Is there a way to grant the permission again in order to allow me to start the service again? I’m on Windows Server 2012 R2, if that matters.
— Charles
Hi Charles, sorry to hear that!
You won’t be able to access the service from any account or group where you applied the Deny permission. As Microsoft mentions in the confirmation window, the Deny directive is at the “top of the heap” and always takes precedence over Allow:
Here are a couple of ways to fix your problem:
Solution #1: Restore your Windows Service permissions from a new Administrator account
Did you deny access to the Administrators group?
If not, you can restore your permissions from a new administrator account in a few steps:
Create a new user account — best done from the Control Panel:
Change the account type to Administrator:
Log in as the new user.
Start Service Security Editor and open your service. Select the account in the top panel, remove all the Deny entries and replace them with Allow rights.
For example:
After applying those changes, you should be able to access the service when you next log into your regular account.
Don’t forget to delete the new administrator account you created for this purpose!
Solution #2: Restore your Windows Service permissions from the SYSTEM account
The first solution will not work if you denied access to all administrators. No admin will be able to open the service.
Fortunately the all-powerful SYSTEM account will still be able to manipulate the service. But since you can’t simply sign in as the SYSTEM user and update the service’s permissions, you must take a less than direct approach using our popular AlwaysUp application:
Download and install AlwaysUp.
Even though the software costs $49.99, you can use it completely free for 30 days — more than enough time for you to restore the rights to your Windows Service.
Set up the command prompt to run as the SYSTEM user in AlwaysUp. To do so:
Select Application > Add to open the “Add Application” window.
In the Application field, enter the full path to the Windows command prompt executable, cmd.exe. On Windows Server 2012 R2 (and almost all other versions of Windows), this is:
c:\windows\system32\cmd.exe
Click the Save button to record your settings. An entry for Cmd should appear in the AlwaysUp window:
Select Application > Start “Cmd” in this session. In a second or two, a black command prompt window will appear on your desktop. It will be running in the context of the SYSTEM user.
From the command prompt window, type the full path to the Service Security Editor executable and hit enter. This will start a new instance of Service Security Editor on your desktop:
Open your service in Service Security Editor. Select the Administrators group in the top panel, remove all the Deny entries and add Allow rights.
How about giving full control to all administrators?
Click the OK button to save the updated access rights.
And finally, now that your service is once again accessible, clean up:
Close Service Security Editor.
Switch to AlwaysUp and select Application > Stop “Cmd” to shut down the command prompt.
Hopefully one of these methods will get you back on your feet, Charles. If not, please don’t hesitate to get in touch again. There may be another trick or two up our sleeves. 🙂
And please be safe!
Charles found a third solution! He reported:
“It works now after using Permissions Time Machine Lite. Thank you so much for your support.”
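To see why the Deny entry locks out administrators while SYSTEM is unaffected, here is an added example (not part of the original post or of Service Security Editor) that reads a service security descriptor in the SDDL text form printed by `sc sdshow`, checks who may start the service, and rebuilds the descriptor without the Deny entries. The descriptor is a constructed sample, the function names are hypothetical, and the access check is simplified: it assumes two-letter rights codes and ignores inheritance flags.

```python
import re

# Constructed sample, not from a real host: Administrators (BA) are denied
# start (RP), stop (WP) and pause/continue (DT) on a service.
SAMPLE_SDDL = (
    "D:(D;;RPWPDT;;;BA)"
    "(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

def parse_dacl(sddl):
    """Split a descriptor into (DACL flags, list of 6-field ACEs, SACL text)."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a descriptor that starts with D:")
    cut = sddl.find("S:")
    dacl, sacl = (sddl, "") if cut == -1 else (sddl[:cut], sddl[cut:])
    first = dacl.find("(")
    flags = dacl if first == -1 else dacl[:first]
    aces = [body.split(";") for body in re.findall(r"\(([^()]*)\)", dacl)]
    return flags, aces, sacl

def is_allowed(aces, token_sids, right):
    """Walk the ACEs in order; the first one naming the right for a SID in the token decides."""
    for ace_type, _flags, mask, _obj, _inh, sid in aces:
        codes = {mask[i:i + 2] for i in range(0, len(mask), 2)}
        if sid in token_sids and right in codes:
            return ace_type == "A"
    return False  # no ACE grants the right

def strip_deny(sddl, sid):
    """Return the descriptor with every Deny ACE for `sid` removed."""
    flags, aces, sacl = parse_dacl(sddl)
    kept = [a for a in aces if not (a[0] == "D" and a[5] == sid)]
    return flags + "".join("(" + ";".join(a) + ")" for a in kept) + sacl

if __name__ == "__main__":
    dacl = parse_dacl(SAMPLE_SDDL)[1]
    print("Administrators may start:", is_allowed(dacl, {"BA"}, "RP"))
    print("SYSTEM may start:        ", is_allowed(dacl, {"SY"}, "RP"))
    fixed = strip_deny(SAMPLE_SDDL, "BA")
    print("After removing Deny:     ", is_allowed(parse_dacl(fixed)[1], {"BA"}, "RP"))
    print(fixed)
```

The last line printed is a descriptor in the form that `sc sdset` accepts; compare it with the `sc sdshow` output for the service before applying anything.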