Starting Windows Services from Applications without Administrator Privileges

Many scenarios involve starting or stopping Windows services from separate applications. However, this may seem restricted for non-administrator users due to security concerns. How can we overcome this limitation and empower users with granular control over service management without compromising system stability?

The Solution: Modifying Service Permissions

The key to this issue lies in modifying the permissions of the service object. By granting appropriate rights to non-administrative users, we can allow them to interact with services in a controlled manner.

The following code snippet demonstrates how to set the security descriptor for a service to include the required permissions:

wchar_t sddl[] = L"D:"
  L"(A;;CCLCSWRPWPDTLOCRRC;;;SY)"           
  L"(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"   
  L"(A;;CCLCSWLOCRRC;;;AU)"                 
  L"(A;;CCLCSWRPWPDTLOCRRC;;;PU)"           
  L"(A;;RP;;;IU)"                         
;

PSECURITY_DESCRIPTOR sd;

if (!ConvertStringSecurityDescriptorToSecurityDescriptor(sddl, SDDL_REVISION_1, &sd, NULL))
{
   fail();
}

if (!SetServiceObjectSecurity(service, DACL_SECURITY_INFORMATION, sd))
{
   fail();
}

This specific security descriptor grants the following permissions:

• Default permissions for local system: Grants full control to the local system account.
• Default permissions for administrators: Grants access for administrators.
• Default permissions for authenticated users: Grants limited access for all authenticated users.
• Default permissions for power users: Grants full control for power users.
• Added permission for interactive users: Grants permission to start the service for interactive users.

The security descriptor string (SDDL) can be customized to add or remove specific permissions based on the desired level of access for various user groups. For instance, if you want non-admin users to be able to stop the service, the following SDDL can be used:

L"(A;;RPWP;;;IU)" 

This would add the WP (WRITE_PROPERTY) right, allowing interactive users to both start and stop the service.

By carefully setting the permissions, non-administrator users can perform essential service management tasks without compromising system security.