8

I have a windows service project implementation that I am trying to install as network service.

process = new ServiceProcessInstaller();
process.Account = ServiceAccount.NetworkService;

however whenever I try to start the service I get :

System error 5 has occurred.

Access is denied.

This comes after running the net start MyService command in the visual studio command prompt which is running as administrator by the way.

Any help on how to get this to work? Thanks.

Saher Ahwal
  • 9,015
  • 32
  • 84
  • 152
  • Check the installation path, make sure that the [NetworkService user account](http://msdn.microsoft.com/en-us/library/windows/desktop/ms684272%28v=vs.85%29.aspx) has all the privileges required by your service and that the folder has permissions for execution for NS user. Try putting a `Debug.Break` on the first line of the Windows Service `OnStart` method. Is it being hit? – oleksii Aug 15 '12 at 22:40
  • no, the main method is not even being hit – Saher Ahwal Aug 15 '12 at 22:44
  • Did you add permissions for NS user in that folder? Does it have "ticks" for Allow Execution? – oleksii Aug 15 '12 at 22:48
  • @oleksii: I am just new to this windows service stuff so I am not sure I understand what you are talking about – Saher Ahwal Aug 15 '12 at 23:48
  • @oleksii: do you want to add an answer? – Saher Ahwal Aug 15 '12 at 23:48

3 Answers3

28

I would check that the Network Service account has permissions to execute. Steps to check:

  1. In Windows explorer go to the folder containing the binaries of the service
  2. Right-click on the folder > Properties > Security tab > Edit button
  3. Add > "NETWORK SERVICE" > OK
  4. Give it full control (just to test and then reduce permissions till it working)

screenshot

oleksii
  • 35,458
  • 16
  • 93
  • 163
  • 1
    In My case above steps are not working. I have given the full rights to the Network service account and when I start service got error message "Some services stop automatically if they are not in use by other services or programs." – user2323308 Jul 19 '13 at 12:27
  • @user2323308 that's your inner exception. Not the absence of rights of Network Service. – AgentFire Jul 11 '15 at 14:32
  • Is there a way to do this from the CLI? – kkirsche Nov 12 '17 at 01:53
  • @kkirsche I believe there is a way. See this article: https://www.techrepublic.com/article/use-caclsexe-to-view-and-manage-windows-acls/. If you figure it out, could you please update my answer with the details of the command and parameters? Thanks. – oleksii Nov 12 '17 at 22:46
1

Your Net Start MyService is probably not running with escalated privileges. Your command requires (I believe) Administrative Privileges.

Update

Not sure why, but your privileges on your service are weird. By default privileges of services should look like:

D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

ACE Type: ACCESS_ALLOWED_ACE_TYPE
Trustee: NT AUTHORITY\SYSTEM
AccessMask:
  ADS_RIGHT_DELETE
  ADS_RIGHT_READ_CONTROL
  ADS_RIGHT_WRITE_DAC
  ADS_RIGHT_WRITE_OWNER
  ADS_RIGHT_DS_CREATE_CHILD
  ADS_RIGHT_DS_DELETE_CHILD
  ADS_RIGHT_ACTRL_DS_LIST
  ADS_RIGHT_DS_SELF
  ADS_RIGHT_DS_READ_PROP
  ADS_RIGHT_DS_WRITE_PROP
  ADS_RIGHT_DS_DELETE_TREE
  ADS_RIGHT_DS_LIST_OBJECT
  ADS_RIGHT_DS_CONTROL_ACCESS

However your's looks like:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)

ACE Type: ACCESS_ALLOWED_ACE_TYPE
Trustee: NT AUTHORITY\SYSTEM
AccessMask:
  ADS_RIGHT_READ_CONTROL
  ADS_RIGHT_DS_CREATE_CHILD
  ADS_RIGHT_ACTRL_DS_LIST
  ADS_RIGHT_DS_SELF
  ADS_RIGHT_DS_READ_PROP
  ADS_RIGHT_DS_WRITE_PROP
  ADS_RIGHT_DS_DELETE_TREE
  ADS_RIGHT_DS_LIST_OBJECT
  ADS_RIGHT_DS_CONTROL_ACCESS

I'm not sure exactly how that came to be. Try uninstalling and reinstalling?

You can download SddlParse (google it :) to parse out the Security Descriptor Definition Language.

Erik Philips
  • 53,428
  • 11
  • 128
  • 150
  • but i mention that visual studio cmd is running in admin mode – Saher Ahwal Aug 15 '12 at 22:15
  • You've changed the shortcut to `Run As Aministrator`? Also in the VS Command prompt type `sc sdshow MyService` and update your question with it's response. – Erik Philips Aug 15 '12 at 22:19
  • running this sc command I get the following: `D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)` – Saher Ahwal Aug 15 '12 at 22:32
  • I get this from regular cmd prompt run in admin mode: `D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)` – Saher Ahwal Aug 15 '12 at 23:44
-1

The "Access denied" message applies to the user trying to start the service, not the account in which the service is run.

Can you start the service from:

  1. the Services Control Panel applet?
  2. an elevated command prompt you started yourself (not from Visual Studio)?
CoreTech
  • 2,345
  • 2
  • 17
  • 24
  • then how can I run the service fine in LocalSystem mode? – Saher Ahwal Aug 15 '12 at 23:38
  • I also get access denied from the cmd prompt started by me – Saher Ahwal Aug 15 '12 at 23:44
  • How about from the Services applet? Not sure what you mean by "LocalSystem mode". You can have the service run in the LocalSystem account by selecting the top radio-button: http://www.coretechnologies.com/WindowsServices/services-control-panel-log-on-tab.jpg – CoreTech Aug 16 '12 at 04:02