My setup

  • Windows 10
  • Visual Studio 2017
  • Windows SDK 10.0.17763.0

I've checked a few answers similar to mine, such as:

but none of those situations are as bad as mine. Other people's code all requests admin permissions such as `SC_MANAGER_ALL_ACCESS`, but my code only asks for `GENERIC_EXECUTE`, which seems perfectly normal for a regular user account:

```cpp
// Open the local SCM database, requesting GENERIC_EXECUTE access.
SC_HANDLE hSC = ::OpenSCManager(NULL, NULL, GENERIC_EXECUTE);
if (hSC == NULL) {
    error("Error opening SCManager {}. Aborted.", GetLastError());
    return Mam_ErrorWindowsAppleDeviceServiceInit;
}
```

Now this call always fails, and `GetLastError()` gives `ERROR_ACCESS_DENIED` (0x5).

I tried to open Visual Studio as Admin, then the above call passes.

The above code worked a week ago. There might be a Windows 10 update behind my back that I don't know of, but could this simply be a change in Windows security policy?

kakyo
  • Does it work now with `SC_MANAGER_ALL_ACCESS`? If yes, then this is probably due to some updates pushed as part of the May 2019 update, which are around Windows Hello and support for YubiKey through the smart card interface. Just my takeaway. – Soumen Mukherjee Sep 16 '19 at 14:07
  • Do you need to call `LockServiceDatabase`? What are you asking for `GENERIC_EXECUTE` for? – RbMm Sep 16 '19 at 14:15
  • @RbMm Thanks for the tip. Very good question. I need to verify, but it seems my app won't need to "Start" the service before opening it, which is to happen right after `OpenSCManager`. So I could try tweaking the privilege. – kakyo Sep 16 '19 at 23:13
  • @SoumenMukherjee By "does it work with `SC_MANAGER_ALL_ACCESS`", do you mean as Admin or regular user? – kakyo Sep 16 '19 at 23:14

1 Answer

Thanks to @SoumenMukherjee's and @RbMm's tips. I found that LocalSystem privilege that the service I was about to open demands that

  • SC_MANAGER_LOCK
  • SERVICE_START
  • SERVICE_STOP

should be used as Admin.

If this hasn't changed for a while on the Windows side, then the code I recently inherited may never have worked as expected before. Now, basically the user has to start the service or grant proper Admin privileges to the app during installation or at run time.

However, I don't really need `SC_MANAGER_LOCK`, so replacing `GENERIC_EXECUTE` with `STANDARD_RIGHTS_EXECUTE | SC_MANAGER_CONNECT` fixed the issue.

These resources helped.

kakyo
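
Why the replacement mask in the answer above is accepted, as an added example (not code from the original post): a portable C model of how the SCM expands `GENERIC_EXECUTE` before the access check. The `scm_*` helpers are hypothetical names, and the mask granted to a non-admin user is an assumption based on the documented default SCM permissions.

```c
#include <stdint.h>
#include <stdio.h>

/* Values from winnt.h / winsvc.h, repeated so this compiles on any platform. */
#define GENERIC_READ                  0x80000000u
#define GENERIC_WRITE                 0x40000000u
#define GENERIC_EXECUTE               0x20000000u
#define GENERIC_ALL                   0x10000000u
#define READ_CONTROL                  0x00020000u
#define STANDARD_RIGHTS_EXECUTE       READ_CONTROL /* as are _READ and _WRITE */
#define SC_MANAGER_CONNECT            0x0001u
#define SC_MANAGER_CREATE_SERVICE     0x0002u
#define SC_MANAGER_ENUMERATE_SERVICE  0x0004u
#define SC_MANAGER_LOCK               0x0008u
#define SC_MANAGER_QUERY_LOCK_STATUS  0x0010u
#define SC_MANAGER_MODIFY_BOOT_CONFIG 0x0020u
#define SC_MANAGER_ALL_ACCESS         0x000F003Fu

/* ASSUMPTION: rights the default SCM DACL grants a local non-admin user. */
#define SCM_LOCAL_USER_GRANTED (READ_CONTROL | SC_MANAGER_CONNECT | \
        SC_MANAGER_ENUMERATE_SERVICE | SC_MANAGER_QUERY_LOCK_STATUS)

/* Hypothetical helper: expand generic bits using the SCM's generic mapping. */
uint32_t scm_map_generic(uint32_t desired) {
    uint32_t out = desired & 0x0FFFFFFFu;   /* keep the non-generic bits */
    if (desired & GENERIC_READ)
        out |= READ_CONTROL | SC_MANAGER_ENUMERATE_SERVICE | SC_MANAGER_QUERY_LOCK_STATUS;
    if (desired & GENERIC_WRITE)
        out |= READ_CONTROL | SC_MANAGER_CREATE_SERVICE | SC_MANAGER_MODIFY_BOOT_CONFIG;
    if (desired & GENERIC_EXECUTE)          /* note the hidden SC_MANAGER_LOCK */
        out |= STANDARD_RIGHTS_EXECUTE | SC_MANAGER_CONNECT | SC_MANAGER_LOCK;
    if (desired & GENERIC_ALL)
        out |= SC_MANAGER_ALL_ACCESS;
    return out;
}

/* Hypothetical helper: rights that would be refused; 0 means the open is allowed. */
uint32_t scm_denied_rights(uint32_t desired, uint32_t granted) {
    return scm_map_generic(desired) & ~granted;
}

int main(void) {
    printf("GENERIC_EXECUTE denied: 0x%X; replacement mask denied: 0x%X\n",
           (unsigned)scm_denied_rights(GENERIC_EXECUTE, SCM_LOCAL_USER_GRANTED),
           (unsigned)scm_denied_rights(STANDARD_RIGHTS_EXECUTE | SC_MANAGER_CONNECT,
                                       SCM_LOCAL_USER_GRANTED));
    return 0;
}
```

On a real machine the result depends on the SCM's actual security descriptor, which `sc sdshow scmanager` prints.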