User Mode VS Service Mode

Hi @codemonkee & @LeftBrainCo!
Let me try to explain how User Mode & Service Mode are different:

  • User Mode - All the Robot’s components(Service, Executor, Tray) live on the user’s session and run with current user’s permissions. Also, the Service is not started automatically. It’s started whenever you first open the Tray and it’s using the same authorization as the Tray. When you click to start a process, the Tray goes to the Service and the Service spawns an Executor (with the same permissions as the Service) and instructs it to execute the process. So, as you see: the Executor will run with the same permissions as the Tray. I think that’s why you (@codemonkee) could access resources that require elevation. The bad part about the User Mode is that it cannot create User Sessions (cannot log in) thus it can’t really be used in unattended. You have to be logged in on that Machine before being able to start a process from Orchestrator.

  • Service Mode - For this setup, the Robot Service is running as a Windows Service in Session 0 under the Local System user. It always runs and it always keeps the connection with Orchestrator open. Whenever Orchestrator says a process needs to run, the Service creates a new Windows Session for the User (set up in Orchestrator’s Robot) and in that Session, it spawns the Executor with normal user rights. From unattended we don’t and we’ll never support running processes with elevated rights. It’s too big of a security risk. If Orchestrator gets compromised, it means the attacker would also have admin access to all the machines connected to it.

@codemonkee, for your problem I don’t have an out of the box solution. But there may be others that managed to find a solution for it.

16 Likes