Thursday, October 01, 2009

Windows - Fooling around with Services

Creating A Service.
DON'Ts
  1. Once a service has been installed, do not change the path of the executable (*.exe, *.dll, etc.) that the service is running. This is because the path of the executable is "hardcoded" in the registry, e.g. C:\Folder\ServiceApp.exe. To view it, open the Registry Editor (Run > regedit) and look at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[ServiceName]\ImagePath

Running A Service.
A service can be started under a different user account (either on the local machine or on the domain).
This setting can be modified at:
  1. Control Panel > Administrative Tools > [Services | Component Services > Services]
  2. Right click on the service name.
  3. Log On tab.
If a service is running but errors are thrown in the ServiceMain function loop, try troubleshooting the following:
  1. The user may have access rights only to the particular service and not rights to make modifications to the Service Control Manager. Ensure that the service to be run does not try to modify system-related settings or values. E.g. OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS) is not allowed. Try using the SC_MANAGER_CONNECT flag.

Setting Service Permission.
A normal user account is given limited permission to manipulate a service. Starting the service with Tools under normal user privileges will cause an “Error 5: Access is denied.” message. Try the troubleshooting steps below one at a time:
  1. The service program (*.exe) is in a protected folder. If the service is started by a user who is not registered as a local machine user account, then the user may not have access to the folder to execute the service.
  2. The user does not have rights to execute any service-related actions. Please refer to the SubInACL usage below.
     E.g. To check if the service exists using the command line: subinacl.exe /service monkeylogging
     If it does, the result will display the service details and Permission ACS (PACE).
     E.g. To change the service permission using the command line: subinacl.exe /service \\[ComputerName]\[ServiceName] /grant=[domain]\[username]=F
     The service PACE should now show the new permission “/pace =[domain]\[username] ...”.
     Reference: Setting Service permissions with subinacl.exe.
     SubInACL (SubInACL.exe) is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain. It is part of the Windows Resource Kits and by default will be installed in C:\Program Files\Windows Resource Kits\Tools. For command line arguments, refer to C:\Program Files\Windows Resource Kits\Tools\subinacl.htm.
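
After a grant such as the "=F" (Full Control) one above, it is worth checking which accounts can now reconfigure the service, since SERVICE_CHANGE_CONFIG allows rewriting the ImagePath value described earlier. The PowerShell below is an added example, not part of the original post: Get-RiskyServiceAce, the list of expected SIDs and the sample SDDL (including the user SID) are constructed for illustration.

```powershell
# Added example: list service DACL entries that let a principal reconfigure the service.
# Service access rights from winsvc.h plus the standard rights that matter here.
$DangerousRights = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x0002    # can rewrite ImagePath or the logon account
    WRITE_DAC             = 0x40000   # can rewrite the service DACL
    WRITE_OWNER           = 0x80000   # can take ownership of the service
}
# Assumption: only SYSTEM and built-in Administrators are expected to hold these rights.
$ExpectedSids = 'S-1-5-18', 'S-1-5-32-544'

function Get-RiskyServiceAce {
    param([Parameter(Mandatory)][string]$Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow ACEs grant rights; skip deny and other entry types.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($ExpectedSids -contains $sid) { continue }

        # Names of the dangerous rights present in this ACE's access mask.
        $held = @($DangerousRights.Keys | Where-Object { $ace.AccessMask -band $DangerousRights[$_] })
        if ($held.Count -gt 0) {
            [pscustomobject]@{
                Sid        = $sid
                AccessMask = '0x{0:X}' -f $ace.AccessMask
                Rights     = $held -join ', '
            }
        }
    }
}

# Constructed sample: a default-style service DACL plus one ACE that gives a
# made-up user SID full control, as a "/grant=...=F" would.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)' +
          '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1001)'
Get-RiskyServiceAce -Sddl $sample | Format-Table -AutoSize

# Live service: sc.exe prints the SDDL of the named service.
# Get-RiskyServiceAce -Sddl ((sc.exe sdshow monkeylogging) -join '').Trim()
```

If the account only needs to start and stop the service, granting just those rights instead of F keeps it out of this report.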
