
I have a Windows service that works fine with my application on the admin user. Once I log in as a non-admin user, I need this user to be able to start, stop, and check the status of the service. I have used the advapi32.dll library to be able to do this, but using this I am required to have the names of the users and the name of the service, so I would have to run this program every time a new user is added. I need a way to allow the service to communicate with all users, even newer users created after the service has been installed.

I have been trying to figure out a way to do this by using InstallShield service settings during installation. There is one field in which you can create permissions; the only problem is that this is done using SDDL and it looks like this: O:<[%USERDOMAIN]>G:BAD:(D;OICI;GA;;;BG)(A;OICI;GRGWGX;;;<[%USERDOMAIN]>)(A;OICI;GA;;;BA)S:ARAI(AU;SAFA;FA;;;WD)

Does anybody know a method to do this, or can guide me through the SDDL if this is possible?

Thanks

user3614070
  • Already asked and answered here: http://stackoverflow.com/q/8379697/886887 – Harry Johnston Nov 06 '14 at 01:18
  • Also, the meaning of the SDDL string for the default service security descriptor: http://stackoverflow.com/a/26767296/886887 – Harry Johnston Nov 06 '14 at 01:19
  • The key point being that the ACL doesn't need to specify each individual user, the [SID string component](http://msdn.microsoft.com/en-us/library/windows/desktop/aa379602%28v=vs.85%29.aspx) can represent a well-known SID, in this case probably "IU" for the "interactively logged on user" SID, or "AU" if you happen to want non-admin users to be able to control the service over the network. – Harry Johnston Nov 06 '14 at 01:31
  • I was able to do this by using InstallShield. I changed the SDDL in the service's properties parameter from: "O:<[%USERDOMAIN]>G:BAD:(D;OICI;GA;;;BG)(A;OICI;GRGWGX;;;<[%USERDOMAIN]>)(A;OICI;GA;;;BA)S:ARAI(AU;SAFA;FA;;;WD)" to "O:<[%USERDOMAIN]>G:BAD:(A;OICI;GA;;;WD)(A;OICI;GRGWGX;;;<[%USERDOMAIN]>)(A;OICI;GA;;;WD)S:ARAI(AU;SAFA;FA;;;WD)". Basically just changing BG to WD, which means changing "Built-in Guests" to "Everyone". Therefore now every user, even with no admin rights, can access the service. Thanks Harry for your replies, those were very helpful too – user3614070 Nov 06 '14 at 01:36
  • I really have no idea what "Builtin Guests" could have been doing there in the first place. Giving guest accounts administrator rights over your service makes no sense at all. – Harry Johnston Nov 06 '14 at 03:52
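The following is an added example and not part of the question or the comments above. It is a small Python parser for service security descriptors in SDDL form that expands each DACL entry into concrete service access rights and reports what a given SID ends up with. The two-letter right codes and the generic-rights mapping follow the Windows service access-rights documentation; the well-known SID abbreviations (WD, BG, BA, IU, AU, SY) are the standard SDDL ones. The `ORIGINAL` and `MODIFIED` strings are the two descriptors quoted on this page; `LEAST_PRIVILEGE` is my own suggested alternative that grants interactive users (IU, as Harry Johnston's comment proposes) only what the question asks for, start, stop and status, instead of GA (full control, which includes WRITE_DAC and SERVICE_CHANGE_CONFIG) for Everyone.

```python
"""Parse Windows service SDDL strings and report effective service rights (added example)."""
import re

# Two-letter SDDL right codes for service objects (Windows service access rights docs).
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Generic rights expand through the service generic mapping; GA is everything.
GENERIC = {
    "GR": ["RC", "CC", "LC", "LO", "SW"],
    "GW": ["RC", "DC"],
    "GX": ["RC", "RP", "WP", "DT", "CR"],
    "GA": list(RIGHTS),
}
WELL_KNOWN_SIDS = {"WD": "Everyone", "BG": "Builtin Guests", "BA": "Builtin Administrators",
                   "IU": "Interactive users", "AU": "Authenticated users", "SY": "Local System"}

# What the question needs a non-admin user to be able to do.
CONTROL = {"SERVICE_START", "SERVICE_STOP", "SERVICE_QUERY_STATUS"}
# Rights that let a principal change the service or its ACL; never hand these to Everyone.
PRIVILEGED = {"WRITE_DAC", "WRITE_OWNER", "DELETE", "SERVICE_CHANGE_CONFIG"}

# Descriptors quoted on the page (the <[%USERDOMAIN]> token is an InstallShield placeholder).
ORIGINAL = ("O:<[%USERDOMAIN]>G:BAD:(D;OICI;GA;;;BG)(A;OICI;GRGWGX;;;<[%USERDOMAIN]>)"
            "(A;OICI;GA;;;BA)S:ARAI(AU;SAFA;FA;;;WD)")
MODIFIED = ("O:<[%USERDOMAIN]>G:BAD:(A;OICI;GA;;;WD)(A;OICI;GRGWGX;;;<[%USERDOMAIN]>)"
            "(A;OICI;GA;;;WD)S:ARAI(AU;SAFA;FA;;;WD)")
# Suggested alternative (mine, not from the page): interactive users get start/stop/query only,
# administrators and Local System keep full control; the audit SACL is unchanged.
LEAST_PRIVILEGE = ("O:BAG:BAD:(A;;CCLCSWRPWPDTLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                   "(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:ARAI(AU;SAFA;FA;;;WD)")

ACE_RE = re.compile(r"\(([^)]*)\)")


def expand_rights(mask: str) -> set:
    """Turn a rights field such as 'GRGWGX' or 'CCLCSWRP' into concrete right names."""
    rights = set()
    for code in re.findall(r"[A-Z]{2}", mask):
        if code in GENERIC:
            rights.update(RIGHTS[c] for c in GENERIC[code])
        elif code in RIGHTS:
            rights.add(RIGHTS[code])
        else:
            raise ValueError(f"unknown right code {code!r}")
    return rights


def parse_sddl(sddl: str) -> dict:
    """Split an SDDL string into owner, group, DACL and SACL, with ACEs as dicts."""
    sd = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for chunk in re.split(r"(?=[OGDS]:)", sddl):  # split before each O:/G:/D:/S: section
        if not chunk:
            continue
        key, body = chunk[0], chunk[2:]
        if key == "O":
            sd["owner"] = body
        elif key == "G":
            sd["group"] = body
        else:
            aces = []
            for ace in ACE_RE.findall(body):
                # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
                ace_type, flags, rights, _, _, sid = ace.split(";")
                aces.append({"type": ace_type, "flags": flags, "rights": rights, "sid": sid})
            sd["dacl" if key == "D" else "sacl"] = aces
    return sd


def effective_access(sddl: str) -> dict:
    """Map each SID with an allow ACE to its allowed rights minus any rights denied to it."""
    allowed, denied = {}, {}
    for ace in parse_sddl(sddl)["dacl"]:
        bucket = allowed if ace["type"] == "A" else denied
        bucket.setdefault(ace["sid"], set()).update(expand_rights(ace["rights"]))
    return {sid: rights - denied.get(sid, set()) for sid, rights in allowed.items()}


def can_control_service(sddl: str, sid: str) -> bool:
    """True when the SID can start, stop and query the service."""
    return CONTROL <= effective_access(sddl).get(sid, set())


def privileged_rights(sddl: str, sid: str) -> set:
    """Rights the SID holds that go beyond controlling the service (ACL/config/delete)."""
    return effective_access(sddl).get(sid, set()) & PRIVILEGED


if __name__ == "__main__":
    for name, sddl in (("original", ORIGINAL), ("modified", MODIFIED), ("suggested", LEAST_PRIVILEGE)):
        print(f"== {name}")
        for sid, rights in effective_access(sddl).items():
            label = WELL_KNOWN_SIDS.get(sid, sid)
            print(f"  {label}: control={CONTROL <= rights} privileged={sorted(rights & PRIVILEGED)}")
```

Running it shows the trade-off in the comment thread: the modified descriptor does let Everyone start and stop the service, but it also gives Everyone WRITE_DAC, WRITE_OWNER, DELETE and SERVICE_CHANGE_CONFIG, i.e. any user can rewrite the ACL or repoint the service binary. The suggested descriptor grants interactive users only the control rights; substitute AU for IU if remote non-admin users must also control it. On a live system the descriptor is read with `sc.exe sdshow <ServiceName>` and written with `sc.exe sdset <ServiceName> "<SDDL>"`.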
