grant access to "network service"

Question

hi

I have a service, running under the "NT AUTHORITY\NETWORK SERVICE" and I have a registry key "HKLM\Software\Something\Whatever" for which I did set the permissions for "NT AUTHORITY\NETWORK SERVICE" to "full control".

Still... when I try to open it with "All Access", I get an "ERROR_ACCESS_DENIED".

But, when I set the permissions for "Everyone" to "full control" for this registry key... then my service can access it.

... why?

Rudolf

Answer 1

Because services running as "NETWORK SERVICE" don't really run as "NETWORK SERVICE" but they use a pseudo account called "NT SERVICE\<servicename>" ... or something like that... I've to investigate this a little bit further... but, it's more or less what the problem is...

Answer 2

Hello @Rudolf Meier

This is because the services accounts such as NETWORK or NT AUTHORITY does not behave in the same way when authenticating to specific containers of the operating system. Instead of granting the access for the account, you should add the account into a security group and then provide the access to that group in the registry chain.

From Administrative Tools > Computer Management, expand System Tools > Local Users and Groups > Groups.

Double-click the desired group (you may create a new group called Services Group, or similar) or just the Users group and click Add. Click Locations and select your computer node.

Then:
Type Network Service into the 'Enter the object names' OR Click Advanced, then Find Now and select it from the Search Results.

Hope this helps with your query,

-------------

--If the reply is helpful, please Upvote and Accept as answer--

Answer 3

On a Win 8.1 system I did was able to open a registry key under HKLM with KEY_ALL_ACCESS as the NetworkService account. Same results when tested on Win 10 21H1.

Registry Key and Permissions

Installed Service

Code for registry access

Eventlog entry