Re: Task Scheduler service - access is denied
From: Les (lnoland_at_xnet.com)
Date: 11/25/03
- Next message: Brian Whitlock: "IE 6.0 Firewall/AOL 9.0"
- Previous message: Johnathan: "unauthorised sending of credit card information"
- In reply to: Les: "Re: Task Scheduler service - access is denied"
- Next in thread: Roger Abell: "Re: Task Scheduler service - access is denied"
- Reply: Roger Abell: "Re: Task Scheduler service - access is denied"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 25 Nov 2003 13:11:17 -0800
Actually, it just now occurred to me why I might be
having problems. When I reformatted my partition in
preparation for doing the recovery from backup, I changed
the partition from Fat32 to NTFS. I then loaded Windows
XP into this partition. The files I recovered from
Backup, however, were originally backed up from a Fat32
partition without the NTFS security settings. I'll bet
that's what caused things to get messed up.
I wonder if I should change it back to Fat32 and then
change it back to NTFS with all the files in place so
that the default security is set properly (I hope).
>-----Original Message-----
>I share your concerns about the restore (technically, a
>recovery from backup, not a system restore). It wasn't
>an easy recovery, either. I was not able to make system
>recovery disks (I always got the very informative
>message "Unable to create recovery disks" or something
>like that). Further, my backup software (Stomp's
>BackupMyPC) indicated that with Service Pack 1a I
>shouldn't use the system recovery disks but should do
>what I did which is to reload Windows XP (plus service
>pack) on a freshly formatted drive, reload the backup
>software and then reload from backup.
>
>I still have some other troubling symptoms but nothing
>overwhelming yet. I had to reregister the Windows
>Installer software to get it to work. For some reason
>the icons on my Welcome screen don't match those chosen
>for the user accounts. It makes me wonder what's going
>to go wrong next.
>>-----Original Message-----
>>Well, that was a long road, ey?
>>Glad you are running, but as often is the case,
>>I am left wondering why a restore did that.
>>
>>--
>>Roger Abell
>>Microsoft MVP (Windows Server System: Security)
>>MCSE (W2k3,W2k,Nt4) MCDBA
>>"Les" <lnoland@xnet.com> wrote in message
>>news:0b4601c3b2a2$e9ade680$a301280a@phx.gbl...
>>> Success!
>>>
>>> Actually, I had to modify your instructions slightly
>>> (which I'll document here to help the next guy).
>>>
>>> Attempting the cacls for system directly failed
>>> with "access denied". At first I simply tried adding
>>> the /c flag but that didn't do it. So finally I reasoned
>>> that I needed to set the permissions for the
>>> administrators group first (thus giving myself permission
>>> to access the directory and files). I did so (after
>>> changing the directory to C:\WINDOWS) with:
>>>
>>> cacls tasks /t /e /c /g administrators:f
>>>
>>> That worked, so I followed it with:
>>>
>>> cacls tasks /t /e /c /g system:f
>>>
>>> That worked as well. I then had no trouble starting up
>>> the task scheduler service.
>>>
>>> Thank you so much for all of your help. I very much
>>> appreciate it.
>>>
>>> - Les Noland
>>>
>>> >-----Original Message-----
>>> >From the cacls output you list it shows that only the
>>> >Authenticated Users group has some permissions on
>>> >the sa.dat file
>>> >You could issue
>>> >cacls C:\WINDOWS\Tasks /t /e /g system:f
>>> >in order to add permissions for System account and then
>>> >cacls C:\WINDOWS\Tasks /e /g administrators:f
>>> >to do the same for administrators
>>> >Then check the file permissions again with cacls to
>>> >make sure that these changes (made to the tasks special
>>> >folder) were propagated onto the sa.dat file
>>> >
>>> >--
>>> >Roger Abell
>>> >Microsoft MVP (Windows Server System: Security)
>>> >MCSE (W2k3,W2k,Nt4) MCDBA
>>> >"Les" <lnoland@xnet.com> wrote in message
>>> >news:4c2f01c3b271$a029fa20$a601280a@phx.gbl...
>>> >> Mr. Abell:
>>> >>
>>> >> I downloaded regmon and filemon, as you recommended, and
>>> >> tried them while attempting to start the task scheduler
>>> >> service. I didn't see anything particularly interesting
>>> >> with regmon (though, I admit, I don't really know what
>>> >> I'm looking for) but with filemon, I found that an open
>>> >> on c:\windows\tasks\sa.dat had a result of "ACCESS
>>> >> DENIED". sa.dat is apparently a hidden file but I found,
>>> >> using CACLS in the command prompt, that it had the
>>> >> following properties:
>>> >> C:\WINDOWS\Tasks\SA.DAT NT AUTHORITY\Authenticated Users:
>>> >> (special access:)
>>> >> READ_CONTROL
>>> >> SYNCHRONIZE
>>> >> FILE_GENERIC_READ
>>> >> FILE_READ_DATA
>>> >> FILE_READ_EA
>>> >> FILE_READ_ATTRIBUTES
>>> >>
>>> >> Now, I don't know what any of this means so I wasn't
>>> >> about to try changing anything, but I was hoping that you
>>> >> might, and could advise me what to try next.
>>> >>
>>> >> Many thanks for all of your help.
>>> >> >-----Original Message-----
>>> >> >Les,
>>> >> >
>>> >> >I am on a server system presently so cannot check defaults
>>> >> >for the RPC on XP right now, but I doubt that is your issue
>>> >> >if it is starting.
>>> >> >I was suggesting the service permissions issue based on a
>>> >> >KB article MS brought out warning about use of templates
>>> >> >use for services. It basically said one can get message similar
>>> >> >to what you have reported, an access violation in some form,
>>> >> >if System is not granted Full. I have found this strange as the
>>> >> >defaults very often, such as for System on Task Scheduler in
>>> >> >W2k server, are not Full.
>>> >> >
>>> >> >Anyway, at this point you need to find out what is being accessed
>>> >> >that is not being allowed. Have you checked the things scheduled?
>>> >> >These are stored somewhere, often defaulting to within the profile
>>> >> >of the account that was used to define the scheduled task.
>>> >> >It may be that it attempts to start, load the defined task info, fails
>>> >> >to access this, and crumbles. It may be that it is not being allowed
>>> >> >access in the registry or to some needed dll dependency.
>>> >> >To collect info on this, you could download the regmon and filemon
>>> >> >tools from www.sysinternals.com and watch to see where the accesses
>>> >> >are actually failing.
>>> >> >I am not aware of a way to uninstall and reinstall just the task sched
>>> >> >part of XP, and would not recommend trying an upgrade/repair for
>>> >> >this type of issue.
>>> >> >
>>> >> >--
>>> >> >Roger Abell
>>> >> >Microsoft MVP (Windows Server System: Security)
>>> >> >MCSE (W2k3,W2k,Nt4) MCDBA
>>> >> >"Les" <lnoland@xnet.com> wrote in message
>>> >> >news:05d301c3b1c4$961d12e0$a301280a@phx.gbl...
>>> >> >> Wow. Thanks so much for your detailed message.
>>> >> >> Unfortunately, I still can't get the task scheduler to
>>> >> >> start.
>>> >> >>
>>> >> >> I did as you said and found that the SYSTEM account did
>>> >> >> not have full access for the Task Scheduler service so I
>>> >> >> added it as you indicated. I verified that it had been
>>> >> >> added but I still get the "Error 5: Access is Denied"
>>> >> >> message when I try to start the service.
>>> >> >>
>>> >> >> I noticed that the task scheduler service is dependent on
>>> >> >> the RPC (remote procedure call) service, which *is*
>>> >> >> started and which also indicates that it should log on as
>>> >> >> the local system account. I tried checking its
>>> >> >> permissions in the tool you had me create and was
>>> >> >> surprised to see that SYSTEM wasn't even one of the
>>> >> >> accounts in its permissions list -- does that seem right?
>>> >> >> >-----Original Message-----
>>> >> >> >Although it is possible that the access problem is in
>>> >> >> >reading config info, like the on disk tasks you have
>>> >> >> >scheduled, as you have described it this sounds more
>>> >> >> >like the service is not allowed to be started.
>>> >> >> >
>>> >> >> >So, let's check the permissions on the service.
>>> >> >> >
>>> >> >> >For this you will need to make a custom mmc
>>> >> >> >console and load into it the two templates
>>> >> >> >Security Configuration and Analysis
>>> >> >> >and
>>> >> >> >Security Templates
>>> >> >> >
>>> >> >> >You may do this with Start / Run mmc and then use the
>>> >> >> >Add/Remove Snap-in selection of the Console drop menu
>>> >> >> >When done you might want to save this as WhatEver.msc
>>> >> >> >in your administrative tools folder.
>>> >> >> >
>>> >> >> >Define some working directory somewhere.
>>> >> >> >
>>> >> >> >Now, open the Templates snap-in and in the r-click
>>> >> >> >context menu and add the working directory as a new
>>> >> >> >templates search path. Then from the context menu
>>> >> >> >of the new path choose to make a new template,
>>> >> >> >OK, you now have a blank template that does nothing.
>>> >> >> >
>>> >> >> >Open the Sec Config & Analysis tool, r-click on it and
>>> >> >> >select to open database, navigate to the working dir and
>>> >> >> >give this new database some name .sdb In the process
>>> >> >> >you will be prompted to choose a template. Select the
>>> >> >> >one just made (and for the heck of it, check to clear the
>>> >> >> >database during the import).
>>> >> >> >
>>> >> >> >Now, r-click on this tool's main node and select to analyze.
>>> >> >> >
>>> >> >> >When it has completed, navigate to the System Services node
>>> >> >> >and highlight / dbl-click on the Task Scheduler service.
>>> >> >> >Click on the View Security button, dismiss the notice if
>>> >> >> >you get one, then highlight the entry for SYSTEM.
>>> >> >> >Does it have Full Control?
>>> >> >> >
>>> >> >> >Long road to here, but AFAIK this is the only way to
>>> >> >> >see/change the ACL on a service.
>>> >> >> >
>>> >> >> >If it is not at Full Control it is worth trying to set it
>>> >> >> >to have Full. For this, dismissing the View Perms
>>> >> >> >windows, check to define this policy, then for luck
>>> >> >> >change the start mode to something else and then to
>>> >> >> >Automatic, and finally click Edit Security. It should
>>> >> >> >have populated this with what you saw when viewing
>>> >> >> >security (that is the for luck part above).
>>> >> >> >Highlight SYSTEM and grant Full.
>>> >> >> >While here you may want to verify that Administrators
>>> >> >> >have Full Control also.
>>> >> >> >
>>> >> >> >Now, if you want look around elsewhere and you
>>> >> >> >should find that there are no other settings what-so-ever
>>> >> >> >that this currently will enforce (if the new template
>>> >> >> >was a new one).
>>> >> >> >
>>> >> >> >R-click on the lead node of Sec Config & Analysis
>>> >> >> >and select to Apply this. When you do this, since the
>>> >> >> >perms on Task Scheduler were populated from the
>>> >> >> >existing, and there are no other settings in the database,
>>> >> >> >you are only changing the permission for SYSTEM on
>>> >> >> >the Task Scheduler service. This is powerful stuff, so
>>> >> >> >you never want to Apply a sec database unless you
>>> >> >> >fully understand all of the settings it contains.
>>> >> >> >
>>> >> >> >When it is done you should see that the Task Sched
>>> >> >> >service is checkmarked as all OK and both security
>>> >> >> >dialogs show the same settings, with SYSTEM Full.
>>> >> >> >
>>> >> >> >Before exiting your new tool, r-click on the top node
>>> >> >> >of Sec Config & Analysis and select to export the
>>> >> >> >template, saving it under its original or under a new
>>> >> >> >name (which will leave the old one as a blank template
>>> >> >> >for future use).
>>> >> >> >
>>> >> >> >One heck of a lot of effort, but does the service now
>>> >> >> >start when you use services.msc to try starting it?
>>> >> >> >If not, then at least we have ruled this out as a cause.
>>> >> >> >
>>> >> >> >--
>>> >> >> >Roger Abell
>>> >> >> >Microsoft MVP (Windows Server System: Security)
>>> >> >> >MCSE (W2k3,W2k,Nt4) MCDBA
>>> >> >> >
>>> >> >> >"Les" <lnoland@xnet.com> wrote in message
>>> >> >> >news:07f801c3b0f2$68081440$a301280a@phx.gbl...
>>> >> >> >> I recently had to restore my system from backup and ever
>>> >> >> >> since, my Task scheduler service has not been running. I
>>> >> >> >> tried starting it but I get an "error 5: access is
>>> >> >> >> denied." Can anyone please help me figure out how to fix
>>> >> >> >> this?
>>> >> >> >>
>>> >> >> >> I am running Windows XP Professional, Service Pack 1a. I
>>> >> >> >> tried reinstalling the service pack, but with no success.
>>> >> >> >>
>>> >> >> >> Thanks for any help you can offer.
>>> >> >> >>
>>> >> >> >> - Les
>
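The check the thread arrives at (SYSTEM and Administrators need Full Control on C:\WINDOWS\Tasks and on sa.dat inside it) can be run as a read-only audit before anything is granted. This is an added example, not part of the original messages: it assumes a Windows system with PowerShell 3.0 or later, and the function name Test-TasksAcl is hypothetical.

```powershell
# Audit only: lists items under the Tasks folder where SYSTEM or Administrators
# lack an effective Allow ACE with FullControl. Nothing is modified.
# Deny ACEs are not evaluated. Test-TasksAcl is a hypothetical name; the
# default path is the one from the thread.
function Test-TasksAcl {
    param([string]$Path = 'C:\WINDOWS\Tasks')

    # Well-known SIDs, so the check does not depend on localized account names.
    $required = @{
        'S-1-5-18'     = 'SYSTEM'
        'S-1-5-32-544' = 'Administrators'
    }
    $full        = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType     = [System.Security.Principal.SecurityIdentifier]

    # -Force includes hidden files such as sa.dat.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # The situation in the thread: the caller cannot even read the ACL.
            [pscustomobject]@{ Path = $item.FullName; Missing = 'ACL unreadable' }
            continue
        }
        # SIDs holding an Allow ACE that applies to this object itself
        # (not inherit-only) and carries every FullControl bit.
        $granted = foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -eq 'Allow' -and
                ($ace.PropagationFlags -band $inheritOnly) -eq 0 -and
                ($ace.FileSystemRights -band $full) -eq $full) {
                $ace.IdentityReference.Value
            }
        }
        $missing = $required.Keys |
                   Where-Object { $granted -notcontains $_ } |
                   ForEach-Object { $required[$_] }
        if ($missing) {
            [pscustomobject]@{ Path = $item.FullName; Missing = ($missing -join ', ') }
        }
    }
}

Test-TasksAcl | Format-Table -AutoSize
```

An empty result means both principals already hold Full Control on every item that could be read; an "ACL unreadable" row corresponds to the "access denied" that cacls returned before the Administrators grant was applied.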