Fix 'System error 5: Access is denied' When Starting or Stopping a Windows Service

beginner | Windows | 2026-04-08 | Windows 10, Windows 11, Windows Server 2016/2019/2022, CMD or PowerShell running without elevation

Error Message

System error 5 has occurred. Access is denied.

The Scenario

It's 2 AM. A service crashed on your Windows server. You open CMD, type the usual:

net stop MyService
net start MyService

And you get slapped with:

System error 5 has occurred.
Access is denied.

Or maybe you tried sc:

sc stop MyService
[SC] OpenService FAILED 5:
Access is denied.

Same wall. The service is still down, your incident is still open, and the clock is ticking.

Why This Happens

Error 5 is Windows' way of saying the process calling the Service Control Manager (SCM) doesn't have sufficient privileges. Two things trigger this:

  • You're running CMD as a normal user: even if your account is in the Administrators group, UAC strips the admin token by default. You're effectively a standard user until you explicitly elevate.
  • The service has locked-down permissions: some services (antivirus, EDR agents, Windows Defender) explicitly block start/stop for everyone except SYSTEM or a specific service account.

Nine times out of ten it's the first one. You opened CMD from the Start menu or a desktop shortcut, no right-click involved.

Quick Fix: Elevated CMD

Handles 90% of cases. Takes about 10 seconds.

Option 1: Right-click elevation

  • Press Win, type cmd
  • Right-click Command Prompt → Run as administrator
  • Accept the UAC prompt
  • Retry your command:
net stop MyService
net start MyService

The title bar will read "Administrator: Command Prompt", which confirms you're elevated.

Option 2: PowerShell one-liner (no GUI needed)

Already stuck in a non-elevated terminal? Spawn an elevated CMD from there:

Start-Process cmd -Verb RunAs -ArgumentList '/k sc stop MyService'

To stop and restart in one shot:

Start-Process cmd -Verb RunAs -ArgumentList '/k net stop MyService && net start MyService'

Option 3: Native PowerShell cmdlets

Stop-Service -Name "MyService" -Force
Start-Service -Name "MyService"

Stop-Service and Start-Service hit the same SCM under the hood, so they still need an elevated PowerShell session. The advantage: error messages are human-readable instead of cryptic exit codes.

Verify the Fix Worked

sc query MyService

Look for STATE : 4 RUNNING in the output. Prefer PowerShell? Run this instead:

Get-Service -Name "MyService" | Select-Object Name, Status

Expected output:

Name       Status
----       ------
MyService  Running

Still Getting Error 5 Even as Administrator?

Double-check the title bar says "Administrator: Command Prompt". If it does and you're still hitting error 5, the service itself has a restrictive security descriptor, and your admin token isn't enough.

Check current service permissions

sc sdshow MyService

You'll get a raw SDDL string like D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA).... Two things to look for: RP (start permission) and WP (stop permission). If neither appears next to BA (Built-in Administrators), that's your problem.

Grant Administrators full control over the service

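Use sc sdset to overwrite the descriptor. sc sdset replaces the service's whole DACL rather than adding to it, so save the sc sdshow output first in case you need to restore the original. This is the standard full-control SDDL for Administrators, safe for most non-critical services: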

sc sdset MyService "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"

What the key tokens mean:

  • BA: Built-in Administrators
  • CCDCLCSWRPWPDTLOCRSDRCWDWO: Full control (start, stop, pause, configure, delete)
  • SY: Local System account
  • IU / SU: Interactive and Service users (read-only access)

Retry net stop MyService after running this. It should go through clean.
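
Added example (not part of the original article): a PowerShell function that decodes the ACEs in a service SDDL string, so you can see which trustees hold start (RP) and stop (WP) before and after an sc sdset. The function name Get-ServiceDaclSummary and its output columns are assumptions made for illustration.

```powershell
# Added example: decode the ACEs of a service SDDL string.
# Get-ServiceDaclSummary and its column names are illustrative, not a built-in cmdlet.
function Get-ServiceDaclSummary {
    param([Parameter(Mandatory)][string]$Sddl)

    # SDDL right codes as they apply to service objects
    $rightNames = @{
        CC = 'QueryConfig'; DC = 'ChangeConfig'; LC = 'QueryStatus'
        SW = 'EnumerateDependents'; RP = 'Start'; WP = 'Stop'
        DT = 'PauseContinue'; LO = 'Interrogate'; CR = 'UserDefinedControl'
        SD = 'Delete'; RC = 'ReadControl'; WD = 'WriteDac'; WO = 'WriteOwner'
    }
    # One ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
    $acePattern = '\((?<type>[^;()]*);[^;()]*;(?<rights>[^;()]*);[^;()]*;[^;()]*;(?<trustee>[^;()]*)\)'

    foreach ($ace in [regex]::Matches($Sddl, $acePattern)) {
        $type = $ace.Groups['type'].Value
        if ($type -notin 'A', 'D') { continue }   # skip audit ACEs from the SACL

        # Rights are packed two-letter codes; a hex mask (0x...) is left undecoded
        $raw   = $ace.Groups['rights'].Value
        $codes = @(if ($raw -notmatch '^0x') {
            [regex]::Matches($raw, '[A-Z]{2}') | ForEach-Object { $_.Value }
        })

        [pscustomobject]@{
            Trustee     = $ace.Groups['trustee'].Value
            AceType     = if ($type -eq 'A') { 'Allow' } else { 'Deny' }
            Start       = $codes -contains 'RP'
            Stop        = $codes -contains 'WP'
            # ChangeConfig, WriteDac or WriteOwner let the trustee alter the service or its ACL
            Reconfigure = [bool]($codes | Where-Object { $_ -in 'DC', 'WD', 'WO' })
            Rights      = ($codes | ForEach-Object {
                if ($rightNames.ContainsKey($_)) { $rightNames[$_] } else { $_ }
            }) -join ', '
        }
    }
}

# Constructed sample: the descriptor used with sc sdset in this article
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
Get-ServiceDaclSummary -Sddl $sample | Format-Table Trustee, AceType, Start, Stop, Reconfigure

# Live service (sc.exe, because "sc" is a Set-Content alias in Windows PowerShell 5.1):
# Get-ServiceDaclSummary -Sddl ((sc.exe sdshow MyService) -join '')
```

Any Allow row with Reconfigure set for a trustee other than SY or BA deserves a closer look before you leave the descriptor in place.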

Permanent Fix: Stop Burning Yourself Repeatedly

If your deployment scripts or automation keep hitting this error, the real fix is baking elevation into them, not remembering to right-click every time.

For scheduled tasks

Open Task Scheduler, find the task, then:

  • Right-click → Properties
  • Check Run with highest privileges
  • Under "Security options", confirm the account is an Administrator

For deployment scripts (batch files)

Drop this auto-elevation block at the top of your .bat file. It re-launches itself with admin rights if it detects it's not elevated:

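@echo off
rem net session fails with access denied when the prompt is not elevated
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo Requesting admin privileges...
    rem Relaunch this script through UAC, then end the non-elevated copy
    powershell -Command "Start-Process '%~f0' -Verb RunAs"
    exit /b
)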

net stop MyService
net start MyService

For PowerShell scripts

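#Requires -RunAsAdministrator

# -ErrorAction Stop makes a failed restart end the script before the success message prints
Restart-Service -Name "MyService" -Force -ErrorAction Stop
Write-Host "Service restarted successfully."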

The #Requires -RunAsAdministrator directive is underused and underappreciated. PowerShell will refuse to run the script at all if it's not elevated: you get a clear "must run as Administrator" message at the top instead of a confusing access denied halfway through execution.

Remote Services: A Different Beast

Managing services on another machine via sc \\servername and still hitting error 5? Local elevation isn't enough here.

sc \\remoteserver query MyService
[SC] OpenSCManager FAILED 5:
Access is denied.

Three ways to fix remote access:

  • Add your domain account to the local Administrators group on the remote machine (most reliable)
  • Use runas /netonly /user:remoteserver\Administrator "sc \\remoteserver stop MyService" to supply explicit credentials for the remote connection
  • Use PowerShell remoting for cleaner credential handling: Invoke-Command -ComputerName remoteserver -ScriptBlock { Restart-Service MyService } -Credential (Get-Credential)

Summary

  • 90% of cases: reopen CMD as Administrator, retry the command
  • Confirm with sc query MyService → look for STATE : 4 RUNNING
  • Still failing elevated: fix the service DACL with sc sdset
  • Automation: add auto-elevation to batch files or #Requires -RunAsAdministrator to PowerShell scripts
  • Remote machines: your account needs to be in local Admins on the target, not just your own box
