Windows administrators can spend a massive amount of time poring over logs and investigating error messages. Trying to figure out why Windows is throwing certain errors can be frustrating and time consuming. I was reminded of this frustration recently while helping a customer with a Windows service that would not start. The error received when attempting to start the service was “access denied”. He had done all of the basic troubleshooting steps: looking through logs and making sure the user assigned to the service had the “log on as a service” right and the other permissions that could affect the behavior he was seeing. He had spent hours troubleshooting the issue. However, as we worked together on it, I pulled out a trusty tool that I have often used when troubleshooting Windows access denied errors – Process Monitor. Let’s take a closer look at troubleshooting Windows access denied errors with Process Monitor and see how this powerful little tool can allow you to find the source of the error in minutes, if not quicker.
What is Process Monitor?
If you are creating a file or folder in a certain location and receive an “access denied” error, you at least know where the problem lies. However, with more obscure process or service related errors it can be difficult to quickly pinpoint the source of the error: which resource has the permissions problem, or which location is my user not able to write to, create in, or modify?
Process Monitor is one of the trusty Sysinternals tools provided by Microsoft. In case you have not already heard about Process Monitor, it is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. It is the combination of two older Sysinternals tools, Filemon and Regmon. What I like about the tool is that it provides a real-time trace of all the file and process activity on your workstation or server, which makes it easy to identify problems and can cut troubleshooting time tremendously.
- Download it here: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
Various features of Process Monitor include:
- Powerful filtering capabilities
- Capturing of thread stacks
- Capture of process details
- Intuitive display includes moveable columns
- Advanced logging
- Built-in process tree gives detailed information regarding the relationship of all processes
- Native log format that allows importing and exporting between Process Monitor instances
- Detailed tooltips
- Boot time logging of all operations
As you can tell from the list, which isn’t all inclusive, Process Monitor packs quite a punch in a small package and is definitely a worthy tool to add to your troubleshooting tool belt if you haven’t already. Let’s take a look at “access denied” troubleshooting with Process Monitor as this is an often overlooked strength of the tool aside from general process monitoring.
Troubleshooting Windows Access Denied Errors
To proactively simulate an “access denied” situation in Windows, I have created a folder on a test server and explicitly added a Deny permission for the local Administrators group, which contains the user I am logged into the server with. As expected, when I attempt to create a new file or folder, I receive an “access denied” error. To illustrate the power of Process Monitor, let’s perform some troubleshooting with the utility.
When you download the Process Monitor utility, it is a small .zip file containing the required files. What I like as well is that it is a self-contained executable, so no installation is required. The download at the time of this writing is 981 KB, so it has a very small footprint. Simply unzip the file and run the executable.
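The lab setup described above can be scripted so the failure is reproducible on demand. The following PowerShell is an added example written for this article, not code from the original post or from Sysinternals; it assumes an elevated session on a test machine and uses C:\ProcmonLab as an arbitrary folder name. It adds an explicit Deny ACE for BUILTIN\Administrators (the local Administrators group), then attempts to create a file and catches the resulting UnauthorizedAccessException. Because the elevated account that created the folder owns it, and an owner always keeps the implicit right to read and change the DACL, the Deny rule can be removed again at the end.

```powershell
# Added example (not from the original post): build the "access denied" lab
# with an explicit Deny ACE and reproduce the error in a controlled way.
# Assumptions: elevated PowerShell on a test machine; C:\ProcmonLab is a
# path chosen for this example only.
$labPath = 'C:\ProcmonLab'
New-Item -ItemType Directory -Path $labPath -Force | Out-Null

# Deny FullControl to the local Administrators group on the folder and
# everything created beneath it (ContainerInherit + ObjectInherit).
$acl  = Get-Acl -Path $labPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($rule)
Set-Acl -Path $labPath -AclObject $acl

# Reproduce the failure: a member of Administrators can no longer create here.
try {
    New-Item -ItemType File -Path (Join-Path $labPath 'test.txt') -ErrorAction Stop | Out-Null
    Write-Host 'Unexpected: file creation succeeded (is this session a member of Administrators?)'
} catch [System.UnauthorizedAccessException] {
    # This is the same condition Process Monitor will show as Result = ACCESS DENIED.
    Write-Host "Reproduced: $($_.Exception.GetType().Name): $($_.Exception.Message)"
} catch {
    Write-Host "Other failure: $($_.Exception.GetType().Name): $($_.Exception.Message)"
}

# Show the ACE that causes the denial, so the cause is visible next to the symptom.
(Get-Acl -Path $labPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Clean up: remove the Deny rule again (the owner retains WRITE_DAC regardless of the ACE).
$acl = Get-Acl -Path $labPath
$acl.RemoveAccessRule($rule) | Out-Null
Set-Acl -Path $labPath -AclObject $acl
```

Run the reproduction step while Process Monitor is capturing (see the capture steps below) and the CreateFile operation on C:\ProcmonLab\test.txt appears with an ACCESS DENIED result; the Deny ACE printed by the script is exactly the information Process Monitor does not show, which is why pairing the trace with the ACL is the normal second step.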
You will see the interface that looks like the following. When you launch it, Process Monitor will immediately start gathering information on all running processes and other system activity.
Under the File menu, you will find the Capture Events option. By default it is selected; you can check or uncheck it to start or stop capturing events. This is handy when you want as little information as possible displayed in Process Monitor while troubleshooting an event. I like to stop the capture, clear the display, and then have the error ready to reproduce. Quickly enable the Capture Events option, produce the error, and then disable the capture of events again. This way you capture only information that is relevant to the error.
Under the Edit menu, the Clear Display option clears the current captured information.
After capturing your information, you can easily use the Edit >> Find option to find certain keywords.
Here I have reproduced the “access denied” error by trying to create a new folder item. After disabling the capture, I search for “denied”, which should match the error.
Sure enough, I see the resulting ACCESS DENIED entry in Process Monitor. Great!
The above demonstration, of course, doesn’t really showcase the ability of Process Monitor the way a real world scenario does. In the case mentioned at the outset, when setting a logon user for a service, the error was simply “access denied”; we didn’t know what the user was being denied access to. Sure, there is object access auditing and other ways in Windows to get to the bottom of various errors, but Process Monitor takes the complexity out of the equation and lets you perform powerful troubleshooting efficiently and effectively.
Process Monitor is a great utility to get to know and add to your troubleshooting tools. It certainly comes in handy when troubleshooting more obscure issues such as “access denied” errors, as well as other use cases such as more in-depth process digging. Be sure to check out Process Monitor and the other Sysinternals utilities, as they provide great value and are free!
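For the service scenario above, where the failing operation happens inside another process and clicking through the GUI is awkward, the same capture-reproduce-search workflow can be driven from the command line and the result post-processed. The PowerShell below is an added example written for this article, not code from the original post or from Sysinternals. It assumes Procmon.exe was unzipped to C:\Tools\Procmon (a path chosen for this example), uses Procmon’s documented /AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog and /SaveAs switches, and relies on the default exported columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail). The service name is a placeholder, not one from the post.

```powershell
# Added example (not from the original post): unattended Process Monitor
# capture, CSV export, and a summary of every ACCESS DENIED result.
# Assumptions: Procmon.exe lives in C:\Tools\Procmon (example path); run
# elevated, since the Procmon driver must be loaded.
$procmon = 'C:\Tools\Procmon\Procmon.exe'
$pml     = 'C:\Tools\Procmon\denied.pml'
$csv     = 'C:\Tools\Procmon\denied.csv'

# 1. Start capturing to a backing file with no prompts or UI interaction.
Start-Process -FilePath $procmon -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$pml`""
Start-Sleep -Seconds 3   # let the driver load before reproducing the error

# 2. Reproduce the failure while the capture is running. Placeholder service
#    name; substitute the service that reports "access denied".
try { Start-Service -Name 'ExampleFailingService' -ErrorAction Stop }
catch { Write-Host "Reproduced: $($_.Exception.Message)" }

# 3. Stop the capture; /Terminate signals the running instance and waits for it to exit.
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait

# 4. Convert the binary PML trace to CSV so it can be processed with Import-Csv.
Start-Process -FilePath $procmon -ArgumentList '/AcceptEula', '/Quiet', "/OpenLog `"$pml`"", "/SaveAs `"$csv`"" -Wait

# 5. Keep only denied operations and summarise them by process and path.
#    This is the scripted equivalent of the Edit >> Find search for "denied",
#    or of a Result "is" "ACCESS DENIED" display filter.
$denied = Import-Csv -Path $csv | Where-Object { $_.Result -eq 'ACCESS DENIED' }

if (-not $denied) {
    Write-Host 'No ACCESS DENIED results in the trace; widen the capture window and retry.'
} else {
    $denied |
        Group-Object 'Process Name', 'Path' |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Process';   e = { $_.Group[0].'Process Name' } },
            @{ n = 'PID';       e = { $_.Group[0].PID } },
            @{ n = 'Operation'; e = { ($_.Group.Operation | Select-Object -Unique) -join ',' } },
            @{ n = 'Path';      e = { $_.Group[0].Path } } |
        Format-Table -AutoSize
}
```

The grouped table answers the question the customer could not: which process, under which account, was denied which operation on which object. From there the fix is an ACL or Registry permission change on the listed path rather than further guesswork about user rights. Note that the trace is only as useful as its window; capturing for a few seconds around the reproduction, as the GUI steps above also recommend, keeps the CSV small enough to read in full.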