Starting Windows service as anything but Administrator gives 'Access denied'

Question

I'm installing a Windows service that I'm developing. It's set to run as the Network Service. When I attempt to start this service, I get a message box telling me that access is denied. However, the Network Service does have access to the executable, and the entire directory it is contained in.

I've also tried starting the service as Local Service and Local System, but I receive the same error with both. I don't receive any error and the service starts as expected if I run it as Administrator (which is also the account I'm logged in to).

I've looked in the event log, but there is only one entry, containing the same information: 'Access is denied.'

I checked procmon to see what it was trying to access, and to my surprise, access is being denied when the service manager tries to open my executable; even though it has full access.

Why is access to the executable denied? Below are screenshots of the executable's permissions, procmon's output when I try to start the service, and the details of the first CreateFile that gave ACCESS DENIED.

Answer 1

The problem was actually that the service executable was encrypted with EFS; the error code (access denied) threw me off.

The service was being output to a folder that was inadvertently encrypted, so when I copied the service out to the install location, it remained encrypted. Once I unchecked the 'Encrypt contents to secure data' check box in the file's properties, the service correctly started for all users.

This explains why the service would only start as the current user, and not any of the system users, including the privileged 'Local System' account.