PRB: After CreateService() with UNC Name, Service Start Fails

• Microsoft Win32 Application Programming Interface (API) included with:

      - Microsoft Windows NT versions 3.5, 3.51, 4.0
  

SYMPTOMS

When giving a Universal Naming Convention (UNC) name to CreateService(), the call succeeds, but the service start fails with ERROR_ACCESSS_DENIED (5). This error will only occur if the service is specified to run in the LocalSystem account.

CAUSE

The Service Control Manager calls CreateProcess() to start the service. If the service is specified to run in a user account, the Service Control Manager impersonates the user before calling CreateProcess(). If the service is specified to run in the LocalSystem account, the Service Control Manager runs in the LocalSystem security context. When you call CreateProcess() with a UNC name from a process running in the LocalSystem context, you get ERROR_ACCESS_DENIED. This is because LocalSystem has restricted (less than guest) access to remote machines. A null session is set up for LocalSystem remote access, which has reduced rights.

RESOLUTION

There are three possible solutions:

• Run the service from a user account which has access to the UNC share.

  -or-

• When specifying the fully qualified path to the service binary file, do not use a UNC name. It may be desirable to copy the service binary file to the local machine. This has the added benefit that the service will no longer be dependent on network operations.

  -or-

• If the service binary is on, add SHARENAME to

  HKEY_LOCAL_MACHINE\SYSTEM\

        CurrentControlSet\
        Services\
        LanmanServer\
        Parameters\
        NullSessionShares
  

  on MACHINEA. This will let requests to access this share from null sessions succeed.

  WARNING: This will allow everyone access to the share. If you want to maintain security for the share, create an account with the access required.