Service won't stop (Access Denied) with Server Operator access

[djhawthorn]

I have a service (called "Pervasive") running as a domain administrator account.

I log on as a user who's a member of the Server Operators group. This user can stop any service ("Print Spooler" for example), but can't stop this one "Pervasive" service. Is this because the service is running as a domain admin? (ie. someone with more access), or could there be another reason?

MCSE NT4/W2K

 

[netwalker1]

u got it ...
u don't have the privillage which make you stop the Domain Admin services ...

Mohamed Farid
[green]Know Me No Pain , No Me Know Pain !!![/green]

 

[djhawthorn]

I changed the service to run as the local system account, to no effect - I still couldnt stop the service as the user.

Someone with "Server Operator" membership should be able to stop services - indeed, they can stop any other service. Just not this one...

Must be something else, but the permissions on the registry keys seem to be fine.

MCSE NT4/W2K

 

[netwalker1]

Can the administrator stop it ?

if yes , check the service source - maybe it depends on a file which is not accessable to all users ?

Mohamed Farid
[green]Know Me No Pain , No Me Know Pain !!![/green]

 

[djhawthorn]

The service is running an application (which everyone has access to) via the srvany.exe make-an-application-a-service controller - its in C:\winnt\system32\.

I'll need to check, but I'm sure the user has at least read access to the srvany.exe file.

MCSE NT4/W2K

 

[djhawthorn]

Yes, a domain administrator can stop it.

I set "full control" permissions on the following:

C:\winnt\system32\srvany.exe (previously modify only)
The application files (previously modify only)
The registry key HKLM\System\CurrentControlSet\Services\<Pervasive Service>\ and all subkeys (previously modify only)

And I still can't stop the service as this user... same error.

MCSE NT4/W2K

 

[djhawthorn]

More information: I ran a subinacl query against the service, and I find the following (when running as a domain admin):

/control=0x0
/owner             =system
/primary group     =system
/audit ace count   =1
/aace =everyone         SYSTEM_AUDIT_ACE_TYPE-0x2
        FAILED_ACCESS_ACE_FLAG-0x80    FAILED_ACCESS_ACE_FLAG-0x0x80
        SERVICE_ALL_ACCESS
/perm. ace count   =4
/pace =system   ACCESS_ALLOWED_ACE_TYPE-0x0
        SERVICE_QUERY_CONFIG-0x1           SERVICE_QUERY_STATUS-0x4           SERVICE_ENUMERATE_DEPEND-0x8
        SERVICE_START-0x10                 SERVICE_STOP-0x20                  SERVICE_PAUSE_CONTINUE-0x40        SERVICE_INTERROGATE-0x80
        READ_CONTROL-0x20000               SERVICE_USER_DEFINED_CONTROL-0x0100
/pace =builtin\administrators   ACCESS_ALLOWED_ACE_TYPE-0x0
        SERVICE_ALL_ACCESS
/pace =authenticated users      ACCESS_ALLOWED_ACE_TYPE-0x0
        SERVICE_QUERY_CONFIG-0x1           SERVICE_QUERY_STATUS-0x4           SERVICE_ENUMERATE_DEPEND-0x8
        SERVICE_INTERROGATE-0x80           READ_CONTROL-0x20000               SERVICE_USER_DEFINED_CONTROL-0x0100
/pace =builtin\server operators         ACCESS_ALLOWED_ACE_TYPE-0x0
        SERVICE_ALL_ACCESS

Which shows the server operators group as having all access. If I run the same query as the server operator user though, I get this:

SeSecurityPrivilege : Access is denied.

WARNING :Unable to set SeSecurityPrivilege privilege. This privilege may be required.
Error OpenSCManager : Access is denied.

If I explicitly set the user to have all_access (full control), I still get the same error. So the problem doesn't appear to be with the service itself... Anyone know where else I might be able to look?

MCSE NT4/W2K

 

[netwalker1]

can you create another service with the same parameter but put srvany.exe in a folder directly on C:\

And try again ...


Mohamed Farid
[green]Know Me No Pain , No Me Know Pain !!![/green]

 

[djhawthorn]

Seems to work if the srvany.exe is in the root of C:\...

Viewing permissions on the C:\winnt\system32\ copy server administrators have modify access, though it tells me I only have permission to view the security attributes.

MCSE NT4/W2K

 

[djhawthorn]

Change access to full control doesn't help though (sorry for the double post). Still can't start/stop the service.

MCSE NT4/W2K

 

[netwalker1]

if it work if the srvany.exe at C:
this means that the directory you are putting the srvany.exe inside is the problem ( access problem , privillage problem , ... )



Mohamed Farid
[green]Know Me No Pain , No Me Know Pain !!![/green]

 

[teckystuff]

Does this service have any dependents?

*****************************************
Your mouse has moved - reboot for changes to take effect

 

[djhawthorn]

No, no dependents.

And as I say, its not access to the file; Server Operators have change control to srvany.exe. Changing it to full control doesnt make a difference - they still can't control the service.

I think its something we did after the service was installed that has screwed it up somehow. Making a second service doesn't seem to have the problem. I'm thinking we may need to delete and recreate the service, but that means doing it about 20 times on different servers. Would rather get to the bottom of "why" its happening.

What happens if I were to delete the "SECURITY" subkey under HKLM\System\CurrentControlSet\Services\Pervasive\?

MCSE NT4/W2K