Permissions to use installutil.exe

Guest

I need to give a local account on the windows server permission to use
installutil.exe to uninstall/install .NET windows services without giving the
account Administrative access. Any ideas?
 
Hi David,

.Net Windows Service encapsulates the Win32 Windows Service API to implement
the architecture.

As the MSDN documentation says, Installutil.exe uses reflection to inspect the
specified assembly and find all Installer types with the
RunInstallerAttribute set to true. The tool then executes either the Install
method or the Uninstall method on each instance of the Installer type.

In the .Net Windows Service project, the ServiceInstaller class inherits
from the Installer type and overrides the "Install" method. So
Installutil.exe actually calls the ServiceInstaller.Install() method. If you
use Reflector to view the ServiceInstaller.Install() source code, you
will see that it internally calls the OpenSCManager win32 API to obtain the SCM
handle, then uses the CreateService win32 API to install the service
configuration information into the SCM database. Yes, all the things are
controlled by these 2 win32 APIs.

There are 2 types of security regarding the Windows Service: the access
rights for the SCM (install service) and the access rights for the service
object (start/stop service). We are concerned with the first, the SCM security.

When calling OpenSCManager, the .Net Framework passes "0xf003f" as the
"dwDesiredAccess" 3rd parameter. The SCM and service object security/access
rights are documented in the official document below:
"Service Security and Access Rights"
http://windowssdk.msdn.microsoft.com/en-us/library/ms685981.aspx

Yes, the 3rd parameter value "0xf003f" maps to the SC_MANAGER_ALL_ACCESS
(0xF003F) access right, which means that the code wanted to obtain all the
operation rights to the SCM. If you search "SC_MANAGER_ALL_ACCESS" in the
same page, you will find the table of which accounts are granted which
access rights. In the table, you can see that only the "Administrators" group is
assigned the SC_MANAGER_ALL_ACCESS access right. Also, there is a statement in
the above link to confirm our findings: "Only processes with Administrator
privileges are able to open handles to the SCM that can be used by the
CreateService and LockServiceDatabase functions." So only administrators can
use ServiceInstaller to install the service by default.

So the conclusion is that Installutil.exe can only be used by
Administrators.

Actually, this design in Windows makes sense. It is the result of security
considerations. A Windows Service normally runs under a high privilege account;
if a normal account can install an unknown service, it is easy for a
malicious user to elevate his privileges. For example, he can use
installutil.exe to install a hack service which runs under the Local Service
account. Then, when the service runs, the entire machine will be controlled
by the hacker with a normal user account. This is really a security hole. So
Windows only allows Administrators to install a service.

If you really want to change the default behavior and allow normal users to
install services, you have to change the SCM security setting with an
Administrator account. As the above link says, to get or set the security
descriptor for the SCM, use the QueryServiceObjectSecurity and
SetServiceObjectSecurity functions with a handle to the SCManager object. So
you have to p/invoke the DACL Win32 APIs to complete this task. The following
KB article provides a sample code snippet granting the Guest account
start, stop, delete and READ_CONTROL access to the specified service; the
same logic applies to the SCM security modification, but you have to pass the
SCManager object instead of the service object:
http://support.microsoft.com/?kbid=180116

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support Engineer
within 1 business day is acceptable. Please note that each follow up
response may take approximately 2 business days as the support professional
working with you may need further investigation to reach the most efficient
resolution. The offering is not appropriate for situations that require
urgent, real-time or phone-based interactions or complex project analysis
and dump analysis issues. Issues of this nature are best handled working
with a dedicated Microsoft Support Engineer by contacting Microsoft Customer
Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
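The reply above reduces the question to two things: the access mask that ServiceInstaller requests from OpenSCManager (0xF003F), and which principals the SCM's own DACL grants that mask to. The following Python is an added example, not code from the thread or from Microsoft: it decodes an SCM access mask into the named rights it contains, parses the SCM security descriptor in the SDDL form that `sc.exe sdshow scmanager` prints, and lists every SID that holds SC_MANAGER_CREATE_SERVICE, flagging any that is not Administrators or Local System. That is the check an administrator would run after loosening the SCM DACL as the reply describes, to confirm that only the one intended account gained install rights. The two descriptors are constructed samples (the first modelled on the usual default, the second with a placeholder account SID added); the rights and SID abbreviations are the documented SDDL ones.

```python
import re

# SC_MANAGER_* specific rights (winsvc.h) plus the standard rights that
# SC_MANAGER_ALL_ACCESS (0xF003F) folds in through STANDARD_RIGHTS_REQUIRED.
SC_MANAGER_RIGHTS = {
    0x00000001: "SC_MANAGER_CONNECT",
    0x00000002: "SC_MANAGER_CREATE_SERVICE",
    0x00000004: "SC_MANAGER_ENUMERATE_SERVICE",
    0x00000008: "SC_MANAGER_LOCK",
    0x00000010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x00000020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}
SC_MANAGER_ALL_ACCESS = 0xF003F
SC_MANAGER_CREATE_SERVICE = 0x2

# Two-letter SDDL access-right codes and the mask bits they expand to.
# "KA" is KEY_ALL_ACCESS, whose value happens to be the same 0xF003F.
SDDL_RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
# Well-known SID abbreviations as they appear in SDDL.
WELL_KNOWN_SIDS = {
    "AU": "Authenticated Users", "IU": "Interactive Users", "SU": "Service Logon",
    "SY": "Local System", "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
    "AC": "All Application Packages", "WD": "Everyone",
}
# Principals expected to hold SC_MANAGER_CREATE_SERVICE on a default host.
EXPECTED_INSTALLERS = {"BA", "SY"}

# Constructed sample, modelled on the default SCM descriptor that
# "sc.exe sdshow scmanager" reports; not captured from any particular host.
DEFAULT_SCM_SDDL = (
    "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
    "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)"
    "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
)
# Constructed: the same descriptor after a local service-install account
# (placeholder SID) has been granted connect, create-service, enumerate, read.
INSTALLER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
GRANTED_SCM_SDDL = DEFAULT_SCM_SDDL.replace(
    "S:", f"(A;;CCDCLCRC;;;{INSTALLER_SID})S:", 1)


def decode_mask(mask: int) -> list[str]:
    """Expand an SCM access mask into the named rights it contains."""
    names = [name for bit, name in SC_MANAGER_RIGHTS.items() if mask & bit]
    known = 0
    for bit in SC_MANAGER_RIGHTS:
        known |= bit
    if mask & ~known:
        names.append(f"UNKNOWN(0x{mask & ~known:X})")
    return names


def sddl_rights_to_mask(rights: str) -> int:
    """Turn the rights field of an SDDL ACE into a numeric access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"odd-length SDDL rights string: {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]
    return mask


def parse_dacl(sddl: str) -> list[tuple[str, int, str]]:
    """Return (ace_type, access_mask, sid) for each ACE in the DACL part."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # stops at the SACL "S:"
    if not m:
        return []
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: {ace!r}")
        ace_type, _flags, rights, _obj, _inh_obj, sid = fields
        aces.append((ace_type, sddl_rights_to_mask(rights), sid))
    return aces


def principals_with_right(sddl: str, right: int) -> list[str]:
    """SIDs granted `right`; a deny ACE for the same SID is treated as
    overriding (a simplification of Windows' ordered ACE evaluation)."""
    aces = parse_dacl(sddl)
    denied = {sid for t, mask, sid in aces if t == "D" and mask & right}
    return [sid for t, mask, sid in aces
            if t == "A" and mask & right and sid not in denied]


def audit_create_service(sddl: str) -> list[str]:
    """Principals able to CreateService on the SCM that are not expected to."""
    return [sid for sid in principals_with_right(sddl, SC_MANAGER_CREATE_SERVICE)
            if sid not in EXPECTED_INSTALLERS]


if __name__ == "__main__":
    print("0xF003F =", ", ".join(decode_mask(SC_MANAGER_ALL_ACCESS)))
    for label, sddl in (("default", DEFAULT_SCM_SDDL), ("granted", GRANTED_SCM_SDDL)):
        holders = principals_with_right(sddl, SC_MANAGER_CREATE_SERVICE)
        print(label, "CreateService:", [WELL_KNOWN_SIDS.get(s, s) for s in holders])
        print(label, "unexpected installers:", audit_create_service(sddl))
```

On the default descriptor only `BA` (Administrators) carries the `DC` bit, which is the reply's finding in DACL form: Interactive and Service logons get connect, enumerate, query-lock and read-control, but not create-service. After the constructed grant the audit reports exactly the placeholder SID, which is what you want to see; any additional SID in that list means the DACL change was broader than intended. Note that installutil.exe still asks for the full 0xF003F mask, so an account granted only `CCDCLCRC` will be refused by OpenSCManager even though it could create a service through a narrower request; the audit above answers "who can create services", not "who can run installutil".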
 
Additionally, the KB article sample code is written in C/C++, so you need to
p/invoke it yourself to use it in .Net. The interop newsgroup is a good place to
ask for p/invoke help. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
 
Hi,

How about this issue now? Does my reply make sense to you? If you still
need any help or have any concern, please feel free to tell me, thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
 