ACCESS DENIED problem in Win2003 With Service App.

Posted on 2004-09-02
Medium Priority
Last Modified: 2010-04-05
I have a Service application which loads a Desktop app. (.EXE) which in turn loads a COM module (.DLL).  The Service app is set to log on as "Local System Account" and "Allow Service to Interact With Desktop" is checked.

In Windows 2000 this all works without any problems at all.  In Windows 2003 I get an "Access Denied" exeption when the COM module is loaded.

What do I have to do to make Win2003 accept this COM module?  I've authorized SYSTEM, SERVICE and LOCAL SERVICE, among others in the directory paths -- but no success so far.  What authorization is needed?  And where?
Question by:mfiring
  • 5
  • 4
LVL 13

Expert Comment

ID: 11968906
this seems to be a problem in .NET... unless you run with administrator privileges

see this:
Starting from a working system, I set the Archive flag off for the DLL for
which access was denied before.
I try to re-run the application : Access Denied.
I reset the Archive flag and re-run the application : Access Denied
I modify the dll phyiscally (with HEX editor, change a byte, change it back and save) and re-run the application : working again.

LVL 14

Expert Comment

by:Pierre Cornelius
ID: 12010881
I had the same problem, but on a Win XP Pro system with Simple File Sharing off and a NTFS File system. The DNS Client service wouldn't start at all. I kept getting the same error as you "Error 5 : Access Denied". Changing from log on using NETWORK_SERVICE to "Local System Account" solved my problem. I later found out that the NETWORK_SERVICE Account did not have any permissions for the svchost.exe which loads the DNS Client service.

My suggestions:
Ensure that the account you are trying to "log on as" has full access to the calling app (refer "path to executable"). i.e. svchost in my case/example above.

If the calling app and/or the DLL being loaded needs access to any of the registry keys, ensure that the calling app (via your "log on as" account) has access to them too. i.e. Run regedit; Go to the relevant key; Click View; Click Edit permissions.

In conclusion:
The service app or DLL you are loading is probably trying to read/write to/from a file/folder or possibly the registry for which it (your "Log on as" account) does not have sufficient permissions set. Find it.

Hope this helps.


Author Comment

ID: 12011430
Thanks, PierreC.  It's the right track, but probably not the complete answer.

Apparently I'm forced to use "login as Local Account" because I need access to the Desktop.  If I log in as "Administrator", for example, the desktop programs' window handles are invisible to me since the services run in a separate desktop.  I need to check the  "Allow Service to Interact With Desktop" box -- and that's not available when you log on as a normal account.

So the question seems to be: What are the permissions available to "Login as Local Account" -- i.e., WHAT IS the "Local Account"?  I've enabled a variety of things such as SYSTEM, SERVICE, LOCAL SERVICE -- but none work.  It seems one has to find out what the "Local Account" is, what its permissions are, and if necessary how to modify them.  None of this is documented anywhere I have found so far.

Still searching.
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 14

Expert Comment

by:Pierre Cornelius
ID: 12014985
Local Account is the one currently active if I'm not mistaken. I.e if I logged in with Username PierreC, then that would be the local account referred to.

Author Comment

ID: 12016489
I kind of suspected that.  At least it gives me access to the running programs on the desktop.  But it does deepen the mystery of why I get the ACCESS DENIED exception, since I log in as Administrator to the desktop.  I can monitor and restart programs that don't use COM objects, but the ones that do cause the exception.
LVL 14

Expert Comment

by:Pierre Cornelius
ID: 12016794
Have a look at your COM application and DCom Config permissions under component services.

Click Start; Run; Type mmc <ENTER>
Click File Add/Remove Snap-in
Click Add
Select Component Services; Click Add; Click Close
Click OK
Go to your relevant object; Right click and click on properties

There is probably a lot to look at, so good luck


Author Comment

ID: 12018620
PierreC -- again thanks.
I went to Component Services as you suggested -- it was new to me.  After reading the help file I tried several experiments.  First I added "everyone" to the global permissions for COM objects, thinking if that didn't do it nothing else would.  That didn't fix it.  Then, I added "everyone" to the .DLL's permissions and enabled "Full Control".  That didn't work either.  Of course I didn't restart the server after each change -- which Bill likes us to do.  (The server is busy serving, so I'm loathe to shut it down.)

I've found that the Web Edition of Win 2003, which I'm using, seems to have some defects relating to active directory.  For example, the POP server won't accept more than one account.  Maybe this Access Denied problem results from another of Microsoft's crippled and undocumented features in this version -- of which there are many.

It's odd that the problem-application discussed, above, a) works fine with windows 2000, and b) the program starts and loads the COM module without problems when started from the desktop, but not when started by a service, and c) It works on Win2003 for apps that don't load a COM module.  
LVL 14

Accepted Solution

Pierre Cornelius earned 2000 total points
ID: 12021298
Just thought of this:

The services are started with svchost.exe, right?

Do you have sufficient permissions to run svchost.exe? (Found in \SystemRoot\System32\ i think e.g. c:\Winnt\system32)


Author Comment

ID: 12022220
Apparently so.  The service runs just fine and is capable of starting/re-starting programs that do not have COM.  Also, the desktop is running as Administrator.

Author Comment

ID: 13346045
Thanks to all who responded. PierreC helped the most.

This problem, in common with many others in the Windows environment had to do with miserable documentation as much as anything else.  The problem was eventually solved by some kind of permission being granted, but I tried so many things that I can't say I remember the exact fix.  It took a long time.  The real solution will probably be to use Linux next time around.

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Have you ever had your Delphi form/application just hanging while waiting for data to load? This is the article to read if you want to learn some things about adding threads for data loading in the background. First, I'll setup a general applica…
Introduction I have seen many questions in this Delphi topic area where queries in threads are needed or suggested. I know bumped into a similar need. This article will address some of the concepts when dealing with a multithreaded delphi database…
Integration Management Part 2
Is your OST file inaccessible, Need to transfer OST file from one computer to another? Want to convert OST file to PST? If the answer to any of the above question is yes, then look no further. With the help of Stellar OST to PST Converter, you can e…
Suggested Courses

616 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question