Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Symptoms
Getting “System.ComponentModel.Win32Exception: Access is denied” on an ASP.NET website. Below is the complete exception details:
Exception Details: System.ComponentModel.Win32Exception: Access is denied
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and ___location of the exception can be identified using the exception stack trace below.
Stack Trace:
[Win32Exception (0x80004005): Access is denied]
[InvalidOperationException: Cannot open Service Control Manager on computer '.'. This operation might require other privileges.]
System.ServiceProcess.ServiceController.GetDataBaseHandle() +297
System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess) +14
System.ServiceProcess.ServiceController.GenerateStatus() +103
System.ServiceProcess.ServiceController.get_Status() +10
Mine.Page_Load(Object sender, EventArgs e) +26
System.EventHandler.Invoke(Object sender, EventArgs e) +0
System.Web.UI.Control.OnLoad(EventArgs e) +67
System.Web.UI.Control.LoadRecursive() +35
System.Web.UI.Page.ProcessRequestMain() +750
And, we see the below Failure Audit in the Security Event log:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 1/26/2010
Time: 4:10:08 PM
User: servername\username
Computer: servername
Description:
Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,579955549}
Process ID: 440
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: servername$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: username
Client Domain: servername
Client Logon ID: (0x0,0x225DC742)
Accesses: Connect to service controller
Enumerate services
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x5
Cause
Found that this is due to a DACL problem with the SCManager object
Resolution
We modified the DACL for SCManager object by running below command:
SC SDSET SCMANAGER D:(A;;CCLCRPRC;;;WD)(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
DACL was originally D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD) which didn’t include the local users group to have permissions to query the SCM object, and hence the failure of the code trying to query the status of the aspnet_state service.
More Information
You can also try querying the DACL information just for the service the code is using. In my case, customer was trying to query the "aspnet_state" service and was failing with the above problem.
Related Blog
Web Service can’t start the Windows Service
https://blogs.msdn.com/winsdk/archive/2009/11/18/web-service-can-t-start-the-windows-service.aspx