Super User Asked by Omair Nabiel on November 4, 2021
Using Carbon DLLs and sc config I am able to grant the user Logon As Service rights and also able to add the user as the Services’ Log on as account.
Previously I was getting Logon Failure, but after using Carbon and a PowerShell script I was able to remove that error by granting Logon as Service permission to the account.
But now when I start the service I get the following error:
A privilege that the service requires to start does not exist in the Service Account....
For Service Account I’m using a user account from AD which is also added as a Local Administrator on the server on which I am changing the services’ log on as account.
For testing I was changing the Logon As Account of the Themes service, which by default runs under the Local System Account. I don’t want to run it under Local System but under the account I’ve assigned.
Members of the local group Administrators have many privileges, but definitely not all. One of those extra privileges is the one you already set: Logon as a service. You can find and manage all privileges in the Local Security Settings MMC snap-in (secpol.msc) under Security Settings > Local Policies > User Rights Assignment:
As you can see, not all (allowing) rights contain the Administrators group. If everything worked well, you will already see your domain user under Logon as a service. If not, add it now. This is the minimum requirement for a user account to run an executable¹ as a service.
Running the Themes service of course also needs the Logon as a service right. But as you observed - for this service - it is not enough. This particular service also needs the Replace a process level token right. Btw., to learn more about a particular right, just open it and navigate to the Explain tab:
So, in conclusion, to run the Themes service under your domain user, add this account to the Logon as a service and Replace a process level token policies.
A recommendation: Please do not add a user to every allowing policy, to "make things work". This may impose serious security flaws.
As Windows services have to implement the Windows services API, they will contain a SERVICE_REQUIRED_PRIVILEGES_INFOA structure. This contains a list of all required privileges. You can use this C++ code to query this info. Alternatively, you can download the SystemExtensions module for PowerShell and use the Get-ServiceConfig cmdlet:
Get-ServiceConfig Themes | Select-Object -ExpandProperty Privileges
Output:
SeAssignPrimaryTokenPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
You can then use this documentation to translate these privileges into the policy names (same order as above):
¹ Keep in mind that not all executables can be run as a service, as they have to implement the Windows services API at least.
Answered by stackprotector on November 4, 2021
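The check described in the answer, as an added example that is not part of the original answer or of the SystemExtensions module: it reads the service's declared privileges from its RequiredPrivileges registry value, exports the local user-rights assignments with secedit, and reports which rights the account still lacks. The account name CONTOSO\svc-themes is a placeholder, and counting BUILTIN\Administrators as one of the account's groups is an assumption taken from the question.

```powershell
# Added example: which rights does the service need, and does the account hold them?
# Run from an elevated PowerShell session on the server.
param(
    [string]$ServiceName = 'Themes',
    [string]$Account     = 'CONTOSO\svc-themes'   # placeholder account (assumption)
)

# Privilege constant -> policy name under User Rights Assignment.
$policy = @{
    SeServiceLogonRight           = 'Log on as a service'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
    SeDebugPrivilege              = 'Debug programs'
    SeImpersonatePrivilege        = 'Impersonate a client after authentication'
}

# 1. Privileges the service declares (REG_MULTI_SZ; absent if none are declared).
$key      = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$declared = (Get-ItemProperty -Path $key -ErrorAction Stop).RequiredPrivileges
$required = @('SeServiceLogonRight') + @($declared | Where-Object { $_ })

# 2. Export the local user-rights assignments and index them by constant.
$inf = Join-Path $env:TEMP "user-rights-$PID.inf"
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$holders = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.+)$') {
        # Entries are "*SID" or, for some accounts, a bare name.
        $holders[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item -Path $inf

# 3. Principals that count for the account. secedit does not expand groups, so
#    BUILTIN\Administrators (S-1-5-32-544) is added by hand because the account
#    in the question is a local administrator (assumption).
$nt  = [System.Security.Principal.NTAccount]::new($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$principals = @($sid, $Account, 'S-1-5-32-544')

# 4. One row per required right; Granted = False marks the policy to edit.
foreach ($right in $required) {
    $name = if ($policy.ContainsKey($right)) { $policy[$right] } else { '(see privilege constants documentation)' }
    [pscustomobject]@{
        Right   = $right
        Policy  = $name
        Granted = [bool]($principals | Where-Object { $holders[$right] -contains $_ })
    }
}
```

Rows with Granted = False are the only policies the account needs to be added to, which keeps the change in line with the answer's advice not to add the user to every allowing policy.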