ACCESS DENIED problem in Win2003 With Service App.

Posted on 2004-09-02
Last Modified: 2010-04-05
I have a Service application which loads a Desktop app. (.EXE) which in turn loads a COM module (.DLL).  The Service app is set to log on as "Local System Account" and "Allow Service to Interact With Desktop" is checked.

In Windows 2000 this all works without any problems at all.  In Windows 2003 I get an "Access Denied" exception when the COM module is loaded.

What do I have to do to make Win2003 accept this COM module?  I've authorized SYSTEM, SERVICE and LOCAL SERVICE, among others in the directory paths -- but no success so far.  What authorization is needed?  And where?
Question by:mfiring

Expert Comment

ID: 11968906
this seems to be a problem in .NET... unless you run with administrator privileges

see this:
Starting from a working system, I set the Archive flag off for the DLL for
which access was denied before.
I try to re-run the application : Access Denied.
I reset the Archive flag and re-run the application : Access Denied
I modify the dll physically (with HEX editor, change a byte, change it back and save) and re-run the application : working again.

Expert Comment

by:Pierre Cornelius
ID: 12010881
I had the same problem, but on a Win XP Pro system with Simple File Sharing off and a NTFS File system. The DNS Client service wouldn't start at all. I kept getting the same error as you "Error 5 : Access Denied". Changing from log on using NETWORK_SERVICE to "Local System Account" solved my problem. I later found out that the NETWORK_SERVICE Account did not have any permissions for the svchost.exe which loads the DNS Client service.

My suggestions:
Ensure that the account you are trying to "log on as" has full access to the calling app (refer "path to executable"). i.e. svchost in my case/example above.

If the calling app and/or the DLL being loaded needs access to any of the registry keys, ensure that the calling app (via your "log on as" account) has access to them too. i.e. Run regedit; Go to the relevant key; Click View; Click Edit permissions.

In conclusion:
The service app or DLL you are loading is probably trying to read/write to/from a file/folder or possibly the registry for which it (your "Log on as" account) does not have sufficient permissions set. Find it.

Hope this helps.
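
The checks suggested in the answer above (does the service's "log on as" account have rights on the executable, the DLL and the registry keys involved) can be scripted. This is an added example, not part of the original thread; it assumes a current PowerShell with `Get-CimInstance`, and `MyService`, `C:\Apps\MyCom.dll` and the registry key are hypothetical placeholders. The list of group SIDs only approximates what a service token carries.

```powershell
# Added example. 'MyService', the DLL path and the registry key are hypothetical placeholders.
param(
    [string]$ServiceName = 'MyService',
    [string[]]$ExtraPaths = @('C:\Apps\MyCom.dll', 'HKLM:\SOFTWARE\Classes\CLSID')
)

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }

# PathName can be quoted and carry arguments; keep only the executable.
if ($svc.PathName -notmatch '^\s*"?(.+?\.exe)') { throw "Cannot parse '$($svc.PathName)'." }
$exe = $Matches[1]

# Resolve the "log on as" account to a SID so matching does not depend on display names.
$sidType = [System.Security.Principal.SecurityIdentifier]
$acctSid = if ($svc.StartName -eq 'LocalSystem') {
    'S-1-5-18'
} else {
    $name = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    ([System.Security.Principal.NTAccount]$name).Translate($sidType).Value
}

# Account plus groups a service token normally carries:
# Everyone, Authenticated Users, SERVICE; Administrators for LocalSystem.
$sids = @($acctSid, 'S-1-1-0', 'S-1-5-11', 'S-1-5-6')
if ($acctSid -eq 'S-1-5-18') { $sids += 'S-1-5-32-544' }

foreach ($path in @($exe) + $ExtraPaths) {
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Path = $path; Identity = '-'; Type = 'missing'; Rights = '-'; Inherited = '-' }
        continue
    }
    $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $sids -contains $_.IdentityReference.Value }
    if (-not $rules) {
        [pscustomobject]@{ Path = $path; Identity = $acctSid; Type = 'no matching ACE'; Rights = '-'; Inherited = '-' }
        continue
    }
    foreach ($r in $rules) {
        # File and registry rules expose their rights under different property names.
        $rights = if ($r -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $r.FileSystemRights } else { $r.RegistryRights }
        [pscustomobject]@{ Path = $path; Identity = $r.IdentityReference.Value
                           Type = $r.AccessControlType; Rights = $rights; Inherited = $r.IsInherited }
    }
}
```

Rows with `Type` of `Deny` or `no matching ACE` are the ones to look at first; the script reads ACLs only and changes nothing.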


Author Comment

ID: 12011430
Thanks, PierreC.  It's the right track, but probably not the complete answer.

Apparently I'm forced to use "login as Local Account" because I need access to the Desktop.  If I log in as "Administrator", for example, the desktop programs' window handles are invisible to me since the services run in a separate desktop.  I need to check the  "Allow Service to Interact With Desktop" box -- and that's not available when you log on as a normal account.

So the question seems to be: What are the permissions available to "Login as Local Account" -- i.e., WHAT IS the "Local Account"?  I've enabled a variety of things such as SYSTEM, SERVICE, LOCAL SERVICE -- but none work.  It seems one has to find out what the "Local Account" is, what its permissions are, and if necessary how to modify them.  None of this is documented anywhere I have found so far.

Still searching.

Expert Comment

by:Pierre Cornelius
ID: 12014985
Local Account is the one currently active if I'm not mistaken. I.e., if I logged in with Username PierreC, then that would be the local account referred to.

Author Comment

ID: 12016489
I kind of suspected that.  At least it gives me access to the running programs on the desktop.  But it does deepen the mystery of why I get the ACCESS DENIED exception, since I log in as Administrator to the desktop.  I can monitor and restart programs that don't use COM objects, but the ones that do cause the exception.

Expert Comment

by:Pierre Cornelius
ID: 12016794
Have a look at your COM application and DCom Config permissions under component services.

Click Start; Run; Type mmc <ENTER>
Click File Add/Remove Snap-in
Click Add
Select Component Services; Click Add; Click Close
Click OK
Go to your relevant object; Right click and click on properties

There is probably a lot to look at, so good luck


Author Comment

ID: 12018620
PierreC -- again thanks.
I went to Component Services as you suggested -- it was new to me.  After reading the help file I tried several experiments.  First I added "everyone" to the global permissions for COM objects, thinking if that didn't do it nothing else would.  That didn't fix it.  Then, I added "everyone" to the .DLL's permissions and enabled "Full Control".  That didn't work either.  Of course I didn't restart the server after each change -- which Bill likes us to do.  (The server is busy serving, so I'm loath to shut it down.)

I've found that the Web Edition of Win 2003, which I'm using, seems to have some defects relating to active directory.  For example, the POP server won't accept more than one account.  Maybe this Access Denied problem results from another of Microsoft's crippled and undocumented features in this version -- of which there are many.

It's odd that the problem-application discussed, above, a) works fine with windows 2000, and b) the program starts and loads the COM module without problems when started from the desktop, but not when started by a service, and c) It works on Win2003 for apps that don't load a COM module.  

Accepted Solution

Pierre Cornelius earned 500 total points
ID: 12021298
Just thought of this:

The services are started with svchost.exe, right?

Do you have sufficient permissions to run svchost.exe? (Found in \SystemRoot\System32\ I think, e.g. c:\Winnt\system32)


Author Comment

ID: 12022220
Apparently so.  The service runs just fine and is capable of starting/re-starting programs that do not have COM.  Also, the desktop is running as Administrator.

Author Comment

ID: 13346045
Thanks to all who responded. PierreC helped the most.

This problem, in common with many others in the Windows environment, had to do with miserable documentation as much as anything else.  The problem was eventually solved by some kind of permission being granted, but I tried so many things that I can't say I remember the exact fix.  It took a long time.  The real solution will probably be to use Linux next time around.
