Python - Opening service with win32service returns Access Denied even as Administrator

Question

If I try to control or even open some services with all access through win32service.OpenService() (running as administrator) I get "pywintypes.error: (5, 'OpenService', 'Access is denied.')". However, controlling the same services from the Services console is successful. Why is that? Here is sample code to replicate the problem:

import win32service as ws


def get_handle(service_name):
    # service_name is the internal service name, not the display name.
    hSCManager = ws.OpenSCManager(None, None, ws.SC_MANAGER_ALL_ACCESS)
    return ws.OpenService(hSCManager, service_name, ws.SERVICE_ALL_ACCESS)


sh = get_handle("CertPropSvc")  # Certificate Propagation, same problem with
                                # BitLocker Drive Encryption Service (BDESVC)

All access includes all standard rights: modify the object's owner, read and modify the object's discretion security, and delete the object. If the service is owned by the Administrators group, then an admin implicitly has the to right read/modify the discretionary security, but by default an admin may not have the right to change the owner and delete the service without first modifying its security. It's unlikely you need either right for a system service. — Eryk Sun, Oct 14 '17 at 05:28
Refer to [Access Rights for a Service](https://msdn.microsoft.com/en-us/library/ms685981#Access_Rights_for_a_Service). Typically you want to request either the specific access rights that are required for a given operation or the corresponding generic right (`GENERIC_READ`, `GENERIC_WRITE`, `GENERIC_EXECUTE`). The table on that page shows how the service controller maps generic rights to sets of specific service rights. — Eryk Sun, Oct 14 '17 at 05:32

R01k · Answer 1 · 2017-10-18T01:05:23.640

Solved the problem by requesting lower permissions when opening SCM and the service:

import win32service as ws


def get_handle(service_name):
    # service_name is the internal service name, not the display name.
    # SC_MANAGER_CONNECT is enough.
    hSCManager = ws.OpenSCManager(None, None, ws.SC_MANAGER_CONNECT)
    # SERVICE_CHANGE_CONFIG is enough.
    return ws.OpenService(hSCManager, service_name, ws.SERVICE_CHANGE_CONFIG)


sh = get_handle("CertPropSvc")  # Certificate Propagation, BitLocker Drive
                                # Encryption Service (BDESVC) can also be used.

Python - Opening service with win32service returns Access Denied even as Administrator

1 Answers1