Re: Task Scheduler service - access is denied
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 11/24/03
Date: Mon, 24 Nov 2003 08:06:17 -0700
From the cacls output you list it shows that only the
Authenticated Users group has some permissions on
the sa.dat file.
You could issue
cacls C:\WINDOWS\Tasks /t /e /g system:f
in order to add permissions for System account and then
cacls C:\WINDOWS\Tasks /e /g administrators:f
to do the same for administrators.
Then check the file permissions again with cacls to
make sure that these changes (made to the tasks special
folder) were propagated onto the sa.dat file.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Les" <lnoland@xnet.com> wrote in message
news:4c2f01c3b271$a029fa20$a601280a@phx.gbl...
> Mr. Abell:
>
> I downloaded regmon and filemon, as you recommended, and
> tried them while attempting to start the task scheduler
> service. I didn't see anything particularly interesting
> with regmon (though, I admit, I don't really know what
> I'm looking for) but with filemon, I found that an open
> on c:\windows\tasks\sa.dat had a result of "ACCESS
> DENIED". sa.dat is apparently a hidden file but I found,
> using CACLS in the command prompt, that it had the
> following properties:
> C:\WINDOWS\Tasks\SA.DAT NT AUTHORITY\Authenticated Users:
> (special access:)
> READ_CONTROL
> SYNCHRONIZE
> FILE_GENERIC_READ
> FILE_READ_DATA
> FILE_READ_EA
> FILE_READ_ATTRIBUTES
>
> Now, I don't know what any of this means so I wasn't
> about to try changing anything, but I was hoping that you
> might, and could advise me what to try next.
>
> Many thanks for all of your help.
> >-----Original Message-----
> >Les,
> >
> >I am on a server system presently so cannot check defaults
> >for the RPC on XP right now, but I doubt that is your issue
> >if it is starting.
> >I was suggesting the service permissions issue based on a
> >KB article MS brought out warning about use of templates
> >use for services. It basically said one can get message similar
> >to what you have reported, an access violation in some form,
> >if System is not granted Full. I have found this strange as the
> >defaults very often, such as for System on Task Scheduler in
> >W2k server, are not Full.
> >
> >Anyway, at this point you need to find out what is being accessed
> >that is not being allowed. Have you checked the things scheduled ?
> >These are stored somewhere, often defaulting to within the profile
> >of the account that was used to define the scheduled task.
> >It may be that it attempts to start, load the defined task info, fails
> >to access this, and crumbles. It may be that it is not being allowed
> >access in the registry or to some needed dll dependency.
> >To collect info on this, you could download the regmon and filemon
> >tools from www.sysinternals.com and watch to see where the accesses
> >are actually failing.
> >I am not aware of a way to uninstall and reinstall just the task sched
> >part of XP, and would not recommend trying an upgrade/repair for
> >this type of issue.
> >
> >--
> >Roger Abell
> >Microsoft MVP (Windows Server System: Security)
> >MCSE (W2k3,W2k,Nt4) MCDBA
> >"Les" <lnoland@xnet.com> wrote in message
> >news:05d301c3b1c4$961d12e0$a301280a@phx.gbl...
> >> Wow. Thanks so much for your detailed message.
> >> Unfortunately, I still can't get the task scheduler to
> >> start.
> >>
> >> I did as you said and found that the SYSTEM account did
> >> not have full access for the Task Scheduler service so I
> >> added it as you indicated. I verified that it had been
> >> added but I still get the "Error 5: Access is Denied"
> >> message when I try to start the service.
> >>
> >> I noticed that the task scheduler service is dependent on
> >> the RPC (remote procedure call) service, which *is*
> >> started and which also indicates that it should log on as
> >> the local system account. I tried checking its
> >> permissions in the tool you had me create and was
> >> surprised to see that SYSTEM wasn't even one of the
> >> accounts in its permissions list -- does that seem right?
> >> >-----Original Message-----
> >> >Although it is possible that the access problem is in
> >> >reading config info, like the on disk tasks you have
> >> >scheduled, as you have described it this sounds more
> >> >like the service is not allowed to be started.
> >> >
> >> >So, let's check the permissions on the service.
> >> >
> >> >For this you will need to make a custom mmc
> >> >console and load into it the two templates
> >> >Security Configuration and Analysis
> >> >and
> >> >Security Templates
> >> >
> >> >You may do this with Start / Run mmc and then use the
> >> >Add/Remove Snap-in selection of the Console drop menu
> >> >When done you might want to save this as WhatEver.msc
> >> >in your administrative tools folder.
> >> >
> >> >Define some working directory somewhere.
> >> >
> >> >Now, open the Templates snap-in and in the r-click
> >> >context menu and add the working directory as a new
> >> >templates search path. Then from the context menu
> >> >of the new path choose to make a new template,
> >> >OK, you now have a blank template that does nothing.
> >> >
> >> >Open the Sec Config & Analysis tool, r-click on it and
> >> >select to open database, navigate to the working dir and
> >> >give this new database some name .sdb In the process
> >> >you will be prompted to choose a template. Select the
> >> >one just made (and for the heck of it, check to clear the
> >> >database during the import).
> >> >
> >> >Now, r-click on this tool's main node and select to analyze.
> >> >
> >> >When it has completed, navigate to the System Services node
> >> >and highlight / dbl-click on the Task Scheduler service.
> >> >Click on the View Security button, dismiss the notice if
> >> >you get one, then highlight the entry for SYSTEM.
> >> >Does it have Full Control ?
> >> >
> >> >Long road to here, but AFAIK this is the only way to
> >> >see/change the ACL on a service.
> >> >
> >> >If it is not at Full Control it is worth trying to set it
> >> >to have Full. For this, dismissing the View Perms
> >> >windows, check to define this policy, then for luck
> >> >change the start mode to something else and then to
> >> >Automatic, and finally click Edit Security. It should
> >> >have populated this with what you saw when viewing
> >> >security (that is the for luck part above).
> >> >Highlight SYSTEM and grant Full.
> >> >While here you may want to verify that Administrators
> >> >have Full Control also.
> >> >
> >> >Now, if you want look around elsewhere and you
> >> >should find that there are no other settings what-so-ever
> >> >that this currently will enforce (if the new template
> >> >was a new one).
> >> >
> >> >R-click on the lead node of Sec Config & Analysis
> >> >and select to Apply this. When you do this, since the
> >> >perms on Task Scheduler were populated from the
> >> >existing, and there are no other settings in the database,
> >> >you are only changing the permission for SYSTEM on
> >> >the Task Scheduler service. This is powerful stuff, so
> >> >you never want to Apply a sec database unless you
> >> >fully understand all of the settings it contains.
> >> >
> >> >When it is done you should see that the Task Sched
> >> >service is checkmarked as all OK and both security
> >> >dialogs show the same settings, with SYSTEM Full.
> >> >
> >> >Before exiting your new tool, r-click on the top node
> >> >of Sec Config & Analysis and select to export the
> >> >template, saving it under its original or under a new
> >> >name (which will leave the old one as a blank template
> >> >for future use).
> >> >
> >> >One heck of a lot of effort, but does the service now
> >> >start when you use services.msc to try starting it ?
> >> >If not, then at least we have ruled this out as a cause.
> >> >
> >> >--
> >> >Roger Abell
> >> >Microsoft MVP (Windows Server System: Security)
> >> >MCSE (W2k3,W2k,Nt4) MCDBA
> >> >
> >> >"Les" <lnoland@xnet.com> wrote in message
> >> >news:07f801c3b0f2$68081440$a301280a@phx.gbl...
> >> >> I recently had to restore my system from backup and ever
> >> >> since, my Task scheduler service has not been running. I
> >> >> tried starting it but I get an "error 5: access is
> >> >> denied." Can anyone please help me figure out how to fix
> >> >> this?
> >> >>
> >> >> I am running Windows XP Professional, Service Pack 1a. I
> >> >> tried reinstalling the service pack, but with no success.
> >> >>
> >> >> Thanks for any help you can offer.
> >> >>
> >> >> - Les
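
The re-check suggested at the top of this message (confirm that the Full Control grants for System and Administrators reached the Tasks folder and were propagated onto sa.dat), written as a PowerShell function. This is an added example, not part of the original thread; it assumes a system where PowerShell is available, and the function name Test-FullControl is hypothetical.

```powershell
# Added example (not from the thread): verify that SYSTEM and Administrators
# hold Full Control on the Tasks folder and on the hidden SA.DAT file.
# Well-known SIDs are used so the check does not depend on localized names.
$Required = [ordered]@{
    'S-1-5-18'     = 'SYSTEM'
    'S-1-5-32-544' = 'Administrators'
}

function Test-FullControl {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    # -Force makes Get-Item return hidden files such as SA.DAT.
    $acl  = Get-Item -LiteralPath $Path -Force | Get-Acl
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $sidT = [System.Security.Principal.SecurityIdentifier]

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, $sidT)

    foreach ($sid in $Required.Keys) {
        $mine  = @($rules | Where-Object { $_.IdentityReference.Value -eq $sid })
        $allow = $mine | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        } | Select-Object -First 1
        $deny  = $mine | Where-Object { $_.AccessControlType -eq 'Deny' }

        [pscustomobject]@{
            Path        = $Path
            Account     = $Required[$sid]
            FullControl = [bool]$allow
            # True means the grant arrived by propagation from the parent.
            Inherited   = if ($allow) { $allow.IsInherited } else { $null }
            # A Deny ACE can still block access despite an Allow grant.
            HasDeny     = [bool]$deny
        }
    }
}

# Paths as quoted in the thread.
'C:\WINDOWS\Tasks', 'C:\WINDOWS\Tasks\SA.DAT' |
    ForEach-Object { Test-FullControl -Path $_ } |
    Format-Table -AutoSize
```

A row with FullControl False for SA.DAT while the folder shows True means the grant did not reach the file.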