When a Universal Naming Convention (UNC) name is passed to CreateService()
as the path to the service binary, the call succeeds, but the service start
fails with ERROR_ACCESS_DENIED (5). This error occurs only if the service is
specified to run in the LocalSystem account.

The Service Control Manager calls CreateProcess() to start the service. If
the service is specified to run in a user account, the Service Control
Manager impersonates the user before calling CreateProcess(). If the
service is specified to run in the LocalSystem account, the Service Control
Manager runs in the LocalSystem security context. When you call
CreateProcess() with a UNC name from a process running in the LocalSystem
context, you get ERROR_ACCESS_DENIED. This is because LocalSystem has
restricted (less than guest) access to remote machines. A null session is
set up for LocalSystem remote access, which has reduced rights.

There are three possible solutions:

• Run the service from a user account which has access to the UNC share.

  -or-

• When specifying the fully qualified path to the service binary file,
  do not use a UNC name. It may be desirable to copy the service binary
  file to the local machine. This has the added benefit that the service
  will no longer be dependent on network operations.

  -or-

• If the service binary is on, add SHARENAME to

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares

  on MACHINEA. This will let requests to access this share from null
  sessions succeed.

  WARNING: This will allow everyone access to the share. If you want to
  maintain security for the share, create an account with the access
  required.
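
An added audit example in PowerShell (not part of the original article): it lists services set to run in the LocalSystem account whose binary path is a UNC name, the combination that fails as described above, and reads NullSessionShares so that shares opened to null sessions can be reviewed. The function names are illustrative, and matching StartName against "LocalSystem" assumes the account name as WMI reports it.

```powershell
# Added example: audit for the conditions described in this article.
# Function names are illustrative; run on the machine being checked.

function Test-UncPath {
    param([string]$Path)
    # Drop a leading quote, then look for the \\server\share prefix.
    return ($Path.TrimStart('"') -match '^\\\\[^\\]+\\[^\\]+')
}

function Get-LocalSystemUncService {
    # Services that run as LocalSystem and load their binary from a UNC name.
    # Assumption: Win32_Service reports the account as "LocalSystem".
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and (Test-UncPath $_.PathName) } |
        Select-Object Name, StartName, PathName
}

function Get-NullSessionShare {
    # Shares listed here accept requests from null sessions.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = Get-ItemProperty -Path $key -Name NullSessionShares -ErrorAction SilentlyContinue
    if ($null -eq $value) { return @() }
    # REG_MULTI_SZ is returned as a string array; skip empty entries.
    return @($value.NullSessionShares | Where-Object { $_ })
}

$services = @(Get-LocalSystemUncService)
if ($services.Count -gt 0) {
    Write-Output 'LocalSystem services with a UNC binary path (start will fail with error 5):'
    $services | Format-Table -AutoSize
} else {
    Write-Output 'No LocalSystem service uses a UNC binary path.'
}

$shares = @(Get-NullSessionShare)
if ($shares.Count -gt 0) {
    Write-Output 'Shares open to null sessions (review each entry):'
    $shares | ForEach-Object { "  $_" }
} else {
    Write-Output 'NullSessionShares is empty or not set.'
}
```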