Cannot Start Windows Service in NetworkService account

问题

I have a windows service project implementation that I am trying to install as network service.

process = new ServiceProcessInstaller();
process.Account = ServiceAccount.NetworkService;

however whenever I try to start the service I get :

System error 5 has occurred.

Access is denied.

This comes after running the net start MyService command in the visual studio command prompt which is running as administrator by the way.

Any help on how to get this to work? Thanks.

回答1:

I would check that the Network Service account has permissions to execute. Steps to check:

1. In Windows explorer go to the folder containing the binaries of the service
2. Right-click on the folder > Properties > Security tab > Edit button
3. Add > "NETWORK SERVICE" > OK
4. Give it full control (just to test and then reduce permissions till it working)

回答2:

Your Net Start MyService is probably not running with escalated privileges. Your command requires (I believe) Administrative Privileges.

Update

Not sure why, but your privileges on your service are weird. By default privileges of services should look like:

D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

ACE Type: ACCESS_ALLOWED_ACE_TYPE
Trustee: NT AUTHORITY\SYSTEM
AccessMask:
  ADS_RIGHT_DELETE
  ADS_RIGHT_READ_CONTROL
  ADS_RIGHT_WRITE_DAC
  ADS_RIGHT_WRITE_OWNER
  ADS_RIGHT_DS_CREATE_CHILD
  ADS_RIGHT_DS_DELETE_CHILD
  ADS_RIGHT_ACTRL_DS_LIST
  ADS_RIGHT_DS_SELF
  ADS_RIGHT_DS_READ_PROP
  ADS_RIGHT_DS_WRITE_PROP
  ADS_RIGHT_DS_DELETE_TREE
  ADS_RIGHT_DS_LIST_OBJECT
  ADS_RIGHT_DS_CONTROL_ACCESS

However your's looks like:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)

ACE Type: ACCESS_ALLOWED_ACE_TYPE
Trustee: NT AUTHORITY\SYSTEM
AccessMask:
  ADS_RIGHT_READ_CONTROL
  ADS_RIGHT_DS_CREATE_CHILD
  ADS_RIGHT_ACTRL_DS_LIST
  ADS_RIGHT_DS_SELF
  ADS_RIGHT_DS_READ_PROP
  ADS_RIGHT_DS_WRITE_PROP
  ADS_RIGHT_DS_DELETE_TREE
  ADS_RIGHT_DS_LIST_OBJECT
  ADS_RIGHT_DS_CONTROL_ACCESS

I'm not sure exactly how that came to be. Try uninstalling and reinstalling?

You can download SddlParse (google it :) to parse out the Security Descriptor Definition Language.

回答3:

The "Access denied" message applies to the user trying to start the service, not the account in which the service is run.

Can you start the service from:

1. the Services Control Panel applet?
2. an elevated command prompt you started yourself (not from Visual Studio)?

来源：https://stackoverflow.com/questions/11978054/cannot-start-windows-service-in-networkservice-account