I have a service application that supports both start as service and interactive mode. The service I register is executed as the NetworkService user; the interactive mode is running as a computer administrator (normal users have no access to the program).
Now, some resources (e.g. files) are only available to the user NetworkService. Can I somehow tell the program to run the code as NetworkService, even if started by an administrator?
Now, some resources (e.g. files) are only available to the user NetworkService. Can I somehow tell the program to run the code as NetworkService, even if started by an administrator?
NetworkService is a low privilege account. Administrator is a high privilege one. Having a situation where files are available to NS but not do admin is somewhat unusual. While is true that an admin has the right to impersonate most accounts (WindowsIdentity.Impersonate(), see Hans link for NS impersonate issues), I would revisit the situation and make sure this is actually necessary. It is much more likely that the files in question can, and should, be ACL-ed differently so that both NS and Local Administrators have access to the file.
Also consider splitting the application into a service component, always running as service, and a UI component that the administrator can invoke. Have the UI communicate with the service over some protocol, eg. via LRPC or shared memory of even HTTP.
In general you can change permission for file if you have Administrator rights.
Or start code as NetworkService account with help PsExec.exe like described here