ACCESS DENIED problem in Win2003 With Service App.

Posted on 2004-09-02
Last Modified: 2010-04-05
I have a Service application which loads a Desktop app. (.EXE) which in turn loads a COM module (.DLL).  The Service app is set to log on as "Local System Account" and "Allow Service to Interact With Desktop" is checked.

In Windows 2000 this all works without any problems at all.  In Windows 2003 I get an "Access Denied" exception when the COM module is loaded.

What do I have to do to make Win2003 accept this COM module?  I've authorized SYSTEM, SERVICE and LOCAL SERVICE, among others in the directory paths -- but no success so far.  What authorization is needed?  And where?
Question by:mfiring
LVL 13

Expert Comment

ID: 11968906
this seems to be a problem in .NET... unless you run with administrator privileges

see this:
Starting from a working system, I set the Archive flag off for the DLL for which access was denied before.
I try to re-run the application : Access Denied.
I reset the Archive flag and re-run the application : Access Denied
I modify the dll physically (with HEX editor, change a byte, change it back and save) and re-run the application : working again.
LVL 14

Expert Comment

by:Pierre Cornelius
ID: 12010881
I had the same problem, but on a Win XP Pro system with Simple File Sharing off and an NTFS file system. The DNS Client service wouldn't start at all. I kept getting the same error as you, "Error 5 : Access Denied". Changing from log on using NETWORK_SERVICE to "Local System Account" solved my problem. I later found out that the NETWORK_SERVICE account did not have any permissions for the svchost.exe which loads the DNS Client service.

My suggestions:
Ensure that the account you are trying to "log on as" has full access to the calling app (refer "path to executable"). i.e. svchost in my case/example above.

If the calling app and/or the DLL being loaded needs access to any of the registry keys, ensure that the calling app (via your "log on as" account) has access to them too. i.e. Run regedit; Go to the relevant key; Click View; Click Edit permissions.

In conclusion:
The service app or DLL you are loading is probably trying to read/write to/from a file/folder or possibly the registry for which it (your "Log on as" account) does not have sufficient permissions set. Find it.

Hope this helps.
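
One way to run the checks suggested in this answer from a console, as an added example that is not part of the original thread: it lists the ACL entries on the service's executable, on a COM class's `InprocServer32` registry key and on the DLL registered there, so they can be compared with the account the service logs on as. It assumes PowerShell 3.0 or later; the service name and CLSID are placeholders to replace with your own.

```powershell
# Added example. $ServiceName and $Clsid are placeholders, not values from the thread.
param(
    [string]$ServiceName = 'MyService',
    [string]$Clsid       = '{00000000-0000-0000-0000-000000000000}'
)

function Get-AclSummary {
    param([string]$Path)
    # Get-Acl accepts both file system paths and registry provider paths.
    (Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        # File rules expose FileSystemRights, registry rules expose RegistryRights.
        $rights = if ($_.PSObject.Properties['FileSystemRights']) { $_.FileSystemRights } else { $_.RegistryRights }
        New-Object PSObject -Property @{
            Path      = $Path
            Identity  = $_.IdentityReference
            Type      = $_.AccessControlType   # Allow or Deny
            Rights    = $rights
            Inherited = $_.IsInherited
        }
    }
}

# 1. The service: which account it logs on as and which executable it starts.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
"Service '$ServiceName' logs on as: $($svc.StartName)"

# PathName may be quoted and may carry arguments; keep only the .exe path.
if ($svc.PathName -match '^\s*"?([^"]+?\.exe)') { $exe = $Matches[1] }
else { throw "Could not extract an executable path from: $($svc.PathName)" }

# 2. The COM class: its registration key and the DLL that key points to.
$key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
if (-not (Test-Path -LiteralPath $key)) { throw "No InprocServer32 key for $Clsid" }
$dll = (Get-ItemProperty -LiteralPath $key).'(default)'
$dll = [Environment]::ExpandEnvironmentVariables($dll)

# 3. Show every ACL entry; look for a missing Allow or an explicit Deny
#    that applies to the log-on account or to a group it belongs to.
$exe, $key, $dll |
    ForEach-Object { Get-AclSummary $_ } |
    Sort-Object Path, Type |
    Format-Table Path, Identity, Type, Rights, Inherited -AutoSize
```

Run it from an elevated prompt so that Get-Acl can read every descriptor.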


Author Comment

ID: 12011430
Thanks, PierreC.  It's the right track, but probably not the complete answer.

Apparently I'm forced to use "login as Local Account" because I need access to the Desktop.  If I log in as "Administrator", for example, the desktop programs' window handles are invisible to me since the services run in a separate desktop.  I need to check the  "Allow Service to Interact With Desktop" box -- and that's not available when you log on as a normal account.

So the question seems to be: What are the permissions available to "Login as Local Account" -- i.e., WHAT IS the "Local Account"?  I've enabled a variety of things such as SYSTEM, SERVICE, LOCAL SERVICE -- but none work.  It seems one has to find out what the "Local Account" is, what its permissions are, and if necessary how to modify them.  None of this is documented anywhere I have found so far.

Still searching.

LVL 14

Expert Comment

by:Pierre Cornelius
ID: 12014985
Local Account is the one currently active if I'm not mistaken. I.e., if I logged in with Username PierreC, then that would be the local account referred to.

Author Comment

ID: 12016489
I kind of suspected that.  At least it gives me access to the running programs on the desktop.  But it does deepen the mystery of why I get the ACCESS DENIED exception, since I log in as Administrator to the desktop.  I can monitor and restart programs that don't use COM objects, but the ones that do cause the exception.
LVL 14

Expert Comment

by:Pierre Cornelius
ID: 12016794
Have a look at your COM application and DCom Config permissions under component services.

Click Start; Run; Type mmc <ENTER>
Click File Add/Remove Snap-in
Click Add
Select Component Services; Click Add; Click Close
Click OK
Go to your relevant object; Right click and click on properties

There is probably a lot to look at, so good luck


Author Comment

ID: 12018620
PierreC -- again thanks.
I went to Component Services as you suggested -- it was new to me.  After reading the help file I tried several experiments.  First I added "everyone" to the global permissions for COM objects, thinking if that didn't do it nothing else would.  That didn't fix it.  Then, I added "everyone" to the .DLL's permissions and enabled "Full Control".  That didn't work either.  Of course I didn't restart the server after each change -- which Bill likes us to do.  (The server is busy serving, so I'm loath to shut it down.)

I've found that the Web Edition of Win 2003, which I'm using, seems to have some defects relating to active directory.  For example, the POP server won't accept more than one account.  Maybe this Access Denied problem results from another of Microsoft's crippled and undocumented features in this version -- of which there are many.

It's odd that the problem-application discussed, above, a) works fine with windows 2000, and b) the program starts and loads the COM module without problems when started from the desktop, but not when started by a service, and c) It works on Win2003 for apps that don't load a COM module.  
LVL 14

Accepted Solution

Pierre Cornelius earned 500 total points
ID: 12021298
Just thought of this:

The services are started with svchost.exe, right?

Do you have sufficient permissions to run svchost.exe? (Found in \SystemRoot\System32\ I think, e.g. c:\Winnt\system32)


Author Comment

ID: 12022220
Apparently so.  The service runs just fine and is capable of starting/re-starting programs that do not have COM.  Also, the desktop is running as Administrator.

Author Comment

ID: 13346045
Thanks to all who responded. PierreC helped the most.

This problem, in common with many others in the Windows environment, had to do with miserable documentation as much as anything else.  The problem was eventually solved by some kind of permission being granted, but I tried so many things that I can't say I remember the exact fix.  It took a long time.  The real solution will probably be to use Linux next time around.
