4

After applying this "solution" I have no way of starting the spooler service, not even as Admin.

If I open services.msc as Administrator, that service has disappeared, as noted here (I wish I found that before).

How can I reset permissions for the spooler service?

Community
  • 1
Yajo
  • 292
  • 2
  • 3
  • 8

2 Answers2

7

The SYSTEM security context can reset it. You don't mention your Windows version, but in Windows Server 2008 and newer versions it can be a bit difficult to get a SYSTEM command prompt. It's very easy, though, to get the "Task Scheduler" in all versions of Windows to run a command as SYSTEM.

  • Dump the security descriptor from a known-good machine using the sc sdshow spooler command.

  • Create a scheduled task on the broken machine to run the command %SystemRoot%\system32\sc.exe with the arguments sdset spoooler <paste good security descriptor here>.

  • Set the task to run as SYSTEM

  • Manually run the task

Your service's security descriptor will be restored to normal.

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
  • 2
    I found easier [to use `PsExec`](http://cloud.kemta.net/2013/01/resetting-the-discretionary-access-control-list-dacl-in-a-windows-service-security-descriptor/). The full command was `PsExec.exe /s sc sdset spooler D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)`. – Yajo Nov 21 '14 at 08:27
0

In addition to Evan's Task Scheduler method, I also had to

  1. Remove the following registry key (folder)

    HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\Security

enter image description here

  1. Reboot the server
KERR
  • 365
  • 3
  • 8