I have a UAC-enabled Server 2008 R2 machine with Splunk splunk-4.1.7-95063-x64-release installed.

I am using a low-privilege (just the minimum listed in the docs, http://www.splunk.com/base/Documentation/latest/Installation/InstallonWindows#Choosing_the_user_Splu...).

This seems fine for splunkd, it can run, open port 8089, and appears to be indexing.

The splunkweb service never opens a port and seems to generate these errors every time it starts. Apparently it wants to query the Service Control Manager.

When I run the service interactively I get a UAC prompt.

Log Name: Security Source:
Microsoft-Windows-Security-Auditing Event ID: 4656 Task Category: Other Object Access Events Level:
Information Keywords: Audit Failure Description: A handle to an object was requested.

Subject: Security ID: xxx\service-splunk Account Name: service-splunk Account Domain: xxx Logon ID: 0x15cb85

Object: Object Server: SC Manager Object Type: SC_MANAGER OBJECT Object Name: ServicesActive Handle ID: 0x0

Process Information: Process ID: 0x204 Process Name: C:\Windows\System32\services.exe

Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Connect to service controller Create a new service Enumerate services Lock service database for exclusive access Query service database lock state Set last-known-good state of service database Access Reasons: - Access Mask: 0xf003f Privileges Used for Access Check: - Restricted SID Count: 0