How to View and Modify Service Permissions in Windows

Summary: This article explains the various methods to view the permissions for any Service in Windows. It also covers the tools and methods to modify the service permissions easily.

Just as file system objects and registry keys have permissions, each service in Windows can have a set of permissions. The permission entries for a service determine who can stop the service, query its status, change the startup type, modify the service configuration, or delete the service.

You may have observed that the Start, Stop, and the Startup type controls are grayed out for some services, even when you’re logged in as an administrator.

And if you attempt to stop the Task Scheduler service from admin Command Prompt, you’ll get the following error message:

System error 5 has occurred.

Access is denied

This is because the Task Scheduler service permissions are pre-configured such that even the administrators can’t control this particular service.

In this article, we’ll see how to view service permissions and modify them if needed.

How to View the Service Permissions

There are many tools available to query the service permissions in Windows. Let’s see some of the methods.

Method 1: Using SC.EXE SDSHOW command-line

To view the permissions for a Service, use the following command-line (from admin Command Prompt) syntax:

sc.exe sdshow [service_short_name]

For Task Scheduler, the short name is schedule, as seen in the Task Scheduler service properties. So, this is the command you’d run:

sc.exe sdshow schedule

It returns a weird output (called “security descriptors”) that looks like the following:

D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

The above output shows the Task Scheduler service’s permission entries in Security Descriptor Definition Language (SDDL) format.

The SDDL output can contain DACL as well as SACL entries. A DACL identifies users and groups who are allowed or denied access to an object. The SACL defines how access is audited on an object. SACL enables administrators to log attempts to access a secured object.

• In this article, let’s cover only the DACL (denoted by the D: at the beginning.) SACL is for a different purpose and is out of the scope of this article.

Security Descriptors meaning

So, here’s the meaning of the security descriptors for Task Scheduler service:

For more information, check out ACE Strings and Service Security and Access Rights at Microsoft Docs website.

The last two characters after the ACE strings represent the security principal assigned with these permissions.

Let’s see what rights the “built-in administrators” group has, as per this SDDL.

D:
(A;;CCLCSWLORC;;;AU)
(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
(A;;CCLCSWLORC;;;BU)
S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

The built-in administrators (BA) group has the following rights:

As you can see, the BA group doesn’t have the permissions to stop (WP), change the service configuration (DC), or delete the service (SD).

Whereas the Local System account (SY) has full permissions:

(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

As you see, the Local System user has the full permissions (SERVICE_ALL_ACCESS), and it can do anything with this service.

Alternate method: To stop, restart, or reconfigure the Task Scheduler service, you can use the Local System account. For more information on this topic, see the article How to Run a Program as SYSTEM (LocalSystem) Account in Windows. Likewise, for services owned by TrustedInstaller, you can start Command Prompt as TrustedInstaller to manage the service.

Method 2: Using Sysinternals AccessChk

Windows Sysinternals AccessChk tool can query the access rights (of specific users or groups) on files, directories, Registry keys, global objects, and Windows services.

To query the Task Scheduler service permissions using AccessChk, run this command from admin Command Prompt:

accesschk -c schedule -l

You’ll get an output like this:

schedule
  [0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\Authenticated Users
	SERVICE_QUERY_STATUS
	SERVICE_QUERY_CONFIG
	SERVICE_INTERROGATE
	SERVICE_ENUMERATE_DEPENDENTS
	READ_CONTROL
  [1] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Administrators
	SERVICE_ALL_ACCESS
  [2] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
	SERVICE_ALL_ACCESS
  [3] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users
	SERVICE_QUERY_STATUS
	SERVICE_QUERY_CONFIG
	SERVICE_INTERROGATE
	SERVICE_ENUMERATE_DEPENDENTS
	READ_CONTROL

The above is a neat representation of the SDDL (security descriptor) string you saw in Method 1.

Method 3: Using Sysinternals PsTools

Windows Sysinternals PsService (part of the PsTools suite) is a service viewer and controller for Windows. Like the SC utility, PsService displays the status, configuration, dependencies of a service, and allows you to start, stop, pause, resume and restart them.

To query the Task Scheduler service permissions using PsService.exe or PsService64.exe, run this command from admin Command Prompt:

psservice.exe security schedule

Here’s it what it outputted:

SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
	ACCOUNT: LocalSystem
	SECURITY:
	[ALLOW] NT AUTHORITY\Authenticated Users
	        Query status
	        Query Config
	        Interrogate
	        Enumerate Dependents
	        Read Permissions
	[ALLOW] BUILTIN\Administrators
	        All
	[ALLOW] NT AUTHORITY\SYSTEM
	        All
	[ALLOW] BUILTIN\Users
	        Query status
	        Query Config
	        Interrogate
	        Enumerate Dependents
	        Read Permissions

As you can see above, the output generated by AccessChk and PsService utilities is very friendly, compared to the weird/cryptic security descriptor codes shown by the SC.exe command-line.

Method 4: Using SetACL.exe utility

The SetACL.exe utility (from Helge Klein) is an excellent command-line utility that can automate permissions in Windows. Using SetACL, you can view and change ownership and permissions for the file system, registry, printers, network shares, services, etc.

To view the permissions of a service (e.g., Task Scheduler service), run this command:

SetACL.exe -on "schedule" -ot srv -actn list

• -on  – ObjectName
• -ot – ObjectType
• -actn – Action to take

(For a complete list of command-line switches, check out the official SetACL.exe documentation at Helge’s site.)

You’ll see the following output (in friendly format):

schedule

DACL(not_protected):
Authenticated Users SERVICE_ENUMERATE_DEPENDENTS+SERVICE_INTERROGATE+SERVICE_QUERY_CONFIG+SERVICE_QUERY_STATUS+READ_CONTROL allow no_inheritance
Administrators start_stop+WRITE_OWNER+WRITE_DAC allow no_inheritance
SYSTEM full allow no_inheritance
Users SERVICE_ENUMERATE_DEPENDENTS+SERVICE_INTERROGATE+SERVICE_QUERY_CONFIG+SERVICE_QUERY_STATUS+READ_CONTROL allow no_inheritance

SetACL finished successfully.

View the SDDL

To view the permissions in SDDL format instead, run this command-line:

SetACL.exe -on "schedule" -ot srv -actn list -lst "f:sddl"

The output will be like below:

"schedule",2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPWPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)"

SetACL finished successfully.

Method 5: Using Sysinternals Process Explorer

The Process Explorer tool from Windows Sysinternals can be used to view (and edit) service permissions.

See section Using Process Explorer at the bottom of this article for more information.

Method 6: Using Service Security Editor

The Service Security Editor utility (third-party freeware) lets you view configure service permissions very easily.

See section Service Security Editor at the bottom of this article for more information.

How to Modify the service permissions

You can modify the service permissions using many ways. Let’s see some methods.

Method 1: Using SC SDSET command-line

The sc.exe sdshow command-line we’ve seen earlier in this article queries the service permissions. To modify the permissions for a service, you need the sc.exe sdset command-line argument.

To give administrators the full control permissions for the Task Scheduler service, you’d use this SDDL string:

D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

instead of the original one below:

D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

To apply the new SDDL for the Task Scheduler service, open an admin Command Prompt window and type this:

sc.exe sdset schedule D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

You should get the message [SC] SetServiceObjectSecurity SUCCESS in the output.

This grants the following additional permissions for the Administrators group:

That’s it. Now, the Administrators group can start, stop, query, change the configuration, or even delete the service.

The buttons and the startup type options in Task Scheduler properties are now available for Administrators.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[service_name]\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Security

Method 2: Using Sysinternals Process Explorer

If the service is currently running, you can use the Process Explorer tool (again, from Windows Sysinternals) to modify the service permissions.

1. First, open Task Manager to find the right svchost.exe (there will be many svchost.exe instances) that hosts the Task Scheduler service. For more information, check out the article How to View the Services Running Under Svchost.exe in Windows.
2. Launch Process Explorer as administrator.
3. Double-click the svchost.exe process (you can track by PID), which hosts the Task Scheduler service.
   
4. Click on the Permissions button.
   
5. In the Permissions dialog, click Advanced. This opens the Advanced Security Settings dialog for the service.
6. Select Administrators, and click Edit.
   
7. In the Permission Entry dialog, enable the required permission checkboxes accordingly. Note that the Administrators group has already the Change Permissions and Change Owner permissions for this service.
8. Enable Stop (SERVICE_STOP) and the Change Config (“SERVICE_CHANGE_CONFIG”) checkboxes.
9. Click OK, and close Process Explorer.

You can now fully control the Task Scheduler service as an administrator.

Method 3: Using Service Security Editor

Service Security Editor (ServiceSecurityEditor.exe), a digitally signed executable from Core Technologies Consulting, LLC, is a free standalone utility to view and set permissions for any Windows service easily. You can download the program from the following link:

https://www.coretechnologies.com/products/ServiceSecurityEditor/

Select the service from the list, and click Open…

This opens the Security settings dialog where you can set your required permissions for the chosen service.

Click OK, and click Done to save your settings.

Method 4: Using SetACL.exe utility

The SetACL.exe utility (from Helge Klein) is an excellent command-line utility that can automate permissions in Windows. Using SetACL, you can view and change ownership and permissions for the file system, registry, printers, network shares, services, etc.

To assign Administrators full control permissions (SERVICE_ALL_ACCESS) for a service (e.g., Task Scheduler), run this command:

SetACL.exe -on "schedule" -ot srv -actn ace -ace "n:administrators;p:full"

(where schedule is the short name for the Task Scheduler service)

• -on – Object Name
• -ot – Object Type
• -actn – Action to take
• -ace – set permissions/ACE
• n – Principal (Account or group name)
• p – Permissions
• full – full control permissions. For services, it means SERVICE_ALL_ACCESS.

(For a complete list of command-line switches, check out the official SetACL.exe documentation at Helge’s site.)

For services, SetACL supports only three permissions levels, namely start_stop, read, and full. Here are the details about each permission level:

Comparison: SDDL changes for Task Scheduler

[Before (Windows-default permission level)]
D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPWPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

[After assigning full control permissions for Administrators(BA)] D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

The options in the Task Scheduler service properties dialog won’t be grayed out now.

Editor’s note: If you need to assign granular permissions (e.g., grant SERVICE_START but not SERVICE_STOP, or the other way) for a user or group, then SetACL may not be your best option. You can use one of the other methods described in this article.

SDDL – References

Here are some links to third-party articles where you can learn more about the SDDL strings.

Understanding SDDL Syntax | IT Connect:
https://itconnect.uw.edu/wares/msinf/other-help/understanding-sddl-syntax/

Set permissions on a specific service (Windows) – My Notes to Myself and Others…:
https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

SDDL Explained | clan8blog:
https://clan8blog.wordpress.com/2016/08/08/sddl-explained/

Getting started with SDDL (Security Descriptor Definition Language) - lewisroberts.com:
https://www.lewisroberts.com/2010/09/16/getting-started-with-sddl/

Check Windows services status - what privilege do I need - Stack Overflow:
https://stackoverflow.com/questions/26724423/check-windows-services-status-what-privilege-do-i-need?lq=1

If you ask for STANDARD_RIGHTS_REQUIRED, you may as well ask for the moon | The Old New Thing:
https://devblogs.microsoft.com/oldnewthing/20080227-00/?p=23303

I hope the brief introduction to SDDL and the information to view and modify the Service permissions proved useful. Let’s know your comments.