When I try to start a service I created in Visual Studio I receive the following error:
System error 5 has occurred. Access is denied. I am running the command line with elevated privileges, so it's not that problem. Is there any place I can look to see what error is occuring.
To get it to work I needed to add permissions to the output bin\debug folder for my service project.
The Local Service account didn't have permissions to the output .exe file, and this was why the error was occuring.
Had the same issue.
Fixed by running the service under "Local System Account"
In my case the solution was even that simple: Run Command Prompt as administrator.
I see you've fixed the problem; but in reality, you shouldn't normally be running the service from a project's bin folder anyway - the files should be put somewhere project and profile independent (for example, under program files). For debugging purposes (when it will be in the bin folder), you can detect whether it is a service in Main(), and if it is being run interactively just run the service code directly, rather than the usual service-start setup.
You can detect either by adding a command line argument, or you can try checking Environment.UserInteractive.
The Local Services account doesn't seem to be privileged to control a service. So, in the service's LogOn Property, change the account type to Local System and allow service to interact with desktop.
Also, make sure that, you install the service using instalutil, as an administrator.
Lastly, when you want to run a service from the command prompt using the "net start [service name]" command, you have to run the command prompt as an administrator.
Do not simply start the service under a different username or admin. (Unless your service actually requires admin privileges of course!) This is a security hole and creates a bad user experience.
The actual issue is that the service hasn't been assigned any permissions in the first place.
However, it must be noted that Microsoft didn't exactly make Service permissions easy to change - they are similar to regular file permissions but unfortunately cannot be altered with a simple right click. They can however be altered on the command line.
Read via:
sc.exe sdshow <service name> And written via:
sc.exe sdset <service name> <permissions> <service name> is your service name.<permissions> is the permissions in SDDL format.So use sdshow to get the permissions, then sdset to update them with your requirement(s).
SDDL itself is a cacophony of seemingly random letters beyond the scope of this post. But, in short, adding the descriptor (A;;RPWP;;;WD) would allow (A) everyone (WD) to start (RP) and stop (WP) the named service.
I had the same problem because my project and its source code was in a folder that had NTFS's Encrypting File System (EFS) enabled. This caused by compiled assemblies being encrypted aswell and the user running my service didn't have permissions to decrypt them. Removing EFS was the easy solution for this. It can be done by command line using CIPHER.EXE, which is a Windows tool.
Run it from Task Scheduler with highest privileges and it will work.
I had the same problem when I migrated a service from vs05 to vs2010, from framework 2.0 till framework 4.0 at the same time. I got Access denied. As soon as a change back to framework 2.0 it worked again. The ?%¤#%&%& problem was that the initializing string for the service was incorrect (?!). The string expected quotes at the beginning and at the end!
Before....path + service name" "/parameter=1 ' this had worked with framework 2.0
After...."path + service name" "/parameter=1"
Access Denied has nothing to do with the problem. Why not "Path not found " or "missing parameter"
A user account with administrator rights will prompt “are you sure?” in situations where the administrator account is not prompted. I had this problem with net stop netprofm.
To remove the prompt do this.
Control Panel, User Accounts, Change User Account Control settings, never notify
This seems to provide the user account with admin rights the same behavior as a the administrator account.
Just ran into this issue after I had run an 'sc config' to change binPath of the service.
The only fix that worked for me was to 'sc delete' the service and install again.
Things worked perfectly after that.
I got similar problem with Jenkins-service: I was able to safe-shutdown Jenkins service via Jenkins cli-interface (while Jenkins was running), but was not able to start it again from command-line afterwards. The joke is: it doesn't work even with same user-account as configured for Jenkins-service to be used for automatic service startup on Windows start. Even more: when I was logging-in as administrator account - I was able to start/stop Jenkins-service via Services tab of Task-Manager, but was not able to do same from command-line without running it "As administrator". On other hand I don't like to add the user, who should start Jenkins, to administrators group. Also, in my case I can't ask user to accept the UAC message because my tasks are running as automation-scripts and should not make any user-interaction.
I was trying different possible solutions for long time (e.g. Scheduler with highest access rights, different commands/interfaces like usage of PowerShell, net, sc, jenkins.exe, cli interface of Jenkins, java, etc.), but nothing helps until I found a quite new article from Microsoft:
I've used the way with "Security Templates" described there. It has allowed me to add for concrete user the required rights to start & stop concrete service. Then it was possible to start/stop Jenkins from this user-account from command line without need to add user to administrators neither to run the terminal as administrator.
Additional hints regarding steps described in the article named above:
When "opening" a database - it means actually "create a new" database (it will be used as temporary storage). Correspondingly select your suitable name for the database-file and just click on "Open".
When you will be asked to import existing security template -> usually you can find them at following location:
%SystemRoot%\Security\Templates
Check the subfolder "policies" there.
Note: the imported template will be used as a "base" by storing of current PC configuration (during analysis phase) and later (when applying your changed back to PC) - will be also applied. Correspondingly - don't select template with many defined rules (if don't like to get them applied to your PC). If you don't have suitable template - you might need to create own simple template (and import it later by steps described in the article). See the description of how to create own template here:
