# Solved: Access Denied when trying to Start Service



## bxf (Aug 6, 2004)

I have a VB script that issues StartService. This works fine under XP. It also works under Win7, but only if I run it as Administrator. If I run it as another user with Administrator rights, it fails with "Access Denied".

Is there any way to use StartService without having to run as Administrator?

Thanks for any input.


----------



## Mumbodog (Oct 3, 2007)

I don't think so; user accounts with admin rights are different from the true Admin. This changed with Vista and carried forward to W7.

You might try disabling UAC, see if it will run.



----------



## bxf (Aug 6, 2004)

Thanks, Mumbodog. Yes, turning off UAC enables me to start the service from the script. Unfortunately, to have a UAC change take effect, one has to restart, which means that I'd have to keep on running with UAC off. Still, this was an educational piece of information.

While we're on the subject of UAC: I'm "sure" that somebody somewhere must have raised the question of why MS didn't implement the concept of a "Trusted Application", so that one could flag selected programs as being SAFE, and hence candidates for bypassing UAC. Is there an answer to such a question?


----------



## Mumbodog (Oct 3, 2007)

MS is always behind the times, plain and simple.

It was an attempt by Microsoft to make their OS more like OSX, so they came up with the half-baked idea of UAC to keep malware from getting on the system instead of a complete rewrite of the OS to rid it of things like the registry and DLLs. It backfired of course. They tamed down UAC in Windows 7 somewhat.

I use the hidden admin account in Vista and W7, does away with all the nonsense of the regular user account, makes it more like XP.





----------



## bxf (Aug 6, 2004)

OK, UAC is a nuisance, but it does provide a certain level of protection. Whether or not that protection level justifies the nuisance level is another question.

What gets me, though, is that I would have thought that it is so simple to implement the SAFE program concept. Just one additional flag - in the Compatibility screen, for example - and then a simple check at the beginning of the UAC processing module (whatever it may be) that says something like "IF SAFE flag ON, EXIT".

I suppose there may be non-obvious reasons why it could not have been done in such a simple way, but I wouldn't be surprised if there isn't.


----------



## TheOutcaste (Aug 8, 2007)

Not sure if you can call it simple, but Microsoft does provide for Trusted Applications:
Trusted Application Deployment Overview

You can also use the Elevate Powertoy to let your scripts prompt for elevation when needed, or use it at the start to prompt once, then edit the registry to change the UAC mode to not prompt, then set it back when the script finishes.

Change *ConsentPromptBehaviorAdmin* located here to zero:

```
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
```
You can first save the value (usually 2), use this script to change it to zero, then run your script. When done, simply restore the original value using a standard registry write command.
This is in VBScript (Windows Script Host) but VB.NET should be the same or similar:

```
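' Launch cmd.exe through the "runas" verb so that UAC prompts once for elevation
Set objShell = CreateObject("Shell.Application")
StrApplication = "C:\WINDOWS\system32\cmd.exe"
' Elevated command: set ConsentPromptBehaviorAdmin to 0 (no further prompts)
StrCmdLine = "/S /C ""Reg Add ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"" /V ConsentPromptBehaviorAdmin /T REG_DWORD /D 0 /F"""
' Last argument 0 runs the command window hidden
objShell.ShellExecute strApplication, strCmdLine, "", "runas", 0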
```
You'll be prompted once with UAC, but after that, you won't be prompted again. You do get a pop-up from the notification area to check UAC settings, but that can be ignored.


----------



## bxf (Aug 6, 2004)

Thanks Outcaste.

The discussion about Trusted Applications is way too complex, at least for my present state of mind. However, the ELEVATE command works perfectly for my purposes.

Not that it matters, but the value I have in ConsentPromptBehaviorAdmin is "5" - don't know what it means vs a "2".

I should mention that rather than use "REG ADD", all I had to do is the following:

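```
' Not shown in the post: the HKLM hive constant and the WMI registry provider object
Const cHKLM = &H80000002
Set objgReg = GetObject("winmgmts:\\.\root\default:StdRegProv")

RegPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
' Save the current prompt behaviour, then set it to 0 (no prompt)
objgReg.GetDWordValue cHKLM, RegPath, "ConsentPromptBehaviorAdmin", saveCPBA
objgReg.SetDWordValue cHKLM, RegPath, "ConsentPromptBehaviorAdmin", 0

' ...Start Service...

' Restore the saved value
objgReg.SetDWordValue cHKLM, RegPath, "ConsentPromptBehaviorAdmin", saveCPBA
```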

The script is subsequently invoked as: elevate wscript ""<path to script>""

Works as required.

Thanks again.


----------



## TheOutcaste (Aug 8, 2007)

You're Welcome
Don't know what 5 would be either, I've only seen 0, 1, and 2 mentioned as settings.
http://msdn.microsoft.com/en-us/library/cc232761(PROT.13).aspx

Might be the same as a 1 when looked at in binary, assuming it only looks at the last two bits:
5=101
If someone manually edited that key, might just be a typo; easy to hit a 5 instead of a 2 on the numeric keypad.
A 1 requires even an Admin account to enter a username and password, rather than just clicking a continue button.

Thanks for the VB code; I've only used this method for allowing a batch file to run elevated, so used Reg Add as I'm much more familiar with batch than VB/WSH.


----------
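
Added example (not part of any post in this thread): a PowerShell check that reads the ConsentPromptBehaviorAdmin value discussed above and flags a host left in the no-prompt state, for instance when a script that sets it to 0 exits before restoring the saved value. The value meanings are the ones Microsoft documents for Windows 7 and later; the function name `Get-UacAdminPromptStatus` is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit the UAC admin-prompt policy discussed in this thread.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented ConsentPromptBehaviorAdmin values ("Behavior of the elevation
# prompt for administrators in Admin Approval Mode").
$Meaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

# Hypothetical helper: describe one policy state and flag silent elevation.
function Get-UacAdminPromptStatus {
    param(
        [int]$Value,          # ConsentPromptBehaviorAdmin
        [int]$EnableLUA = 1   # 0 means UAC is switched off entirely
    )
    $text = if ($Meaning.ContainsKey($Value)) { $Meaning[$Value] } else { 'Unknown value' }
    [pscustomobject]@{
        ConsentPromptBehaviorAdmin = $Value
        Meaning                    = $text
        EnableLUA                  = $EnableLUA
        # True when an administrator's processes elevate with no prompt at all.
        SilentElevation            = ($Value -eq 0) -or ($EnableLUA -eq 0)
    }
}

# Constructed sample input: the three values mentioned in the thread.
0, 2, 5 | ForEach-Object { Get-UacAdminPromptStatus -Value $_ }

# Live check on a Windows host (reading this key needs no elevation).
if (Test-Path $PolicyKey) {
    $p = Get-ItemProperty -Path $PolicyKey
    if ($null -eq $p.ConsentPromptBehaviorAdmin) {
        # A missing value must not be read as 0, so report it separately.
        'ConsentPromptBehaviorAdmin is not set under the policy key'
    } else {
        # Assumption: a missing EnableLUA value is treated as 1 (UAC on).
        $lua = if ($null -ne $p.EnableLUA) { $p.EnableLUA } else { 1 }
        Get-UacAdminPromptStatus -Value $p.ConsentPromptBehaviorAdmin -EnableLUA $lua
    }
}
```

A result with `SilentElevation` set to `True` means the prompt was never restored (or UAC is off), which is the state the save-and-restore scripts above leave behind if they fail partway through.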

