Is there any way to set `--minws` and `--maxws` as a non-admin? - Githubissues

lowleveldesign / process-governor

This application allows you to put various limits on Windows processes.

MIT License

626 stars 62 forks source link

Is there any way to set `--minws` and `--maxws` as a non-admin? #69

Open b-a0 opened 7 months ago

b-a0 commented 7 months ago

From this comment I understand the "IFEO" system that enables the WS setting requires admin rights, but is there perhaps another way to let non-admin users configure this setting?

Context

I am looking for a way to let regular users set a memory limit on their (mostly python) processes without letting the process crash. The latter happens when users set the --maxmem or --maxjobmem option for their process. However, setting the --maxws works beautifully if a user has admin rights. Can I somehow grant rights to set WS, without making the users admin?

In case clarification is needed, this is an example of how I would like to use this functionality (currently fails with ERROR: A required privilege is not held by the client. (0x80004005) for non-admin users):

# %%
import os
from random import random

import psutil

print(os.getpid())
print(f"Memory (MB): {psutil.Process(os.getpid()).memory_info().rss / 1024**2:.2f}")

os.system(f"procgov64 --nowait --minws 10M --maxws 120M -p {os.getpid()}")

# %% Limit memory
huge = [random() for x in range(1, 1_000_000)]
result = []
for i in range(0, 100):
    print(f"{i}: Memory (MB): {psutil.Process(os.getpid()).memory_info().rss / 1024**2:.2f}")
    result.extend(huge)

lowleveldesign commented 6 months ago

Thank you for reporting this problem - it made me do some research about this setting 🙂. The old comment you referenced is not really relevant as procgov does not use IFEO to set Working Set limits. However, you are right that setting these limits requires additional privileges. Surprisingly, the required privilege is SeIncreaseBasePriorityPrivilege, normally assigned to Administrators, but not regular users. You may give it to your users through the group policies dialog:

"Updated users" need to sign off and in again, and limiting WS should work for them.

b-a0 commented 6 months ago

Amazing, works like a charm!

b-a0 commented 5 months ago

Oddly enough it has stopped working... I have added myself and the group I belong to the "Increase scheduling priority" policy, but I get the A required privilege is not held by the client. (0x80004005) error again (unless I run it as admin).

lowleveldesign commented 5 months ago

That's odd, indeed. Maybe one of the Windows updates broke this functionality. Please double check the group policy settings and also try adding the parameter --enable-privileges=SeIncreaseWorkingSetPrivilege,SeIncreaseBasePriorityPrivilege to the procgov command line. Does it change anything?

b-a0 commented 5 months ago

Thanks for the suggestion, unfortunately that does not make a difference:

PS C:\> cmd /c ver

Microsoft Windows [Version 10.0.14393]
PS C:\> procgov64 --nowait --minws 10M --maxws 24576M -p 16436
Process Governor v2.13.24103.12 - sets limits on processes
Copyright (C) 2023 Sebastian Solnica (lowleveldesign.org)

Minimum WS memory (MB):                     10
Maximum WS memory (MB):                     24,576

ERROR: A required privilege is not held by the client. (0x80004005)
PS C:\> procgov64 --minws 10M --maxws 24576M -p 16436
Process Governor v2.13.24103.12 - sets limits on processes
Copyright (C) 2023 Sebastian Solnica (lowleveldesign.org)

Minimum WS memory (MB):                     10
Maximum WS memory (MB):                     24,576

ERROR: A required privilege is not held by the client. (0x80004005)
PS C:\> procgov64 --enable-privileges=SeIncreaseWorkingSetPrivilege,SeIncreaseBasePriorityPrivilege --nowait --minws 10M --maxws 24576M -p 16436
Process Governor v2.13.24103.12 - sets limits on processes
Copyright (C) 2023 Sebastian Solnica (lowleveldesign.org)

Minimum WS memory (MB):                     10
Maximum WS memory (MB):                     24,576

ERROR: A required privilege is not held by the client. (0x80004005)

I confirm in the GUI that the policy is applied to me, but I am still looking for a way to check what policies are really applied to me to be sure.

lowleveldesign commented 5 months ago

Unfortunately, this will need to wait a bit as I have a few other things on me right now. In the meantime, you could check the token privileges in, for example, System Informer - go to process properties and then Token tab will list privileges (the one in green are enabled and active).

lowleveldesign commented 5 months ago

But I run a test and on my Windows 11 (I have all the latest updates installed), it works (so the privilege is enough, even if it's inactive in the token):

lowleveldesign commented 5 months ago

Hi, did you manage to check the token privileges? How do they look like for the non-working scenario?

b-a0 commented 5 months ago

I just tried it in the non-working scenario. Only difference I see is that I don't have the "SeIncreaseBasePriorityPrivilige" at all.

lowleveldesign commented 5 months ago

That explains why it does not work. It seems the local policy does not get propagated to your account (otherwise, you would have this privilege in the token).