1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Access Denied when trying to Start Service

Discussion in 'Software Development' started by bxf, Nov 24, 2009.

Thread Status:
Not open for further replies.
Advertisement
  1. bxf

    bxf Thread Starter

    Joined:
    Aug 6, 2004
    Messages:
    39
    I have a VB script that issues StartService. This works fine under XP. It also works under Win7, but only if I run it as Administrator. If I run it as a another user with Administrator rights, it fails with "Access Denied".

    Is there any way to use StartService without having to run as Administrator?

    Thanks for any input.
     
  2. Mumbodog

    Mumbodog

    Joined:
    Oct 3, 2007
    Messages:
    7,891
    I dont think so, user accounts with admin rights is different than the true Admin, this changed with Vista and carried forward to W7.

    You might try disabling UAC, see if it will run.

    .
     
  3. bxf

    bxf Thread Starter

    Joined:
    Aug 6, 2004
    Messages:
    39
    Thanks, Mumbodog. Yes, Turning off UAC enables me to start the service from the script. Unfortunately, to have a UAC change take effect, one has to restart, which means that I'd have to keep on running with UAC off. Still, this was an educational piece of information.

    While we're on the subject of UAC: I'm "sure" that somebody somewhere must have raised the question of why MS didn't implement the concept of a "Trusted Application", so that one could flag selected programs as being SAFE, and hence candidates for bypassing UAC. Is there an answer to such a question?
     
  4. Mumbodog

    Mumbodog

    Joined:
    Oct 3, 2007
    Messages:
    7,891
    MS is always behind the times, plain and simple.

    It was an attempt by Microsoft to make their OS more like OSX, so they came up with the half baked Idea of UAC to keep malware from getting on the system instead of a complete rewrite of the OS to rid it of things like the registry and Dll's. It backfired of course. They tamed down UAC in Windows 7 somewhat.

    I use the hidden admin account in Vista and W7, does away with all the nonsense of the regular user account, makes it more like XP.



    .
     
  5. bxf

    bxf Thread Starter

    Joined:
    Aug 6, 2004
    Messages:
    39
    OK, UAC is a nuisance, but it does provide a certain level of protection. Whether or not that protection level justifies the nuisance level is another question.

    What gets me, though, is that I would have thought that it is so simple to implement the SAFE program concept. Just one additional flag - in the Compatibility screen, for example - and then a simple check at the beginning of the UAC processing module (whatever it may be) that says something like "IF SAFE flag ON, EXIT".

    I suppose there may be non-obvious reasons why it could not have been done in such a simple way, but I wouldn't be surprised if there isn't.
     
  6. TheOutcaste

    TheOutcaste

    Joined:
    Aug 7, 2007
    Messages:
    9,028
    Not sure if you can call it simple, but Microsoft does provide for Trusted Applications:
    Trusted Application Deployment Overview

    You can also use the Elevate Powertoy to let your scripts prompt for elevation when needed, or use it at the start to prompt once, then edit the registry to change the UAC mode to not prompt, then set it back when the script finishes.

    Change ConsentPromptBehaviorAdmin located here to zero:
    Code:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    You can first save the value (usually 2), use this script to change it to zero, then run your script. When done, simply restore the original value using a standard registry write command.
    This is in VBScript (Windows Script Host) but VB.NET should be the same or similar:
    Code:
    Set objShell = CreateObject("Shell.Application")
    StrApplication = "C:\WINDOWS\system32\cmd.exe"
    StrCmdLine = "/S /C ""Reg Add ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"" /V ConsentPromptBehaviorAdmin /T REG_DWORD /D 0 /F"""
    objShell.ShellExecute strApplication, strCmdLine, "", "runas", 0
    
    You'll be prompted once with UAC, but after that, you won't be prompted again. You do get a pop-up from the notification area to check UAC settings, but that can be ignored.
     
  7. bxf

    bxf Thread Starter

    Joined:
    Aug 6, 2004
    Messages:
    39
    Thanks Outcaste.

    The discussion about Trusted Applications is way too complex, at least for my present state of mind:eek: However, the ELEVATE command works perfectly for my purposes.

    Not that it matters, but the value I have in ConsentPromptBehaviorAdmin is "5" - don't know what it means vs a "2".

    I should mention that rather than use "REG ADD", all I had to do is the following:

    RegPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    objgReg.GetDWordValue cHKLM, RegPath, "ConsentPromptBehaviorAdmin", saveCPBA
    objgReg.SetDWordValue cHKLM, RegPath, "ConsentPromptBehaviorAdmin", 0

    ...Start Service...

    objgReg.SetDWordValue cHKLM, RegPath, "ConsentPromptBehaviorAdmin", saveCPBA

    The script is subsequently invoked as : elevate wscript ""<path to script>""

    Works as required:)

    Thanks again.
     
  8. TheOutcaste

    TheOutcaste

    Joined:
    Aug 7, 2007
    Messages:
    9,028
    You're Welcome
    Don't know what 5 would be either, I've only seen 0, 1, and 2 mentioned as settings.
    http://msdn.microsoft.com/en-us/library/cc232761(PROT.13).aspx

    Might be the same as a 1 when looked at in binary, assuming it only looks at the last two bits::
    5=101
    If someone manually edited that key, might just be a typo; easy to hit a 5 instead of a 2 on the numeric keypad.
    A 1 requires even an Admin account to enter a username and password, rather than just clicking a continue button.

    Thanks for the VB code; I've only used this method for allowing a batch file to run elevated, so used Reg Add as I'm much more familiar with batch than VB/WSH
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/880120