c# Windows Service working in Debug mode, but exception in SCM

[carrolls]

I have written a C# Windows service and have added Microsoft.Web.Services3 as a reference.
I need this to obtain a certificate from the certificate store. I.e.

X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.MaxAllowed);
X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindByThumbprint, subject, false);
try
{
cert = col[0];
}
catch (Exception e)
{

throw new Exception("Cert not found");
}

This code works fine when I run the service in debug mode, but when I add it to the Service Control Manager and start the service, it throws an exception on the Find(X509FindType.FindByThumbprint, subject, false) line.
My question is why does it pass in debug mode while failing as a service?
What is significant about the Find(X509FindType.FindByThumbprint, subject, false) that would throw an exception? Obviously it cannot find the cert but why?

[Arjay]

How are you debugging the service?

Probably you are running under two different accounts: one under debug mode (your user account) and a different account when running under the SCM.

To help when running under the SCM, you can use the services built-in eventlog functionality to write to the event log.

[carrolls]

Hi Arjay,
thanks for that, but how can you tell which account the SCM is running under?
And maybe I need to change
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
to
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine); for the SCM.
Would that make sense?

No, I have just tried, It does not work.

[torrud]

And maybe I need to change
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
to
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine); for the SCM.
Would that make sense?

Well, this change causes a different behavior. Keep in mind on a windows system you have different stores. Each user have one and each service as well because services will be executed in a user context. Additional there is a store for the whole machine where all users can accessing. But it is not possible that your service can have access to your private user store.
So there are two solutions. You can put all certificates to the LocalMachine store which is not really good because anyone can access the certificates. Or your service has its own store and handles all certificate actions on your computer. Its a question of your requirements which solution you should use.

For what is the service designed for?

[Arjay]

To find out which account the service is running, just look under the Logon tab inside the services control panel applet.

[carrolls]

I have given the service the Username and password for the current user
and now the service seems to work.

But this will mean that other users who log onto the machine won't be able to use the service.
Anyway, thanks for the help.

[Arjay]

But this will mean that other users who log onto the machine won't be able to use the service.

Why not? How do the users interact with the service?

[carrolls]

Simply because this code block within the service will not be able to find a certificate if the correct user for the service is not logged on.

X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.MaxAllowed);
X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindByThumbprint, subject, false);
try
{
cert = col[0];
}
catch (Exception e)
{

throw new Exception("Cert not found");
}


If I go into the SCM and change the Service account to the user currently logged in to the machine, it works.

[Arjay]

Pass in the user credential data when the user interacts with the service.