Home / server / Questions / 646976
In Process
Schneider
Asked: 2014-11-26 08:29:09 +0800 CST

"Access is denied" when trying to start service even when running Administrator/elevated

  • 772

I'm using sc start "MyService" from an elevated "Administrator: Command Prompt" but am getting the following error:

[SC] StartService FAILED 5:

Access is denied.

For completeness, the error when you try to run it from the GUI (services.msc) is:

Error 5: Access is denied

As it's a .NET service, it was installed using InstallUtil.exe (run as Administrator). The service is configured to run as NETWORK SERVICE but I have also tried it with LOCAL SERVICE.

windows-service

2 Answers

  1. This was due to the fact by default neither the NETWORK SERVICE or LOCAL SERVICE have permissions to read from the directory where my service executable resides. I needed to grant them read privileges on the folder (at the very least).

    • 2

  2. I came across this exact problem, but was dismayed not to find a clear set of instructions in the answers for fixing it, so here are mine:

    Quick and dirty

    The simplest solution is to simply ensure that the application you are installing a service for (in my concrete example, Tor) is located somewhere NT AUTHORITY\LOCAL SERVICE is allowed to read -- an example being C:\Tor\ -- before running the commands.

    Personally I despise solutions like these.

    Cleaner, more educational, and more tedious

    I put Tor in $env:UserProfile\AppData\Local\Programs, myself so here is what I did on Windows 10 using an elevated PowerShell terminal:

    PS C:\Users\User\AppData\Local\Programs>$fsar = New-Object 
System.Security.AccessControl.FileSystemAccessRule(`
>> "NT AUTHORITY\LOCAL SERVICE",`
>> "ReadAndExecute",`
>> "ContainerInherit,ObjectInherit",`
>> "InheritOnly",`
>> "Allow")

    This creates a FileSystemAccessRule (which I refer to as $fsar in the code) that allows the IdentityReference of "NT AUTHORITY\LOCAL SERVICE" to read and execute (and synchronize, a side-effect of that) any file/folder the rule is applied to and its children through the inheritance flags "ContainerInherit,ObjectInherit" in combination with the PropagationFlag "InheritOnly". "Allow" sets the rule to allow (any denial applied would override it, but this is unlikely to come up).

    Now we want to apply this access rule to the folder we installed Tor in. The first step gets an existing ACL (so we don't mess up whatever was there in the first place) using Get-Acl. The second step simply adds that access rule to the object we stored in a variable. The third step feeds the access control list we modified into the command Set-Acl which we also supply with the path for our Tor-containing-folder.

    PS C:\Users\User\AppData\Local\Programs>$torFolderAcl = Get-Acl .\MyTorFolder
PS C:\Users\User\AppData\Local\Programs>$torFolderAcl.AddAccessRule($fsar)
PS C:\Users\User\AppData\Local\Programs>$torFolderAcl | Set-Acl .\MyTorFolder

    You should be able to navigate to where in the folder structure your tor.exe file is, and execute the command after this.

    Tor-only-stuff

    For those not in the know, there is a shortcut built in that lets you do this without using sc directly or any other service application.

    If you want to store the torrc file somewhere specific and have the service use it, you can use this to install the service:

    PS C:\Users\User\AppData\Local\Programs\MyTorFolder>.\tor.exe --service install -options -f $pathToTorrc

    If you, like myself, was expecting the above to work without any problems before you realized there were tedious access control issues, then you probably just want to run this:

    PS C:\Users\User\AppData\Local\Programs\MyTorFolder>.\tor.exe --service start

    I hope at least one or two people will draw some benefit from this additional answer. If not, I'm sure I'll be back here in a year or two and use it myself when I inevitably forget how I did this the first time around...

    • 1