Re: Task Scheduler service - access is denied

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 11/26/03


Date: Wed, 26 Nov 2003 07:51:17 -0700

You likely have found the explanation. From what you
described as the necessary recovery route it is hard to
see the advantage gained from this backup software over
NTbackup.exe provided with XP.

Since you have Pro edition you may find interest in
Restore XP to installation Security Defaults
  for Pro see: http://support.microsoft.com/?id=313222
where you would specify to apply only the filestore area

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Les" <lnoland@xnet.com> wrote in message
news:0fdc01c3b398$aad89f30$a001280a@phx.gbl...
> Actually, it just now occurred to me why I might be
> having problems.  When I reformatted my partition in
> preparation for doing the recovery from backup, I changed
> the partition from Fat32 to NTFS.  I then loaded Windows
> XP into this partition.  The files I recovered from
> Backup, however, were originally backed up from a Fat32
> partition without the NTFS security settings.  I'll bet
> that's what caused things to get messed up.
>
> I wonder if I should change it back to Fat32 and then
> change it back to NTFS with all the files in place so
> that the default security is set properly (I hope).
>
> >-----Original Message-----
> >I share your concerns about the restore (technically, a
> >recovery from backup, not a system restore).  It wasn't
> >an easy recovery, either.  I was not able to make system
> >recovery disks (I always got the very informative
> >message "Unable to create recovery disks" or something
> >like that).  Further, my backup software (Stomp's
> >BackupMyPC) indicated that with Service Pack 1a I
> >shouldn't use the system recovery disks but should do
> >what I did which is to reload Windows XP (plus service
> >pack) on a freshly formatted drive, reload the backup
> >software and then reload from backup.
> >
> >I still have some other troubling symptoms but nothing
> >overwhelming yet.  I had to reregister the Windows
> >Installer software to get it to work.  For some reason
> >the icons on my Welcome screen don't match those chosen
> >for the user accounts.  It makes me wonder what's going
> >to go wrong next.
> >>-----Original Message-----
> >>Well, that was a long road, ey?
> >>Glad you are running, but as often is the case,
> >>I am left wondering why a restore did that.
> >>
> >>-- 
> >>Roger Abell
> >>Microsoft MVP (Windows Server System: Security)
> >>MCSE (W2k3,W2k,Nt4)  MCDBA
> >>"Les" <lnoland@xnet.com> wrote in message
> >>news:0b4601c3b2a2$e9ade680$a301280a@phx.gbl...
> >>> Success!
> >>>
> >>> Actually, I had to modify your instructions slightly
> >>> (which I'll document here to help the next guy).
> >>>
> >>> Attempting the cacls for system directly failed
> >>> with "access denied".  At first I simply tried adding
> >>> the /c flag but that didn't do it.  So finally I reasoned
> >>> that I needed to set the permissions for the
> >>> administrators group first (thus giving myself permission
> >>> to access the directory and files).  I did so (after
> >>> changing the directory to C:\WINDOWS) with:
> >>>
> >>> cacls tasks /t /e /c /g administrators:f
> >>>
> >>> That worked, so I followed it with:
> >>>
> >>> cacls tasks /t /e /c /g system:f
> >>>
> >>> That worked as well.  I then had no trouble starting up
> >>> the task scheduler service.
> >>>
> >>> Thank you so much for all of your help.  I very much
> >>> appreciate it.
> >>>
> >>>   - Les Noland
> >>>
> >>> >-----Original Message-----
> >>> >From the cacls output you list it shows that only the
> >>> >Authenticated Users group has some permissions on
> >>> >the sa.dat file
> >>> >You could issue
> >>> >cacls C:\WINDOWS\Tasks /t /e /g system:f
> >>> >in order to add permissions for System account and then
> >>> >cacls C:\WINDOWS\Tasks /e /g administrators:f
> >>> >to do the same for administrators
> >>> >Then check the file permissions again with cacls to
> >>> >make sure that these changes (made to the tasks special
> >>> >folder) were propagated onto the sa.dat file
> >>> >
> >>> >-- 
> >>> >Roger Abell
> >>> >Microsoft MVP (Windows Server System: Security)
> >>> >MCSE (W2k3,W2k,Nt4)  MCDBA
> >>> >"Les" <lnoland@xnet.com> wrote in message
> >>> >news:4c2f01c3b271$a029fa20$a601280a@phx.gbl...
> >>> >> Mr. Abell:
> >>> >>
> >>> >> I downloaded regmon and filemon, as you recommended, and
> >>> >> tried them while attempting to start the task scheduler
> >>> >> service.  I didn't see anything particularly interesting
> >>> >> with regmon (though, I admit, I don't really know what
> >>> >> I'm looking for) but with filemon, I found that an open
> >>> >> on c:\windows\tasks\sa.dat had a result of "ACCESS
> >>> >> DENIED".  sa.dat is apparently a hidden file but I found,
> >>> >> using CACLS in the command prompt, that it had the
> >>> >> following properties:
> >>> >> C:\WINDOWS\Tasks\SA.DAT NT AUTHORITY\Authenticated Users: (special access:)
> >>> >>   READ_CONTROL
> >>> >>   SYNCHRONIZE
> >>> >>   FILE_GENERIC_READ
> >>> >>   FILE_READ_DATA
> >>> >>   FILE_READ_EA
> >>> >>   FILE_READ_ATTRIBUTES
> >>> >>
> >>> >> Now, I don't know what any of this means so I wasn't
> >>> >> about to try changing anything, but I was hoping that you
> >>> >> might, and could advise me what to try next.
> >>> >>
> >>> >> Many thanks for all of your help.
> >>> >> >-----Original Message-----
> >>> >> >Les,
> >>> >> >
> >>> >> >I am on a server system presently so cannot check defaults
> >>> >> >for the RPC on XP right now, but I doubt that is your issue
> >>> >> >if it is starting.
> >>> >> >I was suggesting the service permissions issue based on a
> >>> >> >KB article MS brought out warning about use of templates
> >>> >> >use for services.  It basically said one can get message similar
> >>> >> >to what you have reported, an access violation in some form,
> >>> >> >if System is not granted Full.  I have found this strange as the
> >>> >> >defaults very often, such as for System on Task Scheduler in
> >>> >> >W2k server, are not Full.
> >>> >> >
> >>> >> >Anyway, at this point you need to find out what is being accessed
> >>> >> >that is not being allowed.  Have you checked the things scheduled?
> >>> >> >These are stored somewhere, often defaulting to within the profile
> >>> >> >of the account that was used to define the scheduled task.
> >>> >> >It may be that it attempts to start, load the defined task info, fails
> >>> >> >to access this, and crumbles.  It may be that it is not being allowed
> >>> >> >access in the registry or to some needed dll dependency.
> >>> >> >To collect info on this, you could download the regmon and filemon
> >>> >> >tools from www.sysinternals.com and watch to see where the accesses
> >>> >> >are actually failing.
> >>> >> >I am not aware of a way to uninstall and reinstall just the task sched
> >>> >> >part of XP, and would not recommend trying an upgrade/repair for
> >>> >> >this type of issue.
> >>> >> >
> >>> >> >-- 
> >>> >> >Roger Abell
> >>> >> >Microsoft MVP (Windows Server System: Security)
> >>> >> >MCSE (W2k3,W2k,Nt4)  MCDBA
> >>> >> >"Les" <lnoland@xnet.com> wrote in message
> >>> >> >news:05d301c3b1c4$961d12e0$a301280a@phx.gbl...
> >>> >> >> Wow.  Thanks so much for your detailed message.
> >>> >> >> Unfortunately, I still can't get the task scheduler to
> >>> >> >> start.
> >>> >> >>
> >>> >> >> I did as you said and found that the SYSTEM account did
> >>> >> >> not have full access for the Task Scheduler service so I
> >>> >> >> added it as you indicated.  I verified that it had been
> >>> >> >> added but I still get the "Error 5: Access is Denied"
> >>> >> >> message when I try to start the service.
> >>> >> >>
> >>> >> >> I noticed that the task scheduler service is dependent on
> >>> >> >> the RPC (remote procedure call) service, which *is*
> >>> >> >> started and which also indicates that it should log on as
> >>> >> >> the local system account.  I tried checking its
> >>> >> >> permissions in the tool you had me create and was
> >>> >> >> surprised to see that SYSTEM wasn't even one of the
> >>> >> >> accounts in its permissions list -- does that seem right?
> >>> >> >> >-----Original Message-----
> >>> >> >> >Although it is possible that the access problem is in
> >>> >> >> >reading config info, like the on disk tasks you have
> >>> >> >> >scheduled, as you have described it this sounds more
> >>> >> >> >like the service is not allowed to be started.
> >>> >> >> >
> >>> >> >> >So, let's check the permissions on the service.
> >>> >> >> >
> >>> >> >> >For this you will need to make a custom mmc
> >>> >> >> >console and load into it the two templates
> >>> >> >> >Security Configuration and Analysis
> >>> >> >> >and
> >>> >> >> >Security Templates
> >>> >> >> >
> >>> >> >> >You may do this with Start / Run  mmc and then use the
> >>> >> >> >Add/Remove Snap-in selection of the Console drop menu
> >>> >> >> >When done you might want to save this as WhatEver.msc
> >>> >> >> >in your administrative tools folder.
> >>> >> >> >
> >>> >> >> >Define some working directory somewhere.
> >>> >> >> >
> >>> >> >> >Now, open the Templates snap-in and in the r-click
> >>> >> >> >context menu and add the working directory as a new
> >>> >> >> >templates search path.  Then from the context menu
> >>> >> >> >of the new path choose to make a new template,
> >>> >> >> >OK, you now have a blank template that does nothing.
> >>> >> >> >
> >>> >> >> >Open the Sec Config & Analysis tool, r-click on it and
> >>> >> >> >select to open database, navigate to the working dir and
> >>> >> >> >give this new database some name .sdb  In the process
> >>> >> >> >you will be prompted to choose a template.  Select the
> >>> >> >> >one just made (and for the heck of it, check to clear the
> >>> >> >> >database during the import).
> >>> >> >> >
> >>> >> >> >Now, r-click on this tool's main node and select to analyze.
> >>> >> >> >
> >>> >> >> >When it has completed, navigate to the System Services node
> >>> >> >> >and highlight / dbl-click on the Task Scheduler service.
> >>> >> >> >Click on the View Security button, dismiss the notice if
> >>> >> >> >you get one, then highlight the entry for SYSTEM.
> >>> >> >> >Does it have Full Control?
> >>> >> >> >
> >>> >> >> >Long road to here, but AFAIK this is the only way to
> >>> >> >> >see/change the ACL on a service.
> >>> >> >> >
> >>> >> >> >If it is not at Full Control it is worth trying to set it
> >>> >> >> >to have Full.  For this, dismissing the View Perms
> >>> >> >> >windows, check to define this policy, then for luck
> >>> >> >> >change the start mode to something else and then to
> >>> >> >> >Automatic, and finally click Edit Security.  It should
> >>> >> >> >have populated this with what you saw when viewing
> >>> >> >> >security (that is the for luck part above).
> >>> >> >> >Highlight SYSTEM and grant Full.
> >>> >> >> >While here you may want to verify that Administrators
> >>> >> >> >have Full Control also.
> >>> >> >> >
> >>> >> >> >Now, if you want look around elsewhere and you
> >>> >> >> >should find that there are no other settings whatsoever
> >>> >> >> >that this currently will enforce (if the new template
> >>> >> >> >was a new one).
> >>> >> >> >
> >>> >> >> >R-click on the lead node of Sec Config & Analysis
> >>> >> >> >and select to Apply this. When you do this, since the
> >>> >> >> >perms on Task Scheduler were populated from the
> >>> >> >> >existing, and there are no other settings in the database,
> >>> >> >> >you are only changing the permission for SYSTEM on
> >>> >> >> >the Task Scheduler service.  This is powerful stuff, so
> >>> >> >> >you never want to Apply a sec database unless you
> >>> >> >> >fully understand all of the settings it contains.
> >>> >> >> >
> >>> >> >> >When it is done you should see that the Task Sched
> >>> >> >> >service is checkmarked as all OK and both security
> >>> >> >> >dialogs show the same settings, with SYSTEM Full.
> >>> >> >> >
> >>> >> >> >Before exiting your new tool, r-click on the top node
> >>> >> >> >of Sec Config & Analysis and select to export the
> >>> >> >> >template, saving it under its original or under a new
> >>> >> >> >name (which will leave the old one as a blank template
> >>> >> >> >for future use).
> >>> >> >> >
> >>> >> >> >One heck of a lot of effort, but does the service now
> >>> >> >> >start when you use services.msc to try starting it?
> >>> >> >> >If not, then at least we have ruled this out as a cause.
> >>> >> >> >
> >>> >> >> >-- 
> >>> >> >> >Roger Abell
> >>> >> >> >Microsoft MVP (Windows Server System: Security)
> >>> >> >> >MCSE (W2k3,W2k,Nt4)  MCDBA
> >>> >> >> >
> >>> >> >> >"Les" <lnoland@xnet.com> wrote in message
> >>> >> >> >news:07f801c3b0f2$68081440$a301280a@phx.gbl...
> >>> >> >> >> I recently had to restore my system from backup and ever
> >>> >> >> >> since, my Task scheduler service has not been running.  I
> >>> >> >> >> tried starting it but I get an "error 5: access is
> >>> >> >> >> denied."  Can anyone please help me figure out how to fix
> >>> >> >> >> this?
> >>> >> >> >>
> >>> >> >> >> I am running Windows XP Professional, Service Pack 1a.  I
> >>> >> >> >> tried reinstalling the service pack, but with no success.
> >>> >> >> >>
> >>> >> >> >> Thanks for any help you can offer.
> >>> >> >> >>
> >>> >> >> >>   - Les
> >
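
The verification step described in the thread (re-running cacls to confirm that SYSTEM and Administrators ended up with Full on sa.dat) can be checked mechanically over saved cacls output. This is an added example, not code from the thread: the `BEFORE` listing is re-typed from the quoted message, while the `AFTER` listing and all function names are constructed for illustration.

```python
import re

PATH = r"C:\WINDOWS\Tasks\SA.DAT"
REQUIRED = ("NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators")

# Re-typed from the cacls listing quoted in the thread (before the fix).
BEFORE = r"""C:\WINDOWS\Tasks\SA.DAT NT AUTHORITY\Authenticated Users: (special access:)
  READ_CONTROL
  SYNCHRONIZE
  FILE_GENERIC_READ
  FILE_READ_DATA
  FILE_READ_EA
  FILE_READ_ATTRIBUTES
"""

# Constructed sample: a listing in which both grants reached the file.
AFTER = r"""C:\WINDOWS\Tasks\SA.DAT NT AUTHORITY\Authenticated Users:R
                        BUILTIN\Administrators:F
                        NT AUTHORITY\SYSTEM:F
"""

# principal:(OI)(CI)(IO)right ; the inheritance flags are optional
ACE = re.compile(r"^([^:]+):\s*((?:\((?:OI|CI|IO)\))*)(.+)$")

def parse_cacls(path, text):
    """Return {principal: [rights]} for one path's cacls listing."""
    acl, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line carries the path
        m = ACE.match(line)
        if m and "(IO)" in m.group(2):
            current = None                    # inherit-only: not effective here
        elif m:
            current = m.group(1)
            rights = acl.setdefault(current, [])
            if m.group(3) != "(special access:)":
                rights.append(m.group(3))
        elif line and current is not None:
            acl[current].append(line)         # right listed under special access
    return acl

def missing_full_control(path, text, required=REQUIRED):
    """Principals from `required` that lack an effective F entry."""
    acl = {who.lower(): rights for who, rights in parse_cacls(path, text).items()}
    return [who for who in required if "F" not in acl.get(who.lower(), [])]
```

An empty list from `missing_full_control` means the grants made on the Tasks folder did propagate onto the file; inherit-only entries are ignored because they do not apply to the object being listed.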