Using SC.exe to set service credentials password fails

Question

I know this question has been asked in the past, but a satisfactory answer has not been provided.

I am using the SC command to config the credentials for a service.

SC.exe config "SERVICE NAME" obj= "domain\user" password= "password"

This completes successfully, but when I start the service, it fails to perform the login.
[NET START "service name"]

If I manually update ONLY the password from the services.msc, then when I start the service it works fine.

I have hundreds of servers to update this change occurs in the middle of a deployment, so manual intervention is NOT an option.

I have tried using the config to update the login account and then another config command for the password.

From all accounts, the SC.exe does not work for passwords and Microsoft has NO help.

IDEAS?

Does password contain any special characters, like (,),',",$,>, — seva titov, Jan 19 '13 at 17:42
I was able to use sc.exe to set password many times. You just need to get the password coded righ. Any other special characters besides '@' and '&'? E.g. '%' needs a special treatments: http://stackoverflow.com/questions/10296162/escaping-special-characters-in-cmd — seva titov, Jan 21 '13 at 21:57

ericbn · Answer 1 · 2017-02-08T19:16:09.860

8

Besides stopping the service before making the changes, and granting the user permission to logon as a service, I also had to add the type= own parameter, otherwise it would fail with:

[SC] ChangeServiceConfig FAILED 87:

The parameter is incorrect

So this is the command that worked:

SC.EXE config "ServiceName" type= own obj= "domain\user" password= "password"

It even worked with special characters in the password, given I had the password between double brackets.

edited Feb 08 '17 at 19:16

answered Feb 08 '17 at 19:09

ericbn

9,027
3
42
50

type =own has no effect for me. SC command does not complain with or without "type =own". The problem is that after successfully creating the service, the service fails to start due to log on issues. Log on a service permission was granted to the user account. – Faustas May 05 '22 at 21:57

Rich K · Answer 2 · 2016-10-05T20:35:24.653

7

When you configure a service to run under a specific account via the normal route from the service properties windows automatically grants the account the log in as service right. When you use sc.exe you also have to grant the user the log on as service right.

Log On As Service Right

edited Oct 05 '16 at 20:35

answered Apr 18 '14 at 18:33

Rich K

71
1
4

score 2 · Answer 3 · answered Sep 23 '16 at 14:57

Before restarting services, you should grant your user permission to logon as a service. Unfortunately, no way to do it from command line with default windows tools, but you can use small additional util ntright.exe from Windows Server 2003 Resource Kit Tools.

Download it from https://www.microsoft.com/en-us/download/details.aspx?id=17657

After installation you'll get a lot of tools in C:\Program Files (x86)\Windows Resource Kits\Tools (or in Program Files on 32bit machine).

You need ntrights.exe. You can copy it and run from any place on another host.

To grant your user required permission, you should add to your script:

ntrights.exe +r SeServiceLogonRight -u "%DOMAIN%\%USER%"

After that you can successfully restart services with a new user. Also there is an option to run ntrights.exe on remote host:

ntrights.exe +r SeServiceLogonRight -u "%DOMAIN%\%USER%" -m %HOSTNAME%

This tool helps me very much when I need reconfigure a lot of hosts remotely.

score 1 · Answer 4 · answered Dec 16 '19 at 22:27

1

To enable log on as a service via script I've written this, you can use it as is or pull out what is useful to you

https://raw.githubusercontent.com/cdaf/windows/master/automation/provisioning/setServiceLogon.ps1

answered Dec 16 '19 at 22:27

Jules Clements

368
3
8

score 0 · Answer 5 · answered Mar 23 '14 at 18:26

0

Try to stop the service before setting up the password:

sc.exe stop "<my_service>" 4:4:3
sc.exe config "<my_service>" obj= "\.<local_acc_name>" password= "<local_acc_pass>"
sc.exe start "<my_service>"

answered Mar 23 '14 at 18:26

user3452718

1

score 0 · Answer 6 · edited May 23 '17 at 12:25

0

I had this issue. Thanks to ST's comment on the original post, I realized I needed to research how to type the password. In my case, I needed to double up the percent sign (%%) in the password.

The link ST provided is helpful: Escaping special characters in cmd.

edited May 23 '17 at 12:25

Community

1
1

answered Dec 12 '14 at 19:58

Mark Berry

16,153
4
56
85

score 0 · Answer 7 · answered Apr 08 '15 at 07:40

Run against this problem while doing some Powershell scripting and the issue in my case was the special characters in the password.

Got it working by storing the password in a variable with double quotes around it:

$servicePassword = "`"passwordWithSpecialCharacters`"" cmd /c sc config myService obj= mydomain\myuser password= $servicePassword

Special characters are:

()'"$><^?

score 0 · Answer 8 · answered Aug 23 '16 at 15:55

Try This. Start menu - type "local security policy" without the quotes. Open the "Local Policies", then left-click on "User Rights Assignment". On the right panel, right-click on "Log on as a service", and select "Properties". Click on "Add User or Group" and add your user. Click OK. You might have to reboot your machine.

After adding you can set the user name and password for the service in cmd.

Using SC.exe to set service credentials password fails

8 Answers8

Linked