I'm working on an application that manages services that make up some product. Up to now, it was foreseen that this application was started with elevation (so the user had to confirm a UAC prompt). It appeared that for most operations, elevation was not needed, like starting and stopping services.

The application normally will be run by a member of the local Administrators group; these people can start services.msc, and they can then start and stop services. So I expected it to "just work":

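// The ServiceController constructor takes (service name, machine name).
ServiceController sc = new ServiceController("MyServiceApp", Environment.MachineName);
sc.Start(); // fails here with "access denied"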

It fails with an "access denied" exception. So I added

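// Code access security demand for control of the service (access, machine name, service name).
ServiceControllerPermission scp =
    new ServiceControllerPermission(ServiceControllerPermissionAccess.Control, Environment.MachineName, "MyServiceApp");
scp.Demand();
// The ServiceController constructor takes (service name, machine name).
ServiceController sc = new ServiceController("MyServiceApp", Environment.MachineName);
sc.Start(); // still fails with "access denied"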

The Demand succeeds, the Start still fails.

I read a lot of questions (and answers) on issues with ServiceController and security on StackExchange; a lot of the answers suggest elevation is needed. Since I (I am a member of the local Administrators group) can just start and stop using services.msc, I just don't buy it.

So what's up with services.msc - and what's up with my code? I do have UAC enabled and I don't want to disable it. To start or stop a service, no elevation is needed, right? Otherwise services.msc would need elevation too? (A colleague of mine suggested services.msc contained some 'special code' that 'made it work'; I don't buy that either.)

Thanks for any answers.

1 Answer

Services.msc (the mmc.exe) is not necessarily running with elevated/administrative privileges.

You can make some "special code" that asks Windows to run your program as elevated. You'll use a manifest file.

How do I force my .NET application to run as administrator? https://stackoverflow.com/a/4084620/787893

agent-j
  • I have UAC enabled. I do not need to confirm elevation for running services.msc. How then does it get elevation? A manifest does not grant it, it just specifies it needs it. My manifest currently states "AsInvoker" - I don't want to run elevated. I accept not getting the right to start the service, but I know I have it, without elevation, by starting services.msc. – user3110963 Dec 17 '13 at 12:15
  • I haven't looked at the services.msc MMC specifically, but some apps, like taskmgr.exe will run normally, and then launch another instance elevated. – agent-j Dec 17 '13 at 19:39
  • Found this article: http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx#id0560031 -> so, yes, you are right, it is in the manifest, specifying "autoelevation", which works only for executables which have a specific digital signature. – user3110963 Dec 20 '13 at 08:51
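
A diagnostic for the situation discussed in this thread, as an added example that is not part of the original posts: it reads the process token's elevation type with GetTokenInformation and reports when `sc.Start()` is refused because an "AsInvoker" process holds the filtered, non-elevated token of an administrator. The class name and messages are made up for the example; "MyServiceApp" is the service name from the question.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.ServiceProcess;

static class ServiceStartDiagnostic // hypothetical name, added example
{
    const int TokenElevationTypeClass = 18; // TOKEN_INFORMATION_CLASS.TokenElevationType
    const int ErrorAccessDenied = 5;        // Win32 ERROR_ACCESS_DENIED

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int infoLength, out int returnLength);

    // TOKEN_ELEVATION_TYPE: 1 = Default, 2 = Full (elevated), 3 = Limited (filtered).
    static int GetElevationType()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            int type, length;
            if (!GetTokenInformation(id.Token, TokenElevationTypeClass,
                                     out type, sizeof(int), out length))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return type;
        }
    }

    // ServiceController surfaces Win32 errors directly or wrapped in InvalidOperationException.
    static bool IsAccessDenied(Exception ex)
    {
        var win32 = ex as Win32Exception ?? ex.InnerException as Win32Exception;
        return win32 != null && win32.NativeErrorCode == ErrorAccessDenied;
    }

    static int Main(string[] args)
    {
        string service = args.Length > 0 ? args[0] : "MyServiceApp";
        int type = GetElevationType();
        Console.WriteLine("Token elevation type: {0}", type);
        try
        {
            using (var sc = new ServiceController(service, Environment.MachineName))
                sc.Start();
            return 0;
        }
        catch (Exception ex) when (IsAccessDenied(ex))
        {
            Console.WriteLine(type == 3 ? "Access denied on the filtered (non-elevated) token."
                                        : "Access denied: the caller lacks start rights on this service.");
            return 1;
        }
    }
}
```

Run from a normal prompt as a member of Administrators with UAC enabled, it prints elevation type 3 before the access-denied message; from an elevated prompt it prints type 2.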