Granting Service Control Privileges for Inedo Product’s Web Applications

KB#1090: Last Updated November 14, 2019

IMPORTANT: using the built-in service command (i.e. ProGet.Service.exe AllowServiceControl) to allow service control has been deprecated because it does not work reliably on all versions of Windows, and may cause undesired affects (see troubleshooting).

Granting Service Control via subinacl.exe

  1. Download and install subinacl.msi from:
  2. Once installed, invoke the tool specifying the {service-name} and {user-account} as follows in an elevated command prompt or PowerShell window:

    &"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /service {service-name} /grant="{user-account}"=F

    Note: Common {user-account} values include: NT AUTHORITY\Network Service, domain\userName, and IIS APPPOOL\ProGet

  3. You should see output similar to the following:
    INEDOPROGETSVC : new ace for iis apppool\proget
    INEDOPROGETSVC : 1 change(s)
    Elapsed Time: 00 00:00:00
    Done:        1, Modified        1, Failed        0, Syntax errors        0

If the message does not indicate failure, the web application should now be able to control and transfer messages to and from the server.


If there are still problems with the service, it can be uninstalled and re-installed by running the service executable itself, for example:

&"C:\Program Files\ProGet\Service\ProGet.Service.exe" uninstall
&"C:\Program Files\ProGet\Service\ProGet.Service.exe" install

“Error granting service control privileges: Access is Denied” message:

Ensure the command prompt or PowerShell console is running as Administrator when attempting to re-install.

If that still doesn’t resolve the issue, see the guidance below to reset the ACL.

ADVANCED: Resetting the Service’s ACL

If that still doesn’t resolve the issue, the ACL may be malformed. The symptom of this is that the service doesn’t appear installed via a PowerShell Get-Service command, and it is not visible in the Service Control Manager.

The ACL can be reset with the following administrator PowerShell command that removes all ACEs from the service:

PS> Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\{service-name}\Security"

Once that registry key is deleted, this operation will require a reboot of the server that the product is installed on. After a reboot, the service should be able to be uninstalled and re-installed using the initial troubleshooting commands above, followed by running subinacl.exe as originally instructed.

Deprecated Method

Refer to this table – depending on which product you are using, enter the coinciding name, or abbreviation, into each space that has a red [product’s name] or [service].

The Inedo Product You’re Using [product’s name] [service]
BuildMaster bmservice
ProGet ProGet.Service
Otter Otter.Service

In order to be able to restart a Windows service, you normally need to be running as a machine administrator. However, it may not be desirable or even permitted to run the [product’s name] web application as an administrator account in your environment. This means that you will not be able to control the service using the web interface.

If you see a message similar to:

The [product’s name] web application does not have sufficient privileges to restart the [product’s name] service.

…then you will need to grant the user account which is running the web application permission to start and stop the service. The easiest way to do this is to navigate the command prompt to the service install directory (default: C:\[product’s name]\Service) and run the following command:

[service].exe AllowServiceControl /User=[WebAppUserName]

Where [WebAppUserName] is the user account which the [product’s name] web application is running under (the AppPool user for IIS).

Note that you must run this command as an administrator.