ACCESS DENIED problem in Win2003 With Service App.

Posted on 2004-09-02
Medium Priority
Last Modified: 2010-04-05
I have a Service application which loads a Desktop app. (.EXE) which in turn loads a COM module (.DLL).  The Service app is set to log on as "Local System Account" and "Allow Service to Interact With Desktop" is checked.

In Windows 2000 this all works without any problems at all.  In Windows 2003 I get an "Access Denied" exeption when the COM module is loaded.

What do I have to do to make Win2003 accept this COM module?  I've authorized SYSTEM, SERVICE and LOCAL SERVICE, among others in the directory paths -- but no success so far.  What authorization is needed?  And where?
Question by:mfiring
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 13

Expert Comment

ID: 11968906
this seems to be a problem in .NET... unless you run with administrator privileges

see this:
Starting from a working system, I set the Archive flag off for the DLL for
which access was denied before.
I try to re-run the application : Access Denied.
I reset the Archive flag and re-run the application : Access Denied
I modify the dll phyiscally (with HEX editor, change a byte, change it back and save) and re-run the application : working again.

LVL 14

Expert Comment

by:Pierre Cornelius
ID: 12010881
I had the same problem, but on a Win XP Pro system with Simple File Sharing off and a NTFS File system. The DNS Client service wouldn't start at all. I kept getting the same error as you "Error 5 : Access Denied". Changing from log on using NETWORK_SERVICE to "Local System Account" solved my problem. I later found out that the NETWORK_SERVICE Account did not have any permissions for the svchost.exe which loads the DNS Client service.

My suggestions:
Ensure that the account you are trying to "log on as" has full access to the calling app (refer "path to executable"). i.e. svchost in my case/example above.

If the calling app and/or the DLL being loaded needs access to any of the registry keys, ensure that the calling app (via your "log on as" account) has access to them too. i.e. Run regedit; Go to the relevant key; Click View; Click Edit permissions.

In conclusion:
The service app or DLL you are loading is probably trying to read/write to/from a file/folder or possibly the registry for which it (your "Log on as" account) does not have sufficient permissions set. Find it.

Hope this helps.


Author Comment

ID: 12011430
Thanks, PierreC.  It's the right track, but probably not the complete answer.

Apparently I'm forced to use "login as Local Account" because I need access to the Desktop.  If I log in as "Administrator", for example, the desktop programs' window handles are invisible to me since the services run in a separate desktop.  I need to check the  "Allow Service to Interact With Desktop" box -- and that's not available when you log on as a normal account.

So the question seems to be: What are the permissions available to "Login as Local Account" -- i.e., WHAT IS the "Local Account"?  I've enabled a variety of things such as SYSTEM, SERVICE, LOCAL SERVICE -- but none work.  It seems one has to find out what the "Local Account" is, what its permissions are, and if necessary how to modify them.  None of this is documented anywhere I have found so far.

Still searching.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 14

Expert Comment

by:Pierre Cornelius
ID: 12014985
Local Account is the one currently active if I'm not mistaken. I.e if I logged in with Username PierreC, then that would be the local account referred to.

Author Comment

ID: 12016489
I kind of suspected that.  At least it gives me access to the running programs on the desktop.  But it does deepen the mystery of why I get the ACCESS DENIED exception, since I log in as Administrator to the desktop.  I can monitor and restart programs that don't use COM objects, but the ones that do cause the exception.
LVL 14

Expert Comment

by:Pierre Cornelius
ID: 12016794
Have a look at your COM application and DCom Config permissions under component services.

Click Start; Run; Type mmc <ENTER>
Click File Add/Remove Snap-in
Click Add
Select Component Services; Click Add; Click Close
Click OK
Go to your relevant object; Right click and click on properties

There is probably a lot to look at, so good luck


Author Comment

ID: 12018620
PierreC -- again thanks.
I went to Component Services as you suggested -- it was new to me.  After reading the help file I tried several experiments.  First I added "everyone" to the global permissions for COM objects, thinking if that didn't do it nothing else would.  That didn't fix it.  Then, I added "everyone" to the .DLL's permissions and enabled "Full Control".  That didn't work either.  Of course I didn't restart the server after each change -- which Bill likes us to do.  (The server is busy serving, so I'm loathe to shut it down.)

I've found that the Web Edition of Win 2003, which I'm using, seems to have some defects relating to active directory.  For example, the POP server won't accept more than one account.  Maybe this Access Denied problem results from another of Microsoft's crippled and undocumented features in this version -- of which there are many.

It's odd that the problem-application discussed, above, a) works fine with windows 2000, and b) the program starts and loads the COM module without problems when started from the desktop, but not when started by a service, and c) It works on Win2003 for apps that don't load a COM module.  
LVL 14

Accepted Solution

Pierre Cornelius earned 2000 total points
ID: 12021298
Just thought of this:

The services are started with svchost.exe, right?

Do you have sufficient permissions to run svchost.exe? (Found in \SystemRoot\System32\ i think e.g. c:\Winnt\system32)


Author Comment

ID: 12022220
Apparently so.  The service runs just fine and is capable of starting/re-starting programs that do not have COM.  Also, the desktop is running as Administrator.

Author Comment

ID: 13346045
Thanks to all who responded. PierreC helped the most.

This problem, in common with many others in the Windows environment had to do with miserable documentation as much as anything else.  The problem was eventually solved by some kind of permission being granted, but I tried so many things that I can't say I remember the exact fix.  It took a long time.  The real solution will probably be to use Linux next time around.

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The uses clause is one of those things that just tends to grow and grow. Most of the time this is in the main form, as it's from this form that all others are called. If you have a big application (including many forms), the uses clause in the in…
This article explains how to create forms/units independent of other forms/units object names in a delphi project. Have you ever created a form for user input in a Delphi project and then had the need to have that same form in a other Delphi proj…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Suggested Courses
Course of the Month8 days, 20 hours left to enroll

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question