Emby running as a Windows service can't access TV tuners.

[steets 1]

(This was originally posted on r/emby. I searched the forum before posting and made sure nobody had asked this question before.)

Hi there!

I've been using Emby for years now, and I just recently performed a home security audit. When I finally got to the media PC, I realized that I should probably be running Emby Server as a Windows Service instead of an always-logged-on Administrator account on a domain-joined server computer.

I successfully ported everything over and got it working with NSSM, but I realized that in the service context, Emby is unable to access my TV tuner card. If I start the program manually as a desktop application it works perfectly fine, but when started automatically by Windows, or manually through services.msc, it simply can't detect the PCIe tuner card. I'm not sure if this is more of an Emby issue or a Windows one (Windows may very well just deny access to PCIe devices for applications logged on as services, I'm not sure), but I figured I'd ask here first. I have tons of experience with Windows, especially domain administration and server management, but I've never really ventured into this area before. I was hoping that somebody here might've come across this problem before, so if you have any advice or recommendations, please let me know - Any feedback is greatly appreciated!

Thanks!

[pwhodges 2014]

What card is it, and what kind of output does it offer?  My Emby, running as a service under LocalSystem, can take live TV from a network tuner HDHomeRun, or from a Hauppauge card.  But the Hauppauge card requires the WinTV driver to be running.

Paul

[steets 1]

Thanks for the reply! It's a Hauppauge WinTV-quadHD, running under a dedicated local account on the machine. I'm not sure what you mean in terms of output — Emby usually just pulls hte feeds from it perfectly fine, although I have the same caveat as you, that the WinTV driver needs to be runing. The local account can access the streams normally, but when I attempt to run the server application as a service under the same account, Emby can't seem to detect the cards at all.

[pwhodges 2014]

Well, it's midnight here now, but I can try the Hauppauge again tomorrow (I don't have it in service right now, but it's in the machine still), and see if there's anything odd I must have done previously.

You say you've tried with the service using "the same [local] account", which I presume is a login.  Have you tried the built-in "LocalSystem" account, which is what I'm using?

Paul

[steets 1]

I haven't tried the local system account yet because my Emby Server connects to a NAS. Basically, the only way to have it store the credentials for the storage device without making the share accessible to everybody on the network is to use the Windows credential store, which is not available for the NT AUTHORITY\SYSTEM account. I'll try the SYSTEM account on my end too, thanks for helping me out!

[steets 1]

For anybody looking at this thread in the future, the way I eventually solved this was to give Emby its own (non-managed) service account that I just denied graphical logon privileges to prevent security holes. I then used CMDKEY to access the Windows Credential Manager for that particular account, and gave it the username and password it needed to access the network server.

[rbjtech 5285]

This is good practice to do this anyway - you may be able to get away with using a non-admin account as well and just grant it specific permissions as you have done so.