I am creating an installer that need to stop and then start a service named "MyService".
The installer is always run as admin, But some times the user of admin group does not have a permission to start and/or stop the service.
In this case I will get access denied when I try to start the service.
I want to check prior to start/stop service that if the user have permission to do so.
Found that using
sc sdshow myservice
This shows the security descriptor and I can GET the SID and access level.
From this finding out access, turned out to be difficult. That it can so have that a group that this user is member of is turned to have no access to start/stop service.
Finding the list of group of a user that he belongs to, I did not get any direct method.
Is there any way to find if the user (I have user name and SID) has permission to start/stop service Myservice?
If not any direct method to get list of groups that the user is member of?
Related
I was installing the filebeat application and I noticed that I needed to run powershell as administrator in order to install them. When I checked the service using wmic service get name,startname,status it showed Local System. I'm wondering what this account is as this is neither the user account or the administrator account. Will this always be the case when I install services as administrator? What is the difference if I install it as a normal user and as administrator?
In any case, I've set this service to start automatically when windows start. Would this service start only when the user I used to install it logs in or will it start regardless of which user logs in?
OK, let's unpack that one by one, in no particular order:
Only a user with administrator rights can install a service.
Services that are configured to start automatically are started as soon as Windows is up and running; Windows does not wait until somebody logs in. It makes no difference to the service who the logged-on user is, or whether anybody is logged in at all, unless the service application itself has been explicitly programmed to check.
The program that installs the service decides what account the service uses to run. Windows doesn't care what user account was used to install the service, it doesn't even keep track.
If the program that installs the service wants it to use an ordinary user account, it must know the password for that account. There are various special accounts that a service can run in, these accounts do not require a password. One of these special accounts is Local System.
Local System is the highest-privilege service account in Windows; it has all the same rights as an administrator, and can do things an administrator can't. Local System is also the account that the user-mode part of Windows itself runs in, roughly equivalent to the UNIX root account except that it doesn't have a password.
Additional notes, for completeness:
One alternative to Local System is for the service to run as Local Service or as Network Service, which are non-administrative service accounts. The only difference between the two is that if the computer is joined to an Active Directory domain, the Network Service account has network access to other machines in the domain and the Local Service account does not.
It is also possible to configure a service to run in a special service account that is unique to that particular service. This is mostly useful if you want the service to have access to a particular file or folder, but do not want to give it administrator rights.
Nitpickers corner:
It is I believe technically possible to reconfigure Windows to allow non-administrators to install services, but this is not supported and would be a Very Bad Idea. If you did, though, it would still make no difference who installed the service. Windows doesn't record this information.
A service, which I'm developing, needs to call ChangeServiceConfig2 to change its configuration parameters. The function requires a service handle. So, to get its handle, the service calls OpenSCManager, which succeeded, and later OpenService. In the parameter lpServiceName of OpenService function I specify the name of the service but I got "Access denied". I changed the access rights in the manifest file to "requireAdministrator" but still got the error.
In general, how could a Windows service get its handle?
When creating the service, the lpServiceStartName argument determines the security context that the service will run in.
From the documentation for CreateService:
If this parameter is NULL, CreateService uses the LocalSystem account.
So in order for your service to run with administrator privilege, you need to specify NULL instead of an account name. According to the comments, you are currently running as Local Service; this does not grant administrator privileges.
I'm writing a Windows Service that occasionally queries data in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles, to detect if the system has changed network (e.g. it's a laptop and they connect to a new Wifi Hotspot).
The Service must run as a LocalService account, so has no administration privileges, however the read permissions on this particular key and its subkeys are for Administrators ony, so the LocalService account is not able to read them.
I'd like to manually add read permissions for my Service to the key, but ONLY for that one Service. I could grant the "Local Service" account read privileges, but this would allow all LocalService Services to read the key, which I do not want. Is there any way of doing this, maybe creating a user account for a single application?
Vista added Service Isolation and it can assign a service SID to the process. You can then add this SID to the ACL of the registry key.
I have problem with creating service that has access to files on network disk.
Service must have admin rights and it will be run by users that don't have admin privileges.
I send path as UNC
and file is seen by service but it return ACCES_DENIED errors when try to open or do anything on Network drive.
When I run my service as server , everything works fine.
I try to find answer but everywhere I can found only partial answers that do not help me at all.
========
I read that standard service logged as SYSTEM can't have access to network.
So i tried to log id as
NetworkService, LocalService
It didn't work. After run it as one of those user my service can't save files on c:
Some kind of admin account.But I didn't manage to success on that.
Actually logged user.
I don't know how to get password for current user.
Still this will not work for user without admin rights.
========
Please tell me what can I do?
There are plenty of Services that use somehow network resources. How do they do that?
You need to configure your service to run as a user which has sufficient rights. In this case you are looking for rights to network shares. Typically that's going to need a domain user with appropriate rights. Normally you'd ask your network manager to create a dedicated user account for the purpose.
You appear to be labouring under some false information as to how services work. You talk about running the service under the account of the logged on user. Remember that services run when there are no users logged on. And remember that there may be multiple logged users at any point in time.
For me, the port was getting blocked through firewall, I had to add a inbound rule and specify the port which i was using in my application. This way firewall did not blocked my port for outgoing connections.
References:
https://www.firehousesoftware.com/webhelp/FH/Content/FHEnterprise/FHEnterpriseInstallationGuide/24_StaticPort.htm
How do I get Topshelf to run as a specific domain user account? I have in the configuration
x.RunAs("domain\username", "password");
I have in the code a console statement that prints out the Windows Identity that the process is running under. It is not the one I specified.
The code snip-it you indicated is the correct method to apply a user. A couple of things apply to this...
This only works for windows services, if you run it as a console app it will still run as you
All shelved processes run as the host user, so shelves will ignore any user settings
You can double check the user the service is registered to run as by going into services in mmc, find your service, goto the properties panel, and there's a Log On tab which will display the user the service is to run under.
If you are just running as a console app, just servicename install start and it should be running as the user it's been setup for.
If this doesn't help, reach out on the mailing list http://groups.google.com/group/topshelf-discuss.