events related to the service starting and stopping, which may help in pinpointing the problem further.

Once you run from the terminal with the encryption key set, the database will be encrypted. If the service does not have the environment variable, it will fail to start the service, so I am guessing this is what happens here.

If you want to decrypt the database, start again from the console, with the encryption key environment variable set, and add --disable-db-encryption=true. After the server starts, the database will be decrypted.

I recommend always having the database encrypted, but it can be helpful for testing.

made me think there was nothing on the failure. Is that right? On my Command Prompt tests yesterday, my attempted start logged lots to the terminal, and event log got busy (too busy?).

For an example, I got this in chronological order. The first is reasonable, not sure of next two:

Application: Duplicati.GUI.TrayIcon.exe
CoreCLR Version: 8.0.624.26715
.NET Version: 8.0.6
Description: The process was terminated due to an unhandled exception.
Exception Info: Duplicati.Library.Interface.UserInformationException: Server crashed on startup
...
Faulting application name: Duplicati.GUI.TrayIcon.exe, version: 2.1.0.2, time stamp: 0x66470000
Faulting module name: KERNELBASE.dll, version: 10.0.19041.5198, time stamp: 0xd1eefc71
Exception code: 0xe0434352
Fault offset: 0x000000000003b699
Faulting process id: 0x3430
Faulting application start time: 0x01db560b963957f6
Faulting application path: C:\Duplicati\duplicati-2.1.0.2_beta_2024-11-29-win-x64-gui\Duplicati.GUI.TrayIcon.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: df3e9bbc-9de7-4d57-9eee-3b4f2456ba7e
Faulting package full name: 
Faulting package-relative application ID: 
Fault bucket 1852649600498824582, type 4
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: Duplicati.GUI.TrayIcon.exe
...


Does it really need to crash after giving useful message? That seems like it could be improved.

I had tried this standalone without luck, but using the encryption key solved that. It’s in the docs, however it’s stricter than it used to be, and I guess if you lose the key then too bad, which is like situation with a backup encryption password. At least I think I see how this one can be changed.

How much does that interfere with ServerUtil use, and is creating such interference good or bad from a legitimate administrative point of view? Want to impede attackers, but still admin things…

Server authentication model spoke to a concern I had, which is whether having DB read access allowed one to get in and do things. Maybe there’s a right order, e.g. set up before locking down.
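
The thread sets SETTINGS_ENCRYPTION_KEY for the service with regedit and later notes that environment variables are "too public". The following PowerShell is an added example, not part of the thread or of Duplicati: it checks whether the variable is defined in the service's per-service `Environment` registry value and lists who is allowed to read that key. The service name `Duplicati`, the use of the `Environment` value as the regedit location, and the English account names are assumptions.

```powershell
# Added example (not from the thread). 'Duplicati' as the service name is an
# assumption; confirm it with: Get-Service *duplicati*
param([string]$ServiceName = 'Duplicati')

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path -Path $keyPath)) { throw "No service key at $keyPath" }

# 1. Per-service variables are expected in a REG_MULTI_SZ value named
#    'Environment', one NAME=value string per entry.
$key = Get-Item -Path $keyPath
if ($key.GetValueNames() -contains 'Environment') {
    $kind  = $key.GetValueKind('Environment')
    $names = @($key.GetValue('Environment')) |
        ForEach-Object { ([string]$_ -split '=', 2)[0] }   # names only, never values
    "Environment value kind : $kind"
    "Variables defined      : $($names -join ', ')"
    if ($kind -ne 'MultiString') {
        Write-Warning 'Environment is not REG_MULTI_SZ.'
    }
    if ($names -notcontains 'SETTINGS_ENCRYPTION_KEY') {
        Write-Warning 'SETTINGS_ENCRYPTION_KEY is not defined for this service.'
    }
} else {
    Write-Warning "No 'Environment' value under $keyPath."
}

# 2. Any identity with read access to this key can read a secret stored in it.
#    Account names below are the English ones (assumption); rows with
#    Review = True are identities outside that short list.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, RegistryRights, IsInherited,
        @{ Name = 'Review'
           Expression = { $trusted -notcontains $_.IdentityReference.Value } } |
    Format-Table -AutoSize | Out-String

# 3. Account and state of the service itself.
Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, State, StartName, PathName |
    Format-List | Out-String
```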