7

How to start and stop window service without having admin privileges?

My application launch should start my service same way it has to stop once it is closed. I can do this using "Service Controller "

I can install the service with Admin privilege but for starting and stopping the service should not ask admin privileges.

Can anybody tell me how I can achieve this using c#?

Vinay MS
  • 550
  • 3
  • 6
  • 21
  • 4
    possible duplicate of http://stackoverflow.com/questions/4436558/start-stop-a-windows-service-from-a-non-administrator-user-account – Adam Jun 01 '12 at 12:52
  • what service you are trying to start and stop. which os you are using – Romil Kumar Jain Jun 01 '12 at 12:53
  • 1
    You solve it by granting suitable permissions, as per: the answer in Adam's link. You don't solve it through C# (unless you want to write a tool, but since `sc` already exists, why bother?). – Damien_The_Unbeliever Jun 01 '12 at 14:34
  • @Damien_The_Unbeliever:This SC is not doing as expected for me..Need to launch the cmd prompt with admin privilege..more over guest account doesn't option to start or stop.. – Vinay MS Jun 04 '12 at 11:30

1 Answers1

3

I have discovered the way to give a permission to start/stop the service for non admin users. We can provide a group policy for our service so this can be start/stop without administrator privilege. I found two approach to achieve this task.

Approach 1 :

  1. Create the console from “mmc.exe”
  2. Created the blank security template
  3. Created a security database to store the policy information
  4. Change the service permission to the user which we want to give a permission
  5. Applied new security permission ( I referred this blog)

This approach works perfectly fine, I have created two non admin user account in one virtual machine and set the permission from admin account, I could able to start and stop the service from both non admin user accounts. However this approach was not a complete solution for the problem, It involves lot of manual steps. So I start looking automate this process. Result of that I found the approach 2

Approach 2 : Grant the permission using “Subinacl.exe”, SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

I followed the same example of create two non admin user account and execute command SUBINACL /SERVICE \DomainName\MyService /GRANT=DomainName\USERS=TOP so this will grant the user to start/stop the service.

Vinay MS
  • 550
  • 3
  • 6
  • 21
  • Just keep in mind that there is a reason this permission is not granted to regular users by default. You may be opening security vulnerabilities within your network. – JDB Jun 05 '12 at 17:27