PRB: After CreateService() with UNC Name, Service Start Fails

ID: Q127862

The information in this article applies to:
  • Microsoft Win32 Application Programming Interface (API), used with:
    • Microsoft Windows NT versions 3.5, 3.51, 4.0
    • Microsoft Windows 2000

SYMPTOMS

When giving a Universal Naming Convention (UNC) name to CreateService(), the call succeeds, but the service start fails with ERROR_ACCESSS_DENIED (5). This error will only occur if the service is specified to run in the LocalSystem account.


CAUSE

The Service Control Manager calls CreateProcess() to start the service. If the service is specified to run in a user account, the Service Control Manager impersonates the user before calling CreateProcess(). If the service is specified to run in the LocalSystem account, the Service Control Manager runs in the LocalSystem security context. When you call CreateProcess() with a UNC name from a process running in the LocalSystem context, you get ERROR_ACCESS_DENIED. This is because LocalSystem has restricted (less than guest) access to remote machines. A null session is set up for LocalSystem remote access, which has reduced rights.


RESOLUTION

There are three possible solutions:

  • Run the service from a user account which has access to the UNC share.

    -or-


  • When specifying the fully qualified path to the service binary file, do not use a UNC name. It may be desirable to copy the service binary file to the local machine. This has the added benefit that the service will no longer be dependent on network operations.

    -or-


  • If the service binary is on, add SHARENAME to 
    
    HKEY_LOCAL_MACHINE\SYSTEM\ 
      CurrentControlSet\ 
      Services\ 
      LanmanServer\ 
      Parameters\ 
      NullSessionShares
    on MACHINEA. This will let requests to access this share from null sessions succeed.

    WARNING: This will allow everyone access to the share. If you want to maintain security for the share, create an account with the access required.


Additional query words: 3.50

Keywords : kbKernBase kbWinOS2000 kbService kbDSupport kbGrpKernBase
Version : winnt:3.5,3.51,4.0
Platform : winnt
Issue type : kbprb


Last Reviewed: January 5, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.