
HOWTO: Remotely set permissions for a Windows Service

07/14/07

09:26:39 pm by guy, Categories: Windows

Recently I had a situation where one of our developers had a Windows Service that he wanted to be able to control (start and stop) using an application. The application was run in a user context so it didn’t have permission to start or stop services. After some research I came up with this procedure. It isn’t something that I do frequently, but it is good to have documented somewhere.

This procedure will allow you to grant a user or group access to start and stop a specific Windows Service using a non-administrative account.

I used this method to allow the “celluser” account access to start and stop the “MyService” service on a remote machine. There are probably various ways to do this, but I used the PsExec tool to remotely copy and execute the SetACL tool and set the permissions.

PsExec is a utility from Sysinternals (now Microsoft).
SetACL is a utility I found on SourceForge.


First, we list the current privileges:
Y:\>psexec \\2qds941 -c c:\setacl -on "MyService" -ot srv -actn list

PsExec v1.71 - Execute processes remotely
Copyright (C) 2001-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

"MyService",2,"DACL(not_protected):NT AUTHORITY\SYSTEM,start_stop,allow,no_inheritance:BUILTIN\Administrators,full,allow,no_inheritance:NT AUTHORITY\Authenticated Users,read,allow,no_inheritance:BUILTIN\Power Users,start_stop,allow,no_inheritance"

SetACL finished successfully.
setacl.exe exited on 2qds941 with error code 0.

Now we grant celluser start and stop access on MyService:
Y:\>psexec \\2qds941 -c c:\setacl -on "MyService" -ot srv -actn ace -ace "n:celluser;p:start_stop"

PsExec v1.71 - Execute processes remotely
Copyright (C) 2001-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

Processing ACL of: MyService

SetACL finished successfully.
setacl.exe exited on 2qds941 with error code 0.

Finally we verify that the changes were successful:
Y:\>psexec \\2qds941 -c c:\setacl -on "MyService" -ot srv -actn list

PsExec v1.71 - Execute processes remotely
Copyright (C) 2001-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

"MyService",2,"DACL(not_protected):Celluser,start_stop,allow,no_inheritance:NT AUTHORITY\SYSTEM,start_stop,allow,no_inheritance:BUILTIN\Administrators,full,allow,no_inheritance:NT AUTHORITY\Authenticated Users,read,allow,no_inheritance:BUILTIN\Power Users,start_stop,allow,no_inheritance"

SetACL finished successfully.
setacl.exe exited on 2qds941 with error code 0.

Another method would be to use the SC utility that is included with Windows XP, but it is MUCH more cryptic because you need to know about ACEs and the SDDL syntax. Here I show using that utility to just SHOW permissions on the same service:
Y:\>psexec \\2qds941 sc sdshow MyService

PsExec v1.71 - Execute processes remotely
Copyright (C) 2001-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

D:(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-21-1986275044-885999032-1555891258-2583)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc exited on 2qds941 with error code 0.
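
To make the sc sdshow string above readable, the following added example (not part of the original post, and not code from SetACL or Sysinternals) decodes a service DACL into per-trustee rights and reports any non-administrative trustee that can reconfigure the service or rewrite its ACL. The function names and the short right labels such as "start" and "change_config" are assumptions chosen for this example; the two-letter codes map to the standard service access rights.

```python
import re

# SDDL right codes as they apply to service objects (SERVICE_* access rights).
RIGHTS = {
    "CC": "query_config", "DC": "change_config", "LC": "query_status",
    "SW": "enumerate_dependents", "RP": "start", "WP": "stop",
    "DT": "pause_continue", "LO": "interrogate", "CR": "user_defined_control",
    "SD": "delete", "RC": "read_control", "WD": "write_dac", "WO": "write_owner",
}
# SID aliases that appear in the output on this page.
TRUSTEES = {"SY": r"NT AUTHORITY\SYSTEM", "BA": r"BUILTIN\Administrators",
            "AU": r"NT AUTHORITY\Authenticated Users", "PU": r"BUILTIN\Power Users"}
# Rights that let the holder reconfigure the service or rewrite its ACL.
SENSITIVE = {"change_config", "write_dac", "write_owner"}

# The sc sdshow output from this page, including the console line wrap.
PAGE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-21-1986275044-885999032-1555891258-2583)"
             "(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTL\n"
             "OCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

def parse_service_dacl(sddl):
    """Decode the DACL of an `sc sdshow` string into a list of ACE dicts."""
    sddl = "".join(sddl.split())               # undo console line wrapping
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, _flags, rights, _obj, _inherit_obj, sid = fields
        # Hex masks (0x...) are kept raw; unknown two-letter codes pass through.
        codes = [rights] if rights.startswith("0x") else re.findall("..", rights)
        aces.append({"type": {"A": "allow", "D": "deny"}.get(ace_type, ace_type),
                     "trustee": TRUSTEES.get(sid, sid),
                     "rights": [RIGHTS.get(c, c) for c in codes]})
    return aces

def risky_grants(aces, trusted=(r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators")):
    """List (trustee, sensitive rights) for allow ACEs held outside `trusted`."""
    found = []
    for ace in aces:
        hits = [r for r in ace["rights"] if r in SENSITIVE]
        if ace["type"] == "allow" and ace["trustee"] not in trusted and hits:
            found.append((ace["trustee"], hits))
    return found

if __name__ == "__main__":
    for ace in parse_service_dacl(PAGE_SDDL):
        print(ace["type"], ace["trustee"], ",".join(ace["rights"]))
    print("sensitive grants:", risky_grants(parse_service_dacl(PAGE_SDDL)))
```

For the DACL on this page the sensitive-grant list is empty: the ACE for the SID ending in 2583 carries start and stop but none of change_config, write_dac or write_owner.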

I’m sorry if I didn’t explain the parameters of the SetACL.exe command, but I’m posting this from some notes I made a couple months ago. I’m sure a quick SetACL.exe /? will explain all.
