Re: Task Scheduler service - access is denied

From: Les (lnoland_at_xnet.com)
Date: 11/25/03 

Date: Tue, 25 Nov 2003 13:01:03 -0800

I share your concerns about the restore (technically, a
recovery from backup, not a system restore). It wasn't
an easy recovery, either. I was not able to make system
recovery disks (I always got the very informative
message "Unable to create recovery disks" or something
like that). Further, my backup software (Stomp's
BackupMyPC) indicated that with Service Pack 1a I
shouldn't use the system recovery disks but should do
what I did which is to reload Windows XP (plus service
pack) on a freshly formatted drive, reload the backup
software and then reload from backup.

I still have some other troubling symptoms but nothing
overwhelming yet. I had to reregister the Windows
Installer software to get it to work. For some reason
the icons on my Welcome screen don't match those chosen
for the user accounts. It makes me wonder what's going
to go wrong next.
>-----Original Message-----
>Well, that was a long road, ey?
>Glad you are running, but as often is the case,
>I am left wondering why a restore did that .
>
>--
>Roger Abell
>Microsoft MVP (Windows Server System: Security)
>MCSE (W2k3,W2k,Nt4) MCDBA
>"Les" <lnoland@xnet.com> wrote in message
>news:0b4601c3b2a2$e9ade680$a301280a@phx.gbl...
>> Success!
>>
>> Actually, I had to modify your instructions slightly
>> (which I'll document here to help the next guy).
>>
>> Attempting the cacls for system directly failed
>> with "access denied". At first I simply tried adding
>> the /c flag but that didn't do it. So finally I
reasoned
>> that I needed to set the permissions for the
>> administrators group first (thus giving myself
permission
>> to access the directory and files). I did so (after
>> changing the directory to C:\WINDOWS) with:
>>
>> cacls tasks /t /e /c /g administrators:f
>>
>> That worked, so I followed it with:
>>
>> cacls tasks /t /e /c /g system:f
>>
>> That worked as well. I then had no trouble starting up
>> the task scheduler service.
>>
>> Thank you so much for all of your help. I very much
>> appreciate it.
>>
>> - Les Noland
>>
>> >-----Original Message-----
>> >From the cacls output you list it shows that only the
>> >Authenticated Users group has some permissions on
>> >the sa.dat file
>> >You could issue
>> >cacls C:\WINDOWS\Tasks /t /e /g system:f
>> >in order to add permissions for System account and
then
>> >cacls C:\WINDOWS\Tasks /e /g administrators:f
>> >to do the same for administrators
>> >Then check the file permissions again with cacls to
>> >make sure that these changed (made to the tasks
special
>> >folder) were propagated onto the sa.dat file
>> >
>> >--
>> >Roger Abell
>> >Microsoft MVP (Windows Server System: Security)
>> >MCSE (W2k3,W2k,Nt4) MCDBA
>> >"Les" <lnoland@xnet.com> wrote in message
>> >news:4c2f01c3b271$a029fa20$a601280a@phx.gbl...
>> >> Mr. Abell:
>> >>
>> >> I downloaded regemon and filemon, as you
recommended,
>> and
>> >> tried them while attempting to start the task
scheduler
>> >> service. I didn't see anything particularly
>> interesting
>> >> with regemon (though, I admit, I don't really know
what
>> >> I'm looking for) but with filemon, I found that an
open
>> >> on c:\windows\tasks\sa.dat had a result of "ACCESS
>> >> DENIED". sa.dat is apparently a hidden file but I
>> found,
>> >> using CACLS in the command prompt, that it had the
>> >> following properties:
>> >> C:\WINDOWS\Tasks\SA.DAT NT AUTHORITY\Authenticated
>> Users:
>> >> (special access:)
>> >> READ_CONTROL
>> >> SYNCHRONIZE
>> >> FILE_GENERIC_READ
>> >> FILE_READ_DATA
>> >> FILE_READ_EA
>> >> FILE_READ_ATTRIBUTES
>> >>
>> >> Now, I don't know what any of this means so I wasn't
>> >> about to try changing anything, but I was hoping
that
>> you
>> >> might, and could advise me what to try next.
>> >>
>> >> Many thanks for all of your help.
>> >> >-----Original Message-----
>> >> >Les,
>> >> >
>> >> >I am on a server system presently so cannot check
>> >> defaults
>> >> >for the RPC on XP right now, but I doubt that is
your
>> >> issue
>> >> >if it is starting.
>> >> >I was suggesting the servie permissions issue based
>> on a
>> >> >KB article MS brought out warning about use of
>> templates
>> >> >use for services. It basically said one can get
>> message
>> >> similar
>> >> >to what you have reported, an access violation in
some
>> >> form,
>> >> >if System is not granted Full. I have found this
>> >> strange as the
>> >> >defaults very often, such as for System on Task
>> >> Scheduler in
>> >> >W2k server, are not Full.
>> >> >
>> >> >Anyway, at this point you need to find out what is
>> being
>> >> accessed
>> >> >that is not being allowed. Have you checked the
>> things
>> >> scheduled ?
>> >> >These are stored somewhere, often defaulting to
within
>> >> the profile
>> >> >of the account that was used to define the
scheduled
>> >> task.
>> >> >It may be that it attempts to start, load the
defined
>> >> task info, fails
>> >> >to access this, and crumbles. It may be that it is
>> not
>> >> being allowed
>> >> >access in the registry or to some needed dll
>> dependency.
>> >> >To collect info on this, you could download the
regmon
>> >> and filemon
>> >> >tools from www.sysinternals.com and watch to see
where
>> >> the accesses
>> >> >are actually failing.
>> >> >I am not aware of a way to ininstall and reinstall
>> just
>> >> the task sched
>> >> >part of XP, and would not recommend trying an
>> >> upgrade/repair for
>> >> >this type of issue.
>> >> >
>> >> >--
>> >> >Roger Abell
>> >> >Microsoft MVP (Windows Server System: Security)
>> >> >MCSE (W2k3,W2k,Nt4) MCDBA
>> >> >"Les" <lnoland@xnet.com> wrote in message
>> >> >news:05d301c3b1c4$961d12e0$a301280a@phx.gbl...
>> >> >> Wow. Thanks so much for your detailed message.
>> >> >> Unfortunately, I still can't get the task
scheduler
>> to
>> >> >> start.
>> >> >>
>> >> >> I did as you said and found that the SYSTEM
account
>> did
>> >> >> not have full access for the Task Scheduler
service
>> so
>> >> I
>> >> >> added it as you indicated. I verified that it
had
>> been
>> >> >> added but I still get the "Error 5: Access is
>> Denied"
>> >> >> message when I try to start the service.
>> >> >>
>> >> >> I noticed that the task scheduler service is
>> dependent
>> >> on
>> >> >> the RPC (remote procedure call) service, which
*is*
>> >> >> started and which also indicates that it should
log
>> on
>> >> as
>> >> >> the local system account. I tried checking its
>> >> >> permissions in the tool you had me create and was
>> >> >> surprised to see that SYSTEM wasn't even one of
the
>> >> >> accounts in its permissions list -- does that
seem
>> >> right?
>> >> >> >-----Original Message-----
>> >> >> >Although it is possible that the access problem
is
>> in
>> >> >> >reading config info, like the on disk tasks you
>> have
>> >> >> >scheduled, as you have described it this sounds
>> more
>> >> >> >like the service is not allowed to be started.
>> >> >> >
>> >> >> >So, let's check the permissions on the service.
>> >> >> >
>> >> >> >For this you will need to make a custom mmc
>> >> >> >console and load into it the two templates
>> >> >> >Security Configuration and Analysis
>> >> >> >and
>> >> >> >Security Templates
>> >> >> >
>> >> >> >You may do with with Start / Run mmc and then
use
>> the
>> >> >> >Add/Remove Snap-in selection of the Console drop
>> menu
>> >> >> >When done you might want to save this as
>> WhatEver.msc
>> >> >> >in you administrative tools folder.
>> >> >> >
>> >> >> >Define some working directory somewhere.
>> >> >> >
>> >> >> >Now, open the Templates snap-in and in the r-
click
>> >> >> >context menu and add the working directory as a
new
>> >> >> >templates search path. Then from the context
menu
>> >> >> >of the new path choose to make a new template,
>> >> >> >OK, you now have a blank template that does
>> nothing.
>> >> >> >
>> >> >> >Open the Sec Config & Analysis tool, r-click on
it
>> and
>> >> >> >select to open database, navigate to the working
>> dir
>> >> and
>> >> >> >give this new database some name .sdb In the
>> process
>> >> >> >you will be prompted to choose a template.
Select
>> the
>> >> >> >one just made (and for the heck of it, check to
>> clear
>> >> the
>> >> >> >database during the import).
>> >> >> >
>> >> >> >Now, r-click on this tool's main node and
select to
>> >> >> analyze.
>> >> >> >
>> >> >> >When it has completed, navigate to the System
>> Services
>> >> >> node
>> >> >> >and highlight / dbl-click on the Task Scheduler
>> >> service.
>> >> >> >Click on the View Security button, dismiss the
>> notice
>> >> if
>> >> >> >you get one, then highlight the entry for
SYSTEM.
>> >> >> >Does it have Full Control ?
>> >> >> >
>> >> >> >Long road to here, but AFAIK this is the only
way
>> to
>> >> >> >see/change the ACL on a service.
>> >> >> >
>> >> >> >If it is not at Full Control it is worth trying
to
>> >> set it
>> >> >> >to have Full. For this, dismissing the View
Perms
>> >> >> >windows, check to define this policy, then for
luck
>> >> >> >change the start mode to something else and
then to
>> >> >> >Automatic, and finally click Edit Security. It
>> should
>> >> >> >have populated this with what you saw when
viewing
>> >> >> >security (that is the for luck part above).
>> >> >> >Highlight SYSTEM and grant Full.
>> >> >> >While here you may want to verify that
>> Administrators
>> >> >> >have Full Control also.
>> >> >> >
>> >> >> >Now, if you want look around elsewhere and you
>> >> >> >should find that there are no other setting
what-
>> so-
>> >> ever
>> >> >> >that this currently will enforce (if the new
>> template
>> >> >> >was a new one).
>> >> >> >
>> >> >> >R-click on the lead node of Sec Config &
Analysis
>> >> >> >and select to Apply this. When you do this,
since
>> the
>> >> >> >perms on Task Scheduler were populated from the
>> >> >> >existing, and there are no other settings in the
>> >> >> database,
>> >> >> >you are only changing the permission for SYSTEM
on
>> >> >> >the Task Scheduler service. This is powerful
>> stuff,
>> >> so
>> >> >> >you never want to Apply a sec database unless
you
>> >> >> >fully understand all of the settings it
contains.
>> >> >> >
>> >> >> >When it is done you should see that the Task
Sched
>> >> >> >service is checkmarked as all OK and both
security
>> >> >> >dialogs show the same settings, with SYSTEM
Full.
>> >> >> >
>> >> >> >Before exiting your new tool, r-click on the top
>> node
>> >> >> >so Sec Config & Analysis and select to export
the
>> >> >> >template, saving it under its original or under
a
>> new
>> >> >> >name (which will leave the old one as a blank
>> template
>> >> >> >for future use).
>> >> >> >
>> >> >> >One heck of a lot of effort, but does the
service
>> now
>> >> >> >start when you use services.msc to try starting
>> it ?
>> >> >> >If not, then at least we have ruled this out as
a
>> >> cause.
>> >> >> >
>> >> >> >--
>> >> >> >Roger Abell
>> >> >> >Microsoft MVP (Windows Server System: Security)
>> >> >> >MCSE (W2k3,W2k,Nt4) MCDBA
>> >> >> >
>> >> >> >"Les" <lnoland@xnet.com> wrote in message
>> >> >> >news:07f801c3b0f2$68081440$a301280a@phx.gbl...
>> >> >> >> I recently had to restore my system from
backup
>> and
>> >> >> ever
>> >> >> >> since, my Task scheduler service has not been
>> >> >> running. I
>> >> >> >> tried starting it but I get an "error 5:
access
>> is
>> >> >> >> denied." Can anyone please help me figure out
>> how
>> >> to
>> >> >> fix
>> >> >> >> this?
>> >> >> >>
>> >> >> >> I am running Windows XP Professional, Service
>> Pack
>> >> >> 1a. I
>> >> >> >> tried reinstalling the service pack, but with
no
>> >> >> success.
>> >> >> >>
>> >> >> >> Thanks for any help you can offer.
>> >> >> >>
>> >> >> >> - Les
>> >> >> >
>> >> >> >
>> >> >> >.
>> >> >> >
>> >> >
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >
>
>
>.
>

Quantcast