Cannot Start Windows Service in NetworkService account

Asked 15/8, 2012 at 22:9 Answered 16/8, 2012 at 8:44

Solved c#.net windows-services network-service

I have a windows service project implementation that I am trying to install as network service.

process = new ServiceProcessInstaller();
process.Account = ServiceAccount.NetworkService;

however whenever I try to start the service I get :

System error 5 has occurred.

Access is denied.

This comes after running the net start MyService command in the visual studio command prompt which is running as administrator by the way.

Any help on how to get this to work? Thanks.

Neill answered 15/8, 2012 at 22:9 Comment(5)

Check the installation path, make sure that the NetworkService user account has all the privileges required by your service and that the folder has permissions for execution for NS user. Try putting a Debug.Break on the first line of the Windows Service OnStart method. Is it being hit? – Indecent 15/8, 2012 at 22:40

no, the main method is not even being hit – Neill 15/8, 2012 at 22:44

Did you add permissions for NS user in that folder? Does it have "ticks" for Allow Execution? – Indecent 15/8, 2012 at 22:48

@oleksii: I am just new to this windows service stuff so I am not sure I understand what you are talking about – Neill 15/8, 2012 at 23:48

@oleksii: do you want to add an answer? – Neill 15/8, 2012 at 23:48

I would check that the Network Service account has permissions to execute. Steps to check:

In Windows explorer go to the folder containing the binaries of the service
Right-click on the folder > Properties > Security tab > Edit button
Add > "NETWORK SERVICE" > OK
Give it full control (just to test and then reduce permissions till it working)

screenshot

Indecent answered 16/8, 2012 at 8:44 Comment(4)

In My case above steps are not working. I have given the full rights to the Network service account and when I start service got error message "Some services stop automatically if they are not in use by other services or programs." – Milurd 19/7, 2013 at 12:27

@Milurd that's your inner exception. Not the absence of rights of Network Service. – Greenlee 11/7, 2015 at 14:32

Is there a way to do this from the CLI? – Examination 12/11, 2017 at 1:53

@Examination I believe there is a way. See this article: techrepublic.com/article/…. If you figure it out, could you please update my answer with the details of the command and parameters? Thanks. – Indecent 12/11, 2017 at 22:46

Your Net Start MyService is probably not running with escalated privileges. Your command requires (I believe) Administrative Privileges.

Update

Not sure why, but your privileges on your service are weird. By default privileges of services should look like:

D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

ACE Type: ACCESS_ALLOWED_ACE_TYPE
Trustee: NT AUTHORITY\SYSTEM
AccessMask:
  ADS_RIGHT_DELETE
  ADS_RIGHT_READ_CONTROL
  ADS_RIGHT_WRITE_DAC
  ADS_RIGHT_WRITE_OWNER
  ADS_RIGHT_DS_CREATE_CHILD
  ADS_RIGHT_DS_DELETE_CHILD
  ADS_RIGHT_ACTRL_DS_LIST
  ADS_RIGHT_DS_SELF
  ADS_RIGHT_DS_READ_PROP
  ADS_RIGHT_DS_WRITE_PROP
  ADS_RIGHT_DS_DELETE_TREE
  ADS_RIGHT_DS_LIST_OBJECT
  ADS_RIGHT_DS_CONTROL_ACCESS

However your's looks like:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)

ACE Type: ACCESS_ALLOWED_ACE_TYPE
Trustee: NT AUTHORITY\SYSTEM
AccessMask:
  ADS_RIGHT_READ_CONTROL
  ADS_RIGHT_DS_CREATE_CHILD
  ADS_RIGHT_ACTRL_DS_LIST
  ADS_RIGHT_DS_SELF
  ADS_RIGHT_DS_READ_PROP
  ADS_RIGHT_DS_WRITE_PROP
  ADS_RIGHT_DS_DELETE_TREE
  ADS_RIGHT_DS_LIST_OBJECT
  ADS_RIGHT_DS_CONTROL_ACCESS

I'm not sure exactly how that came to be. Try uninstalling and reinstalling?

You can download SddlParse (google it :) to parse out the Security Descriptor Definition Language.

Ozenfant answered 15/8, 2012 at 22:14 Comment(4)

but i mention that visual studio cmd is running in admin mode – Neill 15/8, 2012 at 22:15

You've changed the shortcut to Run As Aministrator? Also in the VS Command prompt type sc sdshow MyService and update your question with it's response. – Ozenfant 15/8, 2012 at 22:19

running this sc command I get the following:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

– Neill 15/8, 2012 at 22:32

I get this from regular cmd prompt run in admin mode:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

– Neill 15/8, 2012 at 23:44

-1

The "Access denied" message applies to the user trying to start the service, not the account in which the service is run.

Can you start the service from:

the Services Control Panel applet?
an elevated command prompt you started yourself (not from Visual Studio)?

Trovillion answered 15/8, 2012 at 23:29 Comment(3)

then how can I run the service fine in LocalSystem mode? – Neill 15/8, 2012 at 23:38

I also get access denied from the cmd prompt started by me – Neill 15/8, 2012 at 23:44

How about from the Services applet? Not sure what you mean by "LocalSystem mode". You can have the service run in the LocalSystem account by selecting the top radio-button: coretechnologies.com/WindowsServices/… – Trovillion 16/8, 2012 at 4:2

Recommended topics

Hot tags