w32tm /query /status returns access denied

    Question

  • I manage a lot of boxes remotely and I've noticed an issue with a few machines where the NTP sync is not working correctly. They're all non-domain joined and all running Win7.

    What I have noticed is that executing w32tm /query /status returns Access Denied when executed from an elevated prompt by the admin account on the box. 

    If I execute w32tm /unregister, the whole registry branch under currentcontrolset/services is removed, so it has access to the registry branch. I can reregister the service and it starts ok. What I can't do is either query the config or status. Each returns access denied.

    Anyone have any ideas as to what this may be? DCs are not involved. The account used can elevate privs and I can unreg/reg the service. Procmon doesn't indicate failure to access any resources, but I consistently get access denied on these boxes.

    July 5, 2018 16:02

All replies

  • Hi,

    If it's not working with a domain admin account, then it can be an issue with a virus/worm/malware. I have seen this issue in the past & it was due to an infection in the system. The other angle is verifying whether the Windows built-in firewall service might be the cause; try to disable it temporarily & see if it works. Verify the registry permissions or use procmon to scan the permissions on the registry.

    Best Regards,

    Tao



    July 6, 2018 2:55
    Moderator
  • The machine affected is a locked down POS machine in a shop. No admin access, no usb, no DVD, etc, so infection, while not impossible, is unlikely.

    I was on the box using Procexp/procmon for quite some time diagnosing this and didn't notice anything else strange.

    What's odd is that, if I run procmon while running w32tm, it doesn't show any denied access to the registry. Unfortunately w32tm doesn't indicate *what* it has been denied access to.

    I haven't tried disabling the FW as it only filters inbound, but I can give it a try.

    July 11, 2018 12:18