Symptoms

Getting “System.ComponentModel.Win32Exception: Access is denied” on an ASP.NET website. Below is the complete exception details:

Exception Details: System.ComponentModel.Win32Exception: Access is denied

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. 

Stack Trace:
[Win32Exception (0x80004005): Access is denied]

[InvalidOperationException: Cannot open Service Control Manager on computer '.'. This operation might require other privileges.]
   System.ServiceProcess.ServiceController.GetDataBaseHandle() +297
   System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess) +14
   System.ServiceProcess.ServiceController.GenerateStatus() +103
System.ServiceProcess.ServiceController.get_Status() +10 
   Mine.Page_Load(Object sender, EventArgs e) +26
   System.EventHandler.Invoke(Object sender, EventArgs e) +0
   System.Web.UI.Control.OnLoad(EventArgs e) +67
   System.Web.UI.Control.LoadRecursive() +35
   System.Web.UI.Page.ProcessRequestMain() +750

And, we see the below Failure Audit in the Security Event log:

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date:  1/26/2010
Time:  4:10:08 PM
User:  servername\username
Computer: servername
Description:
Object Open:
  Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
  Object Name: ServicesActive
  Handle ID: -
  Operation ID: {0,579955549}
  Process ID: 440
  Image File Name: C:\WINDOWS\system32\services.exe
  Primary User Name: servername$
  Primary Domain: WORKGROUP
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: username
  Client Domain: servername 
  Client Logon ID: (0x0,0x225DC742)
  Accesses: Connect to service controller
   Enumerate services
  Privileges: -
  Restricted Sid Count: 0
  Access Mask: 0x5

Cause

Found that this is due to a DACL problem with the SCManager object

Resolution

We modified the DACL for SCManager object by running below command:

SC SDSET SCMANAGER D:(A;;CCLCRPRC;;;WD)(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

DACL was originally D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD) which didn’t include the local users group to have permissions to query the SCM object, and hence the failure of the code trying to query the status of the aspnet_state service.

More Information

You can also try querying the DACL information just for the service the code is using. In my case, customer was trying to query the "aspnet_state" service and was failing with the above problem.

Related Blog

Web Service can’t start the Windows Service

http://blogs.msdn.com/winsdk/archive/2009/11/18/web-service-can-t-start-the-windows-service.aspx