windows could not start service on local computer error 5 access is denied
Categories:
Troubleshooting 'Windows could not start service on Local Computer. Error 5: Access is denied.'
Learn to diagnose and resolve the common 'Error 5: Access is denied' when starting Windows Services, particularly relevant for C#, .NET, and WCF applications.
The 'Windows could not start the [Service Name] service on Local Computer. Error 5: Access is denied.' message is a common and frustrating error encountered by developers and system administrators alike. This error typically indicates that the Windows Service lacks the necessary permissions to perform its operations, often related to file system access, registry access, network resources, or the service's own executable. This article will guide you through the common causes and solutions for this persistent issue, focusing on scenarios relevant to C#, .NET, and WCF services.
Understanding the Root Causes of 'Error 5'
The 'Access is denied' error is a generic security message from the operating system. For Windows Services, this usually boils down to the identity under which the service is running. Services can run under various accounts, each with different permission sets. Misconfigurations in these accounts or the resources they try to access are the primary culprits.
flowchart TD
A[Attempt to Start Service] --> B{Service Account Permissions?}
B -- No --> C[Error 5: Access Denied]
B -- Yes --> D{Resource Permissions?}
D -- No --> C
D -- Yes --> E[Service Starts Successfully]Decision flow for 'Error 5: Access is denied' troubleshooting.
Common Scenarios and Solutions
Let's explore the most frequent reasons for this error and how to address them. The solutions often involve adjusting security settings or the service configuration.
1. Incorrect Service Account Permissions
This is by far the most common cause. A Windows Service runs under a specific user account. If this account doesn't have the necessary permissions to access files, registry keys, network shares, or other system resources that the service needs, it will fail with 'Access is denied'.
1. Identify the Service Account
Open services.msc (Run -> services.msc). Locate your service, right-click, and select 'Properties'. Go to the 'Log On' tab. Note the account configured (e.g., 'Local System account', 'Network Service', 'Local Service', or a specific user account).
2. Grant Necessary Permissions
If the service runs as 'Local System', it usually has extensive privileges on the local machine. If it's 'Network Service' or 'Local Service', these accounts have limited permissions. If it's a custom user account, ensure that user account has full control over the service's executable folder, any folders it reads/writes to, and any registry keys it modifies. For network resources, the 'Network Service' account will present itself as the computer account on the network.
3. Consider a Dedicated Service Account
For production environments, it's best practice to create a dedicated domain user account with the minimum necessary permissions for the service to function. This follows the principle of least privilege.
2. File System Permissions for Service Executable
Even if the service account is correct, the service executable itself might not have the right permissions for the service account to start it. This is particularly true if the service was deployed manually or copied without proper security propagation.
1. Locate Service Executable
In services.msc, go to your service's properties, then the 'General' tab. The 'Path to executable' field shows the location of your service's .exe file.
2. Adjust Folder Permissions
Navigate to this folder in File Explorer. Right-click the folder, select 'Properties' -> 'Security' tab -> 'Edit'. Add the service account (e.g., 'Network Service' or your custom user) and grant it 'Full control' or at least 'Modify', 'Read & execute', 'List folder contents', 'Read', and 'Write' permissions. Apply these changes to subfolders and files.
3. Registry Permissions
If your service interacts with the Windows Registry, it might require specific permissions for certain keys. This is common for services that store configuration in the registry.
1. Identify Registry Keys
Review your service's code (C#/.NET) to identify any registry keys it attempts to read from or write to. Common paths include HKEY_LOCAL_MACHINE\SOFTWARE or HKEY_CURRENT_USER (though services typically avoid the latter).
2. Grant Registry Permissions
Open regedit.exe. Navigate to the relevant registry key. Right-click the key, select 'Permissions'. Add the service account and grant it 'Full Control' or 'Read'/'Write' as needed.
4. WCF Service Hosting Considerations
When hosting a WCF service within a Windows Service, additional considerations apply, especially regarding HTTP.SYS registration and endpoint access.
using System.ServiceModel;
using System.ServiceProcess;
public class MyWcfService : ServiceBase
{
public ServiceHost serviceHost = null;
public MyWcfService()
{
ServiceName = "MyWcfService";
}
protected override void OnStart(string[] args)
{
if (serviceHost != null)
{
serviceHost.Close();
}
// Base address for the service
Uri baseAddress = new Uri("http://localhost:8000/MyService/");
// Create a ServiceHost for the service type and its base address
serviceHost = new ServiceHost(typeof(MyServiceImplementation), baseAddress);
// Open the ServiceHost to start listening for messages
serviceHost.Open();
}
protected override void OnStop()
{
if (serviceHost != null)
{
serviceHost.Close();
serviceHost = null;
}
}
}
Example of a basic WCF service hosted in a Windows Service.
1. Check HTTP.SYS Permissions
If your WCF service uses HTTP or HTTPS, it needs to register its endpoint with HTTP.SYS. The service account must have permissions to do this. Use netsh http add urlacl to grant these permissions. For example:
netsh http add urlacl url=http://+:8000/MyService/ user="NT AUTHORITY\NETWORK SERVICE"
Replace http://+:8000/MyService/ with your service's base address and "NT AUTHORITY\NETWORK SERVICE" with your service account.
2. Verify Firewall Rules
Ensure that Windows Firewall is not blocking incoming connections to the port your WCF service is listening on (e.g., port 8000 in the example above).