How to View and Modify Service Permissions in Windows

Summary: This article explains the various methods to view the permissions for any Service in Windows. It also covers the tools and methods to modify the service permissions easily.

Just as file system objects and registry keys have permissions, each service in Windows can have a set of permissions. The permission entries for a service determine who can stop the service, query its status, change the startup type, modify the service configuration, or delete the service.

You may have observed that the Start, Stop, and the Startup type controls are grayed out for some services, even when you’re logged in as an administrator.

task scheduler service grayed out options

And if you attempt to stop the Task Scheduler service from admin Command Prompt, you’ll get the following error message:

System error 5 has occurred.

Access is denied

service stop error 5 - view and edit service permissions

This is because the Task Scheduler service permissions are pre-configured such that even the administrators can’t control this particular service.

In this article, we’ll see how to view service permissions and edit them if needed.

Contents

    1. View service permissions
    2. Modify service permissions

Editor’s choice: PsService & Service Security Editor.

tips bulb iconThe built-in SC.exe command/method requires you to first understand the SDDL format before you can interpret or modify the service permissions. You don’t need to know the complicated SDDL language if you follow the other methods.

Important

The permissions levels of the built-in services (e.g., Task Scheduler) are not meant to be modified arbitrarily by the user. Task Scheduler service has been used as an example in this article to illustrate how the service permissions can be viewed and modified.

However, you can use this information to configure a custom or 3rd party service as per your requirements.

How to View the Service Permissions

There are many tools available to query the service permissions in Windows. Let’s see some of the methods.

Method 1: Using SC.EXE SDSHOW command-line

To view the permissions for a Service, use the following command-line (from admin Command Prompt) syntax:

sc.exe sdshow [service_short_name]

For Task Scheduler, the short name is schedule, as seen in the Task Scheduler service properties. So, this is the command you’d run:

sc.exe sdshow schedule

sc sdshow sddl - view and edit service permissions

It returns a weird output (called “security descriptors”) that looks like the following:

D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

The above output shows the Task Scheduler service’s permission entries in Security Descriptor Definition Language (SDDL) format.

The SDDL output can contain DACL as well as SACL entries. A DACL identifies users and groups who are allowed or denied access to an object. The SACL defines how access is audited on an object. SACL enables administrators to log attempts to access a secured object.

  • In this article, let’s cover only the DACL (denoted by the D: at the beginning.) SACL is for a different purpose and is out of the scope of this article.

Security Descriptors meaning

So, here’s the meaning of the security descriptors for Task Scheduler service:

D: Discretionary ACL (DACL)
S: System Access Control List (SACL)

 

ACE type Meaning
A Access Allowed

 

ACE flags string Meaning
CC SERVICE_QUERY_CONFIG Query the SCM for the service configuration
LC SERVICE_QUERY_STATUS Query the SCM the current status of the service
SW SERVICE_ENUMERATE_DEPENDENTS List dependent services
LO SERVICE_INTERROGATE Query the service its current status
RC READ_CONTROL Query the security descriptor of the service
RP SERVICE_START Start the service
DT SERVICE_PAUSE_CONTINUE Pause/Resume the service
CR SERVICE_USER_DEFINED_CONTROL
WD WRITE_DAC Change the permissions of the service
WO WRITE_OWNER Change the owner in the object’s security descriptor.
WP SERVICE_STOP Stop the service
DC SERVICE_CHANGE_CONFIG Change service configuration
SD DELETE The right to delete the service

For more information, check out ACE Strings and Service Security and Access Rights at Microsoft Docs website.

The last two characters after the ACE strings represent the security principal assigned with these permissions.

Abbreviation Security Principal
AU Authenticated Users
BA Built-in administrators
SY Local System
BU Built-in users
WD Everyone

Let’s see what rights the “built-in administrators” group has, as per this SDDL.

D:
(A;;CCLCSWLORC;;;AU)
(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
(A;;CCLCSWLORC;;;BU)
S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

The built-in administrators (BA) group has the following rights:

ACE flags string
CC SERVICE_QUERY_CONFIG Query the SCM for the service configuration
LC SERVICE_QUERY_STATUS Query the SCM the current status of the service
SW SERVICE_ENUMERATE_DEPENDENTS List dependent services
LO SERVICE_INTERROGATE Query the service its current status
RC READ_CONTROL Query the security descriptor of the service
RP SERVICE_START Start the service
DT SERVICE_PAUSE_CONTINUE Pause/Resume the service
CR SERVICE_USER_DEFINED_CONTROL
WD WRITE_DAC Change the permissions of the service
WO WRITE_OWNER Change the ownership of the service

As you can see, the BA group doesn’t have the permissions to stop (WP), change the service configuration (DC), or delete the service (SD).

Whereas the Local System account (SY) has full permissions:

(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
ACE flags string
CC SERVICE_QUERY_CONFIG Query the SCM for the service configuration
LC SERVICE_QUERY_STATUS Query the SCM the current status of the service
SW SERVICE_ENUMERATE_DEPENDENTS List dependent services
LO SERVICE_INTERROGATE Query the service its current status
RC READ_CONTROL Query the security descriptor of the service
RP SERVICE_START Start the service
DT SERVICE_PAUSE_CONTINUE Pause/Resume the service
CR SERVICE_USER_DEFINED_CONTROL
WD WRITE_DAC Change the permissions of the service
WO WRITE_OWNER Change the ownership of the service
WP SERVICE_STOP Stop the service
DC SERVICE_CHANGE_CONFIG Change service configuration
SD DELETE The right to delete the service

As you see, the Local System user has the full permissions (SERVICE_ALL_ACCESS), and it can do anything with this service.

tips bulb iconAlternate method: To stop, restart, or reconfigure the Task Scheduler service, you can use the Local System account. For more information on this topic, see the article How to Run a Program as SYSTEM (LocalSystem) Account in Windows. Likewise, for services owned by TrustedInstaller, you can start Command Prompt as TrustedInstaller to manage the service.


Method 2: Using Sysinternals AccessChk

Windows Sysinternals AccessChk tool can query the access rights (of specific users or groups) on files, directories, Registry keys, global objects, and Windows services.

To query the Task Scheduler service permissions using AccessChk, run this command from admin Command Prompt:

accesschk -c schedule -l

You’ll get an output like this:

schedule
  [0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\Authenticated Users
	SERVICE_QUERY_STATUS
	SERVICE_QUERY_CONFIG
	SERVICE_INTERROGATE
	SERVICE_ENUMERATE_DEPENDENTS
	READ_CONTROL
  [1] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Administrators
	SERVICE_ALL_ACCESS
  [2] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
	SERVICE_ALL_ACCESS
  [3] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users
	SERVICE_QUERY_STATUS
	SERVICE_QUERY_CONFIG
	SERVICE_INTERROGATE
	SERVICE_ENUMERATE_DEPENDENTS
	READ_CONTROL

The above is a neat representation of the SDDL (security descriptor) string you saw in Method 1.


Method 3: Using Sysinternals PsTools

Windows Sysinternals PsService (part of the PsTools suite) is a service viewer and controller for Windows. Like the SC utility, PsService displays the status, configuration, dependencies of a service, and allows you to start, stop, pause, resume and restart them.

To query the Task Scheduler service permissions using PsService.exe or PsService64.exe, run this command from admin Command Prompt:

psservice.exe security schedule

Here’s it what it outputted:

SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
	ACCOUNT: LocalSystem
	SECURITY:
	[ALLOW] NT AUTHORITY\Authenticated Users
	        Query status
	        Query Config
	        Interrogate
	        Enumerate Dependents
	        Read Permissions
	[ALLOW] BUILTIN\Administrators
	        All
	[ALLOW] NT AUTHORITY\SYSTEM
	        All
	[ALLOW] BUILTIN\Users
	        Query status
	        Query Config
	        Interrogate
	        Enumerate Dependents
	        Read Permissions

psservice64 view service permissions

As you can see above, the output generated by AccessChk and PsService utilities is very friendly, compared to the weird/cryptic security descriptor codes shown by the SC.exe command-line.


Method 4: Using SetACL.exe utility

The SetACL.exe utility (from Helge Klein) is an excellent command-line utility that can automate permissions in Windows. Using SetACL, you can view and change ownership and permissions for the file system, registry, printers, network shares, services, etc.

To view the permissions of a service (e.g., Task Scheduler service), run this command:

SetACL.exe -on "schedule" -ot srv -actn list
  • -on  – ObjectName
  • -ot – ObjectType
  • -actn – Action to take

(For a complete list of command-line switches, check out the official SetACL.exe documentation at Helge’s site.)

You’ll see the following output (in friendly format):

schedule

DACL(not_protected):
Authenticated Users SERVICE_ENUMERATE_DEPENDENTS+SERVICE_INTERROGATE+SERVICE_QUERY_CONFIG+SERVICE_QUERY_STATUS+READ_CONTROL allow no_inheritance
Administrators start_stop+WRITE_OWNER+WRITE_DAC allow no_inheritance
SYSTEM full allow no_inheritance
Users SERVICE_ENUMERATE_DEPENDENTS+SERVICE_INTERROGATE+SERVICE_QUERY_CONFIG+SERVICE_QUERY_STATUS+READ_CONTROL allow no_inheritance

SetACL finished successfully.

View the SDDL

To view the permissions in SDDL format instead, run this command-line:

SetACL.exe -on "schedule" -ot srv -actn list -lst "f:sddl"

The output will be like below:

"schedule",2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPWPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)"

SetACL finished successfully.

Method 5: Using Sysinternals Process Explorer

The Process Explorer tool from Windows Sysinternals can be used to view (and edit) service permissions.

modify service permissions using process explorer

See section Using Process Explorer at the bottom of this article for more information.


Method 6: Using Service Security Editor

The Service Security Editor utility (third-party freeware) lets you view configure service permissions very easily.

Service Security Editor - service permissions view and modify

See section Service Security Editor at the bottom of this article for more information.


How to Modify the service permissions

You can modify the service permissions using many ways. Let’s see some methods.



Method 1: Using SC SDSET command-line

The sc.exe sdshow command-line we’ve seen earlier in this article queries the service permissions. To modify the permissions for a service, you need the sc.exe sdset command-line argument.

To give administrators the full control permissions for the Task Scheduler service, you’d use this SDDL string:

D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

instead of the original one below:

D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

To apply the new SDDL for the Task Scheduler service, open an admin Command Prompt window and type this:

sc.exe sdset schedule D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

You should get the message [SC] SetServiceObjectSecurity SUCCESS in the output.

sc sdset sddl - view and edit service permissions

This grants the following additional permissions for the Administrators group:

WP SERVICE_STOP Stop the service
DC SERVICE_CHANGE_CONFIG Change service configuration
SD DELETE The right to delete the service

That’s it. Now, the Administrators group can start, stop, query, change the configuration, or even delete the service.

sc sdset sddl - view and edit service permissions

The buttons and the startup type options in Task Scheduler properties are now available for Administrators.

scheduler service button grayed out - view and edit service permissions

Quick Tip: The permissions for a service are stored in this registry key, in a REG_BINARY value named Security:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[service_name]\Security

For example, the Task Scheduler service security info is stored here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Security

Method 2: Using Sysinternals Process Explorer

If the service is currently running, you can use the Process Explorer tool (again, from Windows Sysinternals) to modify the service permissions.

  1. First, open Task Manager to find the right svchost.exe (there will be many svchost.exe instances) that hosts the Task Scheduler service. For more information, check out the article How to View the Services Running Under Svchost.exe in Windows.
  2. Launch Process Explorer as administrator.
  3. Double-click the svchost.exe process (you can track by PID), which hosts the Task Scheduler service.
    modify service permissions using process explorer
  4. Click on the Permissions button.
    modify service permissions using process explorer
  5. In the Permissions dialog, click Advanced. This opens the Advanced Security Settings dialog for the service.
  6. Select Administrators, and click Edit.
    modify service permissions using process explorer
  7. In the Permission Entry dialog, enable the required permission checkboxes accordingly. Note that the Administrators group has already the Change Permissions and Change Owner permissions for this service.
  8. Enable Stop (SERVICE_STOP) and the Change Config (“SERVICE_CHANGE_CONFIG”) checkboxes.
  9. Click OK, and close Process Explorer.

You can now fully control the Task Scheduler service as an administrator.


Method 3: Using Service Security Editor

Service Security Editor (ServiceSecurityEditor.exe), a digitally signed executable from Core Technologies Consulting, LLC, is a free standalone utility to view and set permissions for any Windows service easily. You can download the program from the following link:

https://www.coretechnologies.com/products/ServiceSecurityEditor/

Select the service from the list, and click Open…

Service Security Editor - service permissions view and modify

This opens the Security settings dialog where you can set your required permissions for the chosen service.

Service Security Editor - service permissions view and modify

Click OK, and click Done to save your settings.


Method 4: Using SetACL.exe utility

The SetACL.exe utility (from Helge Klein) is an excellent command-line utility that can automate permissions in Windows. Using SetACL, you can view and change ownership and permissions for the file system, registry, printers, network shares, services, etc.

To assign Administrators full control permissions (SERVICE_ALL_ACCESS) for a service (e.g., Task Scheduler), run this command:

SetACL.exe -on "schedule" -ot srv -actn ace -ace "n:administrators;p:full"

setacl.exe service permissions

(where schedule is the short name for the Task Scheduler service)

  • -on – Object Name
  • -ot – Object Type
  • -actn – Action to take
  • -ace – set permissions/ACE
  • n – Principal (Account or group name)
  • p – Permissions
  • full – full control permissions. For services, it means SERVICE_ALL_ACCESS.

(For a complete list of command-line switches, check out the official SetACL.exe documentation at Helge’s site.)

For services, SetACL supports only three permissions levels, namely start_stop, read, and full. Here are the details about each permission level:

read

  • SERVICE_ENUMERATE_DEPENDENTS
  • SERVICE_INTERROGATE
  • SERVICE_QUERY_CONFIG
  • SERVICE_QUERY_STATUS
  • SERVICE_USER_DEFINED_CONTROL
  • READ_CONTROL

start_stop

  • SERVICE_ENUMERATE_DEPENDENTS
  • SERVICE_INTERROGATE
  • SERVICE_PAUSE_CONTINUE
  • SERVICE_QUERY_CONFIG
  • SERVICE_QUERY_STATUS
  • SERVICE_START
  • SERVICE_STOP
  • SERVICE_USER_DEFINED_CONTROL
  • READ_CONTROL

full

  • SERVICE_CHANGE_CONFIG
  • SERVICE_ENUMERATE_DEPENDENTS
  • SERVICE_INTERROGATE
  • SERVICE_PAUSE_CONTINUE
  • SERVICE_QUERY_CONFIG
  • SERVICE_QUERY_STATUS
  • SERVICE_START
  • SERVICE_STOP
  • SERVICE_USER_DEFINED_CONTROL
  • READ_CONTROL
  • WRITE_OWNER
  • WRITE_DAC DELETE

Comparison: SDDL changes for Task Scheduler

[Before (Windows-default permission level)]
D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPWPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

[After assigning full control permissions for Administrators(BA)] D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

The options in the Task Scheduler service properties dialog won’t be grayed out now.

scheduler service button grayed out - view and edit service permissions

Editor’s note: If you need to assign granular permissions (e.g., grant SERVICE_START but not SERVICE_STOP, or the other way) for a user or group, then SetACL may not be your best option. You can use one of the other methods described in this article.

SDDL – References

Here are some links to third-party articles where you can learn more about the SDDL strings.

Understanding SDDL Syntax | IT Connect:
https://itconnect.uw.edu/wares/msinf/other-help/understanding-sddl-syntax/

Set permissions on a specific service (Windows) – My Notes to Myself and Others…:
https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

SDDL Explained | clan8blog:
https://clan8blog.wordpress.com/2016/08/08/sddl-explained/

Getting started with SDDL (Security Descriptor Definition Language) - lewisroberts.com:
https://www.lewisroberts.com/2010/09/16/getting-started-with-sddl/

Check Windows services status - what privilege do I need - Stack Overflow:
https://stackoverflow.com/questions/26724423/check-windows-services-status-what-privilege-do-i-need?lq=1

If you ask for STANDARD_RIGHTS_REQUIRED, you may as well ask for the moon | The Old New Thing:
https://devblogs.microsoft.com/oldnewthing/20080227-00/?p=23303

I hope the brief introduction to SDDL and the information to view and modify the Service permissions proved useful. Let’s know your comments.


One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support, my reader. It won't take more than 10 seconds of your time. The share buttons are right below. :)

About the author

Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and he has been a Microsoft Most Valuable Professional (MVP) for 10 consecutive years from 2003 to 2012.

Leave a Comment