Service running as [user] rather than [system]


Sims

Hi,

I have a service that needs to access the current user registry from time to
time.
But a service only works as SYSTEM and not as the current user.

How can I change that? Or at the very least get the service to launch an
application as the current user and not SYSTEM?

Many thanks

Sims
 
You can always start a service as a particular user. Just go to Services,
select your service and take the properties, there you can see a Log On tab,
and choose the Log on as "This account" option, and give the user name and password.
 
> You can always start a service as a particular user. Just go to Services,
> select your service and take the properties, there you can see a Log On tab,
> and choose the Log on as "This account" option, and give the user name and password.

Thanks,

But how can I do that programmatically?
When I install the service I don't see an option to install it as 'This
account' rather.
I can do it manually but I want the install procedure to do it itself.

Sims
 
> Thanks,
>
> But how can I do that programmatically?
> When I install the service I don't see an option to install it as 'This
> account' rather.
> I can do it manually but I want the install procedure to do it itself.
>
> Sims

Sims,

Recheck the CreateService call. There are two fields that are pointers
to the Account UserID and Password to run under. If these fields are
passed in as NULL, the SYSTEM Account is used. That is how you can
set up for a specific user. You can also change this later if need be.

An alternate method is to change the SID to get access of a specific
user. I've not figured all that out yet so I can't point you to a
source. That would be used when your service needs to work under
several different accounts at the same time.

Good luck,

David
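
The CreateService call described in the post above, as an added C# P/Invoke example that is not code from the thread. The class name `ServiceAccountInstaller` and the method `Install` are hypothetical; the last two arguments are the account and password fields David refers to, and passing null for the account gives LocalSystem.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class ServiceAccountInstaller // hypothetical name
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr OpenSCManager(string machine, string database, uint access);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr CreateService(IntPtr scm, string name, string displayName,
        uint access, uint serviceType, uint startType, uint errorControl,
        string binaryPath, string loadOrderGroup, IntPtr tagId, string dependencies,
        string serviceStartName, string password);
    [DllImport("advapi32.dll")] static extern bool CloseServiceHandle(IntPtr h);

    const uint SC_MANAGER_CREATE_SERVICE = 0x0002, SERVICE_QUERY_STATUS = 0x0004;
    const uint SERVICE_WIN32_OWN_PROCESS = 0x10, SERVICE_AUTO_START = 0x2, SERVICE_ERROR_NORMAL = 0x1;

    // account == null: the service runs as LocalSystem.
    // Otherwise account is "DOMAIN\user" (".\user" for a local account) with its password.
    public static void Install(string name, string exePath, string account, string password)
    {
        IntPtr scm = OpenSCManager(null, null, SC_MANAGER_CREATE_SERVICE);
        if (scm == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Quote the image path so a path containing spaces is not ambiguous.
            IntPtr svc = CreateService(scm, name, name, SERVICE_QUERY_STATUS,
                SERVICE_WIN32_OWN_PROCESS, SERVICE_AUTO_START, SERVICE_ERROR_NORMAL,
                "\"" + exePath + "\"", null, IntPtr.Zero, null, account, password);
            if (svc == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
            CloseServiceHandle(svc);
        }
        finally { CloseServiceHandle(scm); }
    }
}
```

CreateService does not grant the "Log on as a service" right mentioned later in the thread, so a service created for an account without that right installs but then fails to start with a logon error.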
 
> Recheck the CreateService call. There are two fields that are pointers
> to the Account UserID and Password to run under. If these fields are
> passed in as NULL, the SYSTEM Account is used. That is how you can
> set up for a specific user. You can also change this later if need be.
>
> An alternate method is to change the SID to get access of a specific
> user. I've not figured all that out yet so I can't point you to a
> source. That would be used when your service needs to work under
> several different accounts at the same time.

Hi,

Thanks David and Tom for the replies.
The problem is that the user runs the install program. During the install I
instruct the service to be installed but I do not know the user password and
user name.
If I could retrieve it during install then it would be great, but I cannot.

Even if I had a 'runonce' option to install the service per user I still
would not be able to get the user name and password.
My install program cannot retrieve the user name and password.

Sims.
 
> I have a service that needs to access the current user registry from time to
> time.
> But a service only works as SYSTEM and not as the current user.
>
> How can I change that? Or at the very least get the service to launch an
> application as the current user and not SYSTEM?
>
> Many thanks
>
> Sims

Hi again,

Further to my posts...
Is there any way that the [system] service could launch an application as the
current user?

Sims
 
Sims,

Just do what many other installs do: prompt the user appropriately for the
username and password for the user under which it is to run the service. If
you are running XP or later you can use the CredUIPromptForCredentials API
to validate the information given (invisibly of course - check the dwFlags).
Either that or you can go ahead and create the service, try starting it and
check the return code...

SQL Server install does this as do many others. There is no way I know of to
bypass such a mechanism - even Windows itself can do this during its own
install.

When the username / password is stored by CreateService, it is stored using
an "LSA Secret". This is information stored in a particular place in the
registry using reversible encryption and keys the system knows but in this
case you don't - it is "safe".

- Tim




Sims said:
>> I have a service that needs to access the current user registry from time to
>> time.
>> But a service only works as SYSTEM and not as the current user.
>>
>> How can I change that? Or at the very least get the service to launch an
>> application as the current user and not SYSTEM?
>>
>> Many thanks
>>
>> Sims
>
> Hi again,
>
> Further to my posts...
> Is there any way that the [system] service could launch an application as the
> current user?
>
> Sims
 
> Further to my posts...
> Is there any way that the [system] service could launch an application as
> the current user?
>
> Sims

There is no need to do so, just create a new logon session by calling
Win32's API "LogonUser" and use the token obtained to impersonate.

Search the KB, it contains articles and samples on how to call LogonUser from
.NET.

Willy.
 
Sims,

It is not a good practice to access HKEY_CURRENT_USER from a service - what
happens if that user no longer has a local profile on the machine.
Additionally, the term "current user" does not always make sense for a
service - what happens if no user is logged on...

If you need to access the registry from the service, consider using
HKEY_LOCAL_MACHINE instead.

regards
roy fine
 
> It is not a good practice to access HKEY_CURRENT_USER from a service - what
> happens if that user no longer has a local profile on the machine.
> Additionally, the term "current user" does not always make sense for a
> service - what happens if no user is logged on...
>
> If you need to access the registry from the service, consider using
> HKEY_LOCAL_MACHINE instead.

Didn't think of that, I will look at it.
Thanks
 
Unless you have a very specific requirement, use HKEY_LOCAL_MACHINE instead.

One of the ideas behind running a process under the SYSTEM account is that
it cannot do these types of things.
 
> Unless you have a very specific requirement, use HKEY_LOCAL_MACHINE instead.
>
> One of the ideas behind running a process under the SYSTEM account is that
> it cannot do these types of things.

I agree, but my problem goes all the way back to installation.
The users cannot install the service (they cannot install anything in
fact), only the administrator can, so what I wanted to do was to run the
install as an administrator and ensure that the service gets started as
current user.
Maybe if I use HKEY_LOCAL_MACHINE it will solve the problem to a certain
level.

That should apply to future users.
Maybe my problem is more to do with installations rather than services
themselves.

For example when I installed MS Word it was installed for all users (new
and old).

Sims
 
A service can spawn a process with the currently logged-on user's credentials
(if that's what you want), without needing to know those credentials.

To start a _service_ with a user's credentials, the user also should have the
"Logon as service" privilege, which you may not want to allow.
 
Alexander Grigoriev said:
> A service can spawn a process with the currently logged-on user's credentials
> (if that's what you want), without needing to know those credentials.

How would you do that then?

> To start a _service_ with a user's credentials, the user also should have the
> "Logon as service" privilege, which you may not want to allow.

Indeed.

Ideally the service would spawn a process with the currently logged in user.

Thanks
Sims
 
You need to get a token for the currently logged-on user. Then call
CreateProcessAsUser.
To get a token you may need to open the current window station in the
current terminal session, and quite a few more steps. I don't remember all
of that.
 
Sims said:
> I agree, but my problem goes all the way back to installation.
> The users cannot install the service (they cannot install anything in
> fact), only the administrator can, so what I wanted to do was to run the
> install as an administrator and ensure that the service gets started as
> current user.

OK. But this is a separate problem - why not use MSI? It has built-in
support for that kind of thing. That's how you can install Office on a box
without requiring the user to be an admin.
 