1.38 Running TVService as "NT Service\TVService" or "Local Service" not working anymore since Windows September 2025 updates

MediaPortal Release 1.38

Andy_2639

I used to run the TVService under the "NT Service\TVService" account to follow the principle of least privilege (not exposing my whole system in case there's a security bug in the TV server). That worked fine until I installed the 2025-09 Windows updates 2 weeks ago.

From then on, I need to run the TVService as "Local System", which means the TV server can just do everything. I also tried running it as "Local Service", but that doesn't work, the same way "NT Service\TVService" doesn't work.

Running as "NT Service\TVService" or "Local Service", it looks like the TV server is unable to correctly talk to my TV card. It has an LED which shows activity. This LED just lights up for a short time (so some communication is happening) but then immediately turns off.
With "Local System", watching, recording TV and channel scan just works.

I verified this with my HTPC and PCTV 461e TV card. On this system, I also checked with a Digital Devices Cine S2 V7 Advanced.
I could reproduce it on a Laptop with the PCTV 461e TV card, too.
OS: Windows 11 Pro 24H2 x64 Build 26100.6584.

With the Digital Devices Cine S2 V7 Advanced, the DD Control Center didn't even show that the card is used. When the tuner is tuned, the control center normally shows some details like frequency and reception strength.

I attached the debug logs when running under "NT Service\TVService" and trying to watch a channel; IP addresses, names of recordings and computer names masked.

One thing I think I noticed: when running the TVService as "Local System", watching a program and then stopping the service and starting it again running as "NT Service\TVService", it might work for some time - but it definitely doesn't survive a reboot.
 

Attachments

  • streaming server.Log
    162 bytes
  • TsWriter.log
    4.4 KB
  • TVService.log
    40.7 KB
  • TVService-Error.log
    110 bytes

2BitSculptor

    The update had trashed my network where I couldn't read folders on any of my network share drives; my TV Server EPG could be read, but the Time Shift folder files could not be played, and Recorded TV listed programs that would not play. The update asked for network certifications that wouldn't resolve. I deleted the update and set my PCs to delay updates. My wife's PC still cannot connect to the network printer because of errors in trying to delete the update. It appears to be an issue affecting thousands of networked PCs. Waiting for MS to fix.
     

    Andy_2639

    I can't connect the problem to networking. It appeared over the network (with RTSP) as well as with a single-seat setup.

    Your SMB problems might be connected to the SMB/NTLM hardening that Microsoft is currently doing. SMB version 1 shall die and AFAIK MS is automatically uninstalling it. Also, replay-attack protection for NTLM is going to be enforced step by step, IIRC.

    I'm most probably not affected by this because I already enabled some mitigations via Group Policies/Registry. Be aware that these settings are rather strict and need some deviations on client/server to allow SMB/RDP communication (especially ClientAllowedNTLMServers/RestrictSendingNTLMTraffic and RestrictReceivingNTLMTraffic - that's what I have to change in my network with just Windows 11 computers). I intend this more as a starting point for researching which setting might cause your network to break.
    INI:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
    ;"ClientAllowedNTLMServers"=hex(7):
    "RestrictSendingNTLMTraffic"=dword:00000002
    ; https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic
    "RestrictReceivingNTLMTraffic"=dword:00000002
    ;"RestrictReceivingNTLMTraffic"=dword:00000001
    
    ; SMB hardening
    ; https://support.microsoft.com/en-us/help/2345886/description-of-the-update-that-implements-extended-protection-for-auth
    ; Client
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "SuppressExtendedProtection"=dword:00000000
    ; Server
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters]
    ;"SmbServerNameHardeningLevel"=dword:00000001
    "SmbServerNameHardeningLevel"=dword:00000002
    ;"SrvAllowedServerNames"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0]
    "ExtendedProtection"=dword:00000002
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "NoLmHash"=dword:00000001
    ; https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/active-directory-hardening-series---part-1-%e2%80%93-disabling-ntlmv1/3934787
    "LmCompatibilityLevel"=dword:00000005
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters]
    "AutoShareWks"=dword:00000000
    "EnablePlainTextPassword"=dword:00000000
    "enablesecuritysignature"=dword:00000001
    "requiresecuritysignature"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
    "EnablePlainTextPassword"=dword:00000000
    "EnableSecuritySignature"=dword:00000001
    "requiresecuritysignature"=dword:00000001
    "AllowInsecureGuestAuth"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
    ; https://support.microsoft.com/en-us/topic/2020-2023-and-2024-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a
    "LDAPServerIntegrity"=dword:00000002
    "LdapEnforceChannelBinding"=dword:00000002
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ldap]
    "ldapclientconfidentiality"=dword:00000002
    ; https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/active-directory-hardening-series---part-3-%E2%80%93-enforcing-ldap-signing/4066233
    ; https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements
    "ldapclientintegrity"=dword:00000002
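
As a starting point for the comparison suggested in the post above, the following added example (not part of the original post) reads a subset of the listed values from the local registry and shows where the machine differs from the posted settings. It makes no changes; the variable names are chosen here, and the keys, value names and values are taken from the listing.

```powershell
# Added example (not from the thread): read-only comparison of selected values
# from the posted .reg listing with what this machine currently has set.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# Key, value name, and the value the post sets (all taken from the listing).
$posted = @(
    @{ Key = "$lsa\MSV1_0"; Name = 'RestrictSendingNTLMTraffic';   Value = 2 }
    @{ Key = "$lsa\MSV1_0"; Name = 'RestrictReceivingNTLMTraffic'; Value = 2 }
    @{ Key = $lsa;          Name = 'LmCompatibilityLevel';         Value = 5 }
    @{ Key = $lsa;          Name = 'NoLmHash';                     Value = 1 }
    @{ Key = $srv;          Name = 'SmbServerNameHardeningLevel';  Value = 2 }
    @{ Key = $srv;          Name = 'requiresecuritysignature';     Value = 1 }
    @{ Key = $wks;          Name = 'requiresecuritysignature';     Value = 1 }
    @{ Key = $wks;          Name = 'AllowInsecureGuestAuth';       Value = 0 }
)

$report = foreach ($p in $posted) {
    # Missing keys or values are reported as "(not set)" instead of raising an error.
    $item = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($p.Name) } else { $null }
    [pscustomobject]@{
        Key     = $p.Key
        Name    = $p.Name
        Posted  = $p.Value
        Current = if ($null -eq $current) { '(not set)' } else { $current }
        Differs = ($current -ne $p.Value)
    }
}
$report | Format-Table -AutoSize

# The post names ClientAllowedNTLMServers as the place for per-server exceptions
# (commented out in the listing); show it if it exists.
$allow = Get-ItemProperty -Path "$lsa\MSV1_0" -Name 'ClientAllowedNTLMServers' -ErrorAction SilentlyContinue
if ($allow) { $allow.ClientAllowedNTLMServers } else { 'ClientAllowedNTLMServers: (not set)' }
```

Rows with `Differs` set to `True` are the settings where this machine and the posted configuration disagree, which narrows down which restriction to examine first.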