Resetting the Discretionary Access Control List (DACL) in a Windows Service security descriptor

Resetting the Discretionary Access Control List (DACL) in a Windows Service security descriptor

OpenService FAILED 5: Access is denied. — “Oh crap!”

If you ever see this error and need to reset the DACL on a Windows service, let’s say in case you (or someone else) accidentally deletes it, or configure it to something that prevents you from reading it’s security settings, this might do the trick:
First of all, get a cup of coffee.
Download PsExec (a tool in PsTools), which among other things allow you  to run commands as the “local system” account.
Find out what the real name of the service is by looking in the following registry key:


The real name (not the display name) of the service is the name of the key itself.
Start a Command Prompt (cmd) window as administrator.
Start a new cmd session as the system account:

PsExec.exe /s cmd

Now it’s time to set a new DACL, this is done by using the command “sc sdset” followed by the service name and the new security descriptor using SDDL-format (Security Descriptor Definition Language). If you are unsure what parameters to use here, you can either run “sc sdshow” on another service that most likely are configured the same way as the service you are changing were, or try the command in the example below.
The command below will give access to Local System (SY), Built-in administrators (BA), Interactively logged-on user (IU) and Service logon user (SU).


You should be looking at the relieving message: [SC] SetServiceObjectSecurity SUCCESS
Now, enjoy your coffee 😉


YOU REALLY SAVE MY LIFE AND MY JOB! THANK YOU SO MUCH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Leave a Reply

Your email address will not be published. Required fields are marked *