What's Actually Happening
Unable to start, stop, or manage Windows services. Access denied error when attempting service operations.
The Error You'll See
```powershell PS> Start-Service MyService
Start-Service : Service 'MyService' cannot be started due to the following error: Access is denied ```
Services MMC error:
Error 5: Access is deniedsc command error:
```cmd C:\> sc start MyService
[SC] OpenService FAILED 5: Access is denied ```
Task Manager error:
Unable to stop service. Access is denied.Why This Happens
- 1.Insufficient privileges - User not administrator
- 2.Service permissions - Service ACL restricts access
- 3.UAC blocking - User Account Control not elevated
- 4.Service account issue - Service account lacks rights
- 5.Group Policy - Policy restricts service management
- 6.Antivirus blocking - Security software interfering
Step 1: Run as Administrator
```powershell # Always run PowerShell as Administrator: # Right-click PowerShell -> Run as administrator
# Or from cmd: runas /user:Administrator cmd
# Check current user: whoami /all
# Check if admin: net localgroup administrators
# Your user should be in administrators group
# Verify elevated token: whoami /groups | findstr "S-1-16-12288"
# S-1-16-12288 = High integrity (elevated) # S-1-16-8192 = Medium integrity (not elevated)
# Restart PowerShell as admin and retry ```
Step 2: Check Service Permissions
```powershell # Get service security descriptor: sc.exe sdshow MyService
# Example output: # D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)...
# Permission codes: # A = Allow # CCLCSWRPWPDTLOCRRC = Generic Read # CCDCLCSWRPWPDTLOCRSDRCWDWO = Full Control
# Common SIDs: # SY = SYSTEM # BA = Built-in Administrators # BU = Built-in Users # AU = Authenticated Users
# View in more readable format: # Use Process Explorer or AccessChk: accesschk.exe -c MyService
# Check specific user access: accesschk.exe -c MyService -u username ```
Step 3: Modify Service Permissions
```powershell # Grant service control to user:
# Method 1: Using sc.exe: sc.exe sdset MyService "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
# Method 2: Using SubInACL (from Resource Kit): subinacl.exe /service MyService /grant=username=F
# Method 3: Using PowerShell module: # Install: Install-Module -Name ServicePermissions
# Grant permission: Grant-ServicePermission -Name MyService -Account "DOMAIN\User" -Permission FullControl
# Grant start/stop permission: Grant-ServicePermission -Name MyService -Account "DOMAIN\User" -Permission StartStop
# Verify change: sc.exe sdshow MyService ```
Step 4: Check User Rights Assignment
```powershell # Check local security policy: secpol.msc
# Navigate to: # Local Policies -> User Rights Assignment
# Important rights for services: # - Log on as a service (SeServiceLogonRight) # - Log on as a batch job # - Replace a process level token
# Check with whoami: whoami /priv
# Check specific right: whoami /priv | findstr SeServiceLogonRight
# Grant via Group Policy or Local Policy: # Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
# Or via command: ntrights +r SeServiceLogonRight -u "DOMAIN\User" ```
Step 5: Check Service Account
```powershell # Check service account: Get-WmiObject Win32_Service -Filter "Name='MyService'" | Select-Object Name, StartName, StartMode
# Or: sc.exe qc MyService
# Common accounts: # LocalSystem - Full system access # LocalService - Limited local access # NetworkService - Network access with computer credentials # Domain Account - Specific domain user
# Check if account has required rights: # Log on as service right is critical
# Change service account: sc.exe config MyService obj= "DOMAIN\ServiceAccount" password= "Password"
# Or via PowerShell: $service = Get-WmiObject Win32_Service -Filter "Name='MyService'" $service.Change($null, $null, $null, $null, $null, $null, "DOMAIN\ServiceAccount", "Password")
# Check account password not expired: net user ServiceAccount /domain ```
Step 6: Disable UAC for Testing
```powershell # Check UAC status: Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System | Select-Object EnableLUA
# Temporarily disable UAC (requires restart): Set-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -Value 0
# Re-enable UAC: Set-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -Value 1
# Better approach: Configure UAC settings: # Control Panel -> User Accounts -> Change User Account Control settings
# Or use "Run as administrator" for each operation # Don't disable UAC in production! ```
Step 7: Check Group Policy
```powershell # Check applied GPOs: gpresult /h gpo-report.html start gpo-report.html
# Check specific policy: gpresult /r
# Check service-related policies: # Computer Configuration -> Windows Settings -> Security Settings -> System Services
# View service GPO settings: Get-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\Services" -ErrorAction SilentlyContinue
# Check restricted services: # Computer Configuration -> Administrative Templates -> System -> Services
# Refresh GPO: gpupdate /force
# Check if policy blocking: # Look for "Deny" or restrictions in policy ```
Step 8: Check Antivirus Interference
```powershell # Temporarily disable Windows Defender: Set-MpPreference -DisableRealtimeMonitoring $true
# Check Windows Defender logs: Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Select-Object -Last 20
# Re-enable after testing: Set-MpPreference -DisableRealtimeMonitoring $false
# Check third-party antivirus: # Temporarily disable and test
# Add exclusions if needed: Add-MpPreference -ExclusionPath "C:\Path\To\Service" Add-MpPreference -ExclusionProcess "MyService.exe"
# Check Event Log for blocks: Get-WinEvent -LogName System | Where-Object {$_.Message -like "*MyService*"} | Select-Object -Last 10 ```
Step 9: Use Service-Specific Tools
```powershell # Use PsService (Sysinternals): psservice.exe query MyService psservice.exe start MyService psservice.exe stop MyService
# Use Service Control (sc): sc.exe query MyService sc.exe start MyService sc.exe stop MyService
# Use PowerShell: Get-Service MyService Start-Service MyService Stop-Service MyService
# Force stop if needed: Stop-Service MyService -Force
# Check service dependencies: Get-Service MyService -RequiredServices Get-Service MyService -DependentServices
# Check service status: Get-Service MyService | Select-Object Name, Status, StartType, CanPauseAndContinue ```
Step 10: Windows Service Verification Script
```powershell # Create verification script: $script = @' # Check-WindowsService.ps1 param($ServiceName)
Write-Host "=== Current User ===" -ForegroundColor Cyan whoami /all | Select-String "S-1-16-12288" # Check if elevated whoami /groups | Select-String "S-1-5-32-544" # Check admin group
Write-Host "`n=== Service Status ===" -ForegroundColor Cyan Get-Service $ServiceName -ErrorAction SilentlyContinue
Write-Host "`n=== Service Configuration ===" -ForegroundColor Cyan sc.exe qc $ServiceName
Write-Host "`n=== Service Security ===" -ForegroundColor Cyan sc.exe sdshow $ServiceName
Write-Host "`n=== Service Account ===" -ForegroundColor Cyan Get-WmiObject Win32_Service -Filter "Name='$ServiceName'" | Select-Object Name, StartName
Write-Host "`n=== User Privileges ===" -ForegroundColor Cyan whoami /priv | Select-String "SeServiceLogonRight|SeDebugPrivilege"
Write-Host "`n=== Recent Service Events ===" -ForegroundColor Cyan Get-WinEvent -LogName System -MaxEvents 10 | Where-Object {$_.Message -like "*$ServiceName*"}
Write-Host "`n=== Recommendations ===" -ForegroundColor Cyan Write-Host "1. Run PowerShell as Administrator" Write-Host "2. Check service security descriptor" Write-Host "3. Verify user in Administrators group" Write-Host "4. Check service account permissions" Write-Host "5. Check Group Policy restrictions" Write-Host "6. Review Event Log for specific errors" '@
Set-Content -Path "C:\Scripts\Check-WindowsService.ps1" -Value $script
# Usage: # .\Check-WindowsService.ps1 -ServiceName "MyService" ```
Windows Service Checklist
| Check | Command | Expected |
|---|---|---|
| Elevated | whoami /groups | High integrity |
| Admin group | net localgroup administrators | User listed |
| Service exists | Get-Service | Service found |
| Permissions | sc.exe sdshow | User has access |
| Account rights | whoami /priv | SeServiceLogonRight |
| No GPO blocking | gpresult | No restrictions |
Verify the Fix
```powershell # After fixing service access
# 1. Check elevation whoami /groups | Select-String "S-1-16-12288" // High integrity present
# 2. Test service operation Start-Service MyService // Service started successfully
# 3. Check service status Get-Service MyService // Status: Running
# 4. Stop service Stop-Service MyService // Service stopped successfully
# 5. Check event log Get-WinEvent -LogName System -MaxEvents 5 | Where-Object {$_.Message -like "*MyService*"} // No access denied errors
# 6. Verify permissions sc.exe sdshow MyService // User SID has appropriate permissions ```
Related Issues
- [Fix Windows Service Not Starting](/articles/fix-windows-service-not-starting)
- [Fix Windows Permission Denied](/articles/fix-windows-permission-denied)
- [Fix Windows Access Denied Folder](/articles/fix-windows-access-denied-folder)