Advertisement

There's no such thing as a stupid question, but they're the easiest to answer.
Login
Search

Advertisement

Software Development Software Development
Search Search
Search for:
Tech Support Guy > > >

Solved: Access Denied when trying to Start Service


(!)

bxf's Avatar
bxf bxf is offline
Member with 39 posts.
THREAD STARTER
 
Join Date: Aug 2004
Experience: Intermediate
24-Nov-2009, 03:56 PM #1
Solved: Access Denied when trying to Start Service
I have a VB script that issues StartService. This works fine under XP. It also works under Win7, but only if I run it as Administrator. If I run it as a another user with Administrator rights, it fails with "Access Denied".

Is there any way to use StartService without having to run as Administrator?

Thanks for any input.
Mumbodog's Avatar
Member with 7,891 posts.
 
Join Date: Oct 2007
Experience: Advanced
24-Nov-2009, 07:34 PM #2
I dont think so, user accounts with admin rights is different than the true Admin, this changed with Vista and carried forward to W7.

You might try disabling UAC, see if it will run.

.
bxf's Avatar
bxf bxf is offline
Member with 39 posts.
THREAD STARTER
 
Join Date: Aug 2004
Experience: Intermediate
24-Nov-2009, 09:30 PM #3
Thanks, Mumbodog. Yes, Turning off UAC enables me to start the service from the script. Unfortunately, to have a UAC change take effect, one has to restart, which means that I'd have to keep on running with UAC off. Still, this was an educational piece of information.

While we're on the subject of UAC: I'm "sure" that somebody somewhere must have raised the question of why MS didn't implement the concept of a "Trusted Application", so that one could flag selected programs as being SAFE, and hence candidates for bypassing UAC. Is there an answer to such a question?
Mumbodog's Avatar
Member with 7,891 posts.
 
Join Date: Oct 2007
Experience: Advanced
24-Nov-2009, 09:56 PM #4
MS is always behind the times, plain and simple.

It was an attempt by Microsoft to make their OS more like OSX, so they came up with the half baked Idea of UAC to keep malware from getting on the system instead of a complete rewrite of the OS to rid it of things like the registry and Dll's. It backfired of course. They tamed down UAC in Windows 7 somewhat.

I use the hidden admin account in Vista and W7, does away with all the nonsense of the regular user account, makes it more like XP.



.
bxf's Avatar
bxf bxf is offline
Member with 39 posts.
THREAD STARTER
 
Join Date: Aug 2004
Experience: Intermediate
24-Nov-2009, 10:15 PM #5
OK, UAC is a nuisance, but it does provide a certain level of protection. Whether or not that protection level justifies the nuisance level is another question.

What gets me, though, is that I would have thought that it is so simple to implement the SAFE program concept. Just one additional flag - in the Compatibility screen, for example - and then a simple check at the beginning of the UAC processing module (whatever it may be) that says something like "IF SAFE flag ON, EXIT".

I suppose there may be non-obvious reasons why it could not have been done in such a simple way, but I wouldn't be surprised if there isn't.
TheOutcaste's Avatar
Computer Specs
Member with 9,028 posts.
 
Join Date: Aug 2007
Location: Oregon, USA
Experience: Intermediate
27-Nov-2009, 01:02 PM #6
Not sure if you can call it simple, but Microsoft does provide for Trusted Applications:
Trusted Application Deployment Overview

You can also use the Elevate Powertoy to let your scripts prompt for elevation when needed, or use it at the start to prompt once, then edit the registry to change the UAC mode to not prompt, then set it back when the script finishes.

Change ConsentPromptBehaviorAdmin located here to zero:
Code:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
You can first save the value (usually 2), use this script to change it to zero, then run your script. When done, simply restore the original value using a standard registry write command.
This is in VBScript (Windows Script Host) but VB.NET should be the same or similar:
Code:
Set objShell = CreateObject("Shell.Application")
StrApplication = "C:\WINDOWS\system32\cmd.exe"
StrCmdLine = "/S /C ""Reg Add ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"" /V ConsentPromptBehaviorAdmin /T REG_DWORD /D 0 /F"""
objShell.ShellExecute strApplication, strCmdLine, "", "runas", 0
You'll be prompted once with UAC, but after that, you won't be prompted again. You do get a pop-up from the notification area to check UAC settings, but that can be ignored.
bxf's Avatar
bxf bxf is offline
Member with 39 posts.
THREAD STARTER
 
Join Date: Aug 2004
Experience: Intermediate
27-Nov-2009, 10:04 PM #7
Thumbs up It works!
Thanks Outcaste.

The discussion about Trusted Applications is way too complex, at least for my present state of mind However, the ELEVATE command works perfectly for my purposes.

Not that it matters, but the value I have in ConsentPromptBehaviorAdmin is "5" - don't know what it means vs a "2".

I should mention that rather than use "REG ADD", all I had to do is the following:

RegPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
objgReg.GetDWordValue cHKLM, RegPath, "ConsentPromptBehaviorAdmin", saveCPBA
objgReg.SetDWordValue cHKLM, RegPath, "ConsentPromptBehaviorAdmin", 0

...Start Service...

objgReg.SetDWordValue cHKLM, RegPath, "ConsentPromptBehaviorAdmin", saveCPBA

The script is subsequently invoked as : elevate wscript ""<path to script>""

Works as required

Thanks again.
TheOutcaste's Avatar
Computer Specs
Member with 9,028 posts.
 
Join Date: Aug 2007
Location: Oregon, USA
Experience: Intermediate
28-Nov-2009, 05:16 PM #8
You're Welcome
Don't know what 5 would be either, I've only seen 0, 1, and 2 mentioned as settings.
http://msdn.microsoft.com/en-us/libr...ROT.13%29.aspx

Might be the same as a 1 when looked at in binary, assuming it only looks at the last two bits::
5=101
If someone manually edited that key, might just be a typo; easy to hit a 5 instead of a 2 on the numeric keypad.
A 1 requires even an Admin account to enter a username and password, rather than just clicking a continue button.

Thanks for the VB code; I've only used this method for allowing a batch file to run elevated, so used Reg Add as I'm much more familiar with batch than VB/WSH
As Seen On

BBC, Reader's Digest, PC Magazine, Today Show, Money Magazine
WELCOME TO TECH SUPPORT GUY!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.


(clock)
THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!




Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools


WELCOME
You Are Using: Server ID
Trusted Website Back to the Top ↑