Can't stop/start service on Windows 11 Pro system


Go to solution Solved by rsn,

I have a Windows 11 Pro computer (used in Workgroup instead of domain).
Sometimes I have to restart the print spooler to clear some wrong print in the queue.

By running a terminal as administrator, I can stop and start the "spooler" with:

net stop spooler
net start spooler

However when I try to do "the same thing" with AutoIt, 
I can't get the "Spooler" service to stop.
I am using the following code:

Local $sUserName = "admin"
Local $sPassword = "********"

Local $sRunner = @ComSpec & " /c " & 'net stop spooler'

; Run a command prompt as another user.
Local $pid = RunAsWait($sUserName, @ComputerName, $sPassword, 0, $sRunner, @SystemDir, @SW_HIDE )

I have had it working in the past on Windows 2003/2008/2012 joined to a domain.
I really have no clue why this is not working.
Does anyone have some tips for me?


Posted (edited)

Added #RequireAdmin to the script, but the service still won't stop when running the script.
The account I am using for the RunAsWait is the default local admin account for this computer.

 

From another topic: I also tried 
#pragma compile(ExecLevel, requireAdministrator)

Alas this also did not work.

 

Changed the /c to /k. Now I see the terminal when running the script.
The message displayed by the RunAsWait is: System Error 5. Access Denied.

Edited by Jemboy

#RequireAdmin

;~ net stop spooler
;~ net start spooler

Local $sMsg = _cmd("net stop spooler")
ConsoleWrite($sMsg & @CRLF)


;----------------------------------------------------------------------------------------
Func _cmd($sCmd)
    Local $Result = '', $iPID = Run(@ComSpec & " /c " & $sCmd, @SystemDir, @SW_HIDE, 8)

    While ProcessExists($iPID)
        $Result &= StdoutRead($iPID)
    WEnd

    Return $Result

EndFunc   ;==>_cmd
;----------------------------------------------------------------------------------------

 

I know that I know nothing


Or you may want to try with WMI :

#RequireAdmin
#include <Constants.au3>
#include <Array.au3>

; https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-service

Opt("MustDeclareVars", 1)

CheckService(@ComputerName, "Spooler") ; or replace with name of computer you can remotely access

Func CheckService($sName, $sService)
  Local $oWMIService = ObjGet("winmgmts:\\" & $sName & "\root\CIMV2")
  Local $oItems = $oWMIService.ExecQuery('SELECT * FROM Win32_Service WHERE Name = "' & $sService & '"')
  If Not IsObj($oItems) Then Exit MsgBox($MB_OK, "Error", "Not an object")
  If Not $oItems.count Then Exit MsgBox($MB_OK, "Error", "Service not found")
  Local $aService[$oItems.count][5], $i = 0
  For $oItem In $oItems
    $aService[$i][0] = $oItem.Caption
    $aService[$i][1] = $oItem.Started
    $aService[$i][2] = $oItem.StartMode
    $aService[$i][3] = $oItem.State
    $aService[$i][4] = $oItem.Status
    $i += 1
  Next
  _ArrayDisplay ($aService)
  Local $oService = $oItems.itemIndex(0)
  ;$oService.StopService()
  ;$oService.StartService ()
EndFunc   ;==>CheckService

 


1 hour ago, Nine said:
  ;$oService.StopService()
  ;$oService.StartService ()

Would these two, uncommented, stop and start the specified service?


1 hour ago, rsn said:

Would these two, uncommented, stop and start the specified service?

Yes, amongst other methods from the object.  See reference I have commented at the beginning of the script.


I thought I was on to something but not so. I'm trying to delete a profile folder but Win32_UserProfile doesn't have a delete method. What I end up doing is using WMIC, but Microsoft has deprecated it in favor of PowerShell and I'm too time constrained/lazy to bother with it.


 

@ioa747 @Nine But your examples work when I compile them to an executable and run them as administrator.
My own example used earlier used RunAsWait, because I wanted people to run the (compiled) script, without giving them a (local) admin account.
The account "admin" is a member of the local administrators group on the system.

After Googling the problem in depth, I had a hunch the real local "administrator" account might work, so I enabled the administrator account and retried my original
account, and voilà, the script is working.

So basically, the user "admin" I was using, though a member of "administrators", did not have sufficient rights to be used with RunAsWait.
When I run the .exe with right-mouse "run as administrator", the "admin" account does have sufficient permissions.

So although both "admin" and "administrator" are members of the local administrators group, the "administrator" user seems to have more rights.

I'd rather not use the built-in "administrator" account; is there a way to give another account the same rights?


@Jemboy The RunAs command will run something as a different user but doesn't attach the elevated token to that user.

#RequireAdmin will add the elevated token to the app and any child processes it spawns. Using RunAs adds some complications if the account isn't admin. Why not use Run or ShellExecute with #RequireAdmin?


@rsn The only reason I am using the RunAs is because the user does NOT have administrator rights.

And I'd rather not give him and the other users administrator rights, because in the past giving users local admin rights resulted in users installing software (sometimes with a virus) on their computer and sometimes even ransomware.


On 5/12/2024 at 7:46 PM, Jemboy said:

Does anyone have some tips for me?

Make a server ? ( https://www.autoitscript.com/forum/topic/201673-json-http-post-serverlistener/page/2/#comment-1447447 )
Then with your own API do as you please. The server runs with your full admin rights. That would solve your problem.

 

Follow the link to my code contribution ( and other things too ).
FAQ - Please Read Before Posting.

@Jemboy I see your dilemma. If it's just the spooler service you're looking to hand off control, grab a copy of Process Explorer from Microsoft/SysInternals and you can grant permissions to a specific user to control a specific service. There are other utilities to do the same but ProcExp is pretty simple.


@argumentum I was going for the client/server option; getting AutoIt to start/stop the spooler was the part I wanted to run on the "server" part.
I would rather have a second administrator account instead of using the built-in one; however, if it's not possible, I'll go with the built-in administrator option :-(
I'll consider your HTTP post server. If I understand correctly, it would eliminate the programming of the client side application by using a browser :-)

@rsn I created an account admin2 and made it a member of the local administrators.
After that I used Process Explorer to change the verified users and administrators group to have full permission.
Did give admin2 also full permission on the spooler services, but still no ball :-(


1 minute ago, Jemboy said:

..., if I understand correctly, it would eliminate the programming of the client side application by using a browser 🙂

Depends. You can use it as your private API / IPC or, make it a web site. Your imagination is the limit.


  • Solution
Posted (edited)

@Jemboy The user you created and assigned permissions to control the spooler doesn't have to be in the administrators group. By not being in that group it adds the advantage of not being able to control any other service or admin level processes. And your script wouldn't need #RequireAdmin either. 

I'll run a couple extra tests today just in case I'm talking out of my butt 

I ran some tests. I created a local non-admin user and assigned Full Control to the spooler:

Then ran the following: 

#include <AutoItConstants.au3>
RunAs ( "testuser" , "." , "password" , $RUN_LOGON_NOPROFILE , @ComSpec & " /k sc.exe stop spooler" , "C:\windows\system32" , @SW_SHOWDEFAULT )

And the service stopped :) You can use any method you want but I chose SC.exe for simplicity in this example.

Edited by rsn
Testing and results...
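
The per-service permission grant described in the post above can also be made from an elevated prompt with sc.exe instead of Process Explorer. This PowerShell script is an added example, not code from the thread: it grants the "testuser" account from the post only start, stop and query rights rather than Full Control, and the backup file path is an assumption.

```powershell
# Added example: run from an elevated PowerShell prompt.
# 'testuser' is the non-admin local account from the post; the backup path is an assumption.
$service = 'Spooler'
$account = 'testuser'
$backup  = "$env:ProgramData\$service-sddl-backup.txt"

# SDDL ACEs name the trustee by SID, so resolve the account name first.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Read the current security descriptor; sc.exe prints it after a blank line.
$sddl = (sc.exe sdshow $service | Where-Object { $_.Trim() }) -join ''
if ($LASTEXITCODE -ne 0 -or $sddl -notmatch 'D:') {
    throw "Could not read the security descriptor of ${service}: $sddl"
}
Set-Content -Path $backup -Value $sddl   # keep the original for rollback

# Service rights in SDDL: LC = query status, SW = enumerate dependents,
# RP = start, WP = stop, LO = interrogate. DC, WD and WO are left out, so the
# account cannot reconfigure the service or rewrite its permissions.
$ace = "(A;;LCSWRPWPLO;;;$sid)"

if ($sddl.Contains(";;;$sid)")) {
    Write-Warning "$account already has an ACE on $service; review it by hand."
} else {
    # Append the allow ACE to the end of the DACL, before the SACL ("S:") if one exists.
    $pos = $sddl.IndexOf(')S:')
    $new = if ($pos -ge 0) { $sddl.Insert($pos + 1, $ace) } else { $sddl + $ace }
    sc.exe sdset $service $new
    if ($LASTEXITCODE -ne 0) { throw "sdset failed; the original descriptor is in $backup" }
}

# Confirm the result: the account's SID should appear once, with only the rights above.
sc.exe sdshow $service
```

To roll back, pass the saved string from the backup file to `sc.exe sdset Spooler`. Because the ACE omits the change-config and write-DAC rights, the delegated account can restart the spooler but cannot point the service at a different binary.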

@rsn You are right! Running my test with your tip, I used the wrong working directory. That's why it was failing.
Rerunning the test with your piece of code successfully, I decided to look at my code and found out that @tempdir was not working in my code :D
I can now finish my "restart print spooler" tool for my users.
Thanks for your help (and of course all others who pitched in)

