I have a Windows Service that runs, and currently, it runs under whatever account installed the service onto the computer.
Is there some way, using code, that I can switch the active user that the service runs as, dynamically, without any user interaction or GUI? I'm a little inexperienced when it comes to services, so I'm not sure if this is possible. Any info on the topic would be appreciated. (VB and C# code is okay)
Assuming you included a class that inherits from Installer as part of your service code to handle the service installation, you can change the Account for the Service Process Installer component to specify LocalService, NetworkService, LocalSystem or User. However, if you specify User then you will need to encode the username and password in the code. If you set it to User and don't provide these values then when InstallUtil.exe is run to install the service it will prompt for the Username and Password.
I have a Windows service created with C#, but this service works well only when I start it manually.
If I set it to start automatically, the service does not work correctly.
If I log in with my account, the service does not work.
I have an installer in my project.
What can I do?
I have an MFC app and WPF app that when run in LocalSystem user can't process any IMEs (Input Method Editors). But the same application when launched in user mode was able to receive IME inputs from keystrokes and from IMEPad.
In the LocalSystem user process, when keyboard focus is in the control (both WPF and MFC) the IME icon becomes "X" like the following image:
I can't launch in the user mode by default as I have to perform higher privileged operations with my app. I am not able to find any explicit thread in Microsoft forums or elsewhere that talks about my issue.
Have you faced this issue? This seems like a restriction in Windows rather than an issue; do you know how to work around it? Any valuable input regarding this is appreciated.
Edit:
The LocalSystem account is not associated with any user. As mentioned on MSDN:
The account is not associated with any logged-on user account.
This could be the reason why Windows can't enable the IME for the System user: it does not know the language set for the current user. Is there any way to force/bypass this so it considers the logged-on user's locale?
The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService or ChangeServiceConfig function, any password information you provide is ignored.
A service that runs in the context of the LocalSystem account inherits the security context of the SCM. The user SID is created from the SECURITY_LOCAL_SYSTEM_RID value. The account is not associated with any logged-on user account. This has several implications:
The registry key HKEY_CURRENT_USER is associated with the default user, not the current user.
To access another user's profile, impersonate the user, then access HKEY_CURRENT_USER.
The service can open the registry key HKEY_LOCAL_MACHINE\SECURITY.
The service presents the computer's credentials to remote servers. If the service opens a command window and runs a batch file, the user could hit CTRL+C to terminate the batch file and gain access to a command window with LocalSystem permissions.
So if you need to run the app as the LocalSystem account and you are not happy with the default user settings, you can do 2 things:
Impersonate another user; this is a common tactic (Impersonate user in Windows Service)
Set language preferences (or whatever you need) for the default user. Here is an example for Win10 for a language issue (https://www.microcloud.nl/windows-virtual-desktop-dutch-language-pack/#more-1311).
Demystifying the error - If you are using VS, you can try enabling more logging, https://learn.microsoft.com/en-us/visualstudio/ide/reference/devenv-command-line-switches?view=vs-2022, and figure out what the tool is not able to get from the default user. You can also attach the VS debugger to the running process; see the MSDN article (https://learn.microsoft.com/en-us/visualstudio/debugger/attach-to-running-processes-with-the-visual-studio-debugger?view=vs-2022)
We have a machine that basically runs as a local system in kiosk mode by auto-logging in as a local machine user.
The user needs to launch a program that runs in a domain account. What we've done in the past is to encrypt the domain, user and password details in a file. Then decrypt them to launch the program (C# Process.Start). This program needs a domain account to use Windows authentication for accessing a SQLServer database.
However, this is a security hole: the decryption password is inside the launcher program, so someone could inspect the code and get access to a domain account.
Also, we cannot require the users to type in the account details, the users don't know these details, it's a one user for all type of account.
One thought is maybe there's a way to store an access token that I could use to launch the domain program. At least in that scenario the access token wouldn't have the clear text of the password. I looked at Windows Credential Manager but that seems mainly to be used for web sites and wants to store details as text.
Another option I'm investigating is a Windows service. The service would run in a third account and would hold the "secrets". However, I'm not sure how I would launch a process for the kiosk user and have it work properly with the user desktop / UI.
I am developing a Windows Application which will be installed as Windows Service.
This installation requires an administrator user and its password.
Is there any way to recover the user and the password used to start this service in C# programmatically?
The simplest supported solution would be to store another copy of the password somewhere, perhaps using CryptProtectData and CryptUnprotectData.
You might be able to retrieve the password used by the service manager using LsaRetrievePrivateData. Apparently the name of the secret is the service name (note: the internal service name specified by lpServiceName in CreateService, not the service display name). It isn't clear what security context you need to be in to do this. Even if it works, this is not a supported technique.
Or you could install a credential manager to capture the password when the service starts. IIRC, this installation requires a reboot.
I was wondering what privileges I needed to let a user start a service on our server.
The situation is as follows: some people on our website can start a certain service on the server (Windows 2008 and IIS7). The way that worked so far with me was specifying the application pool I created with my user account (the impersonate method from MSDN doesn't work for some reason). Now, however, I want to change that user account to a user account who only has the privileges to start and stop a service (and everything that is needed to get him to do that).
The website is written in ASP.NET and C#. I use the ServiceController to start and stop my services.
Which privileges should I assign to that user?
EDIT: I just want to clear some things up here. I managed to get this thing working through the Application pool (although it doesn't work through debugger). But it only works with a user that is part of the Administrators group which isn't what I want. I want to specify a special user that will only be able to start and stop the service through the website. So what privileges do I need? Please be specific.
EDIT 2: I found out why my service wouldn't start in the debugger. I didn't run Visual Studio with administrator rights. I feel so stupid right now... Anyway, the question still stands as I still need my special user with the correct permissions.
Any comment will be appreciated!
Kind regards,
Floris Devriendt
You have to set identity impersonate to true in your web.config, and if you are using Windows authentication then you need to set that up in IIS. If you are using a WCF service in between, you may have to look at impersonation in WCF.
(Terminology gripe) - you shouldn't be looking at privileges, since those apply across a machine as a whole. You should be looking at permissions.
There's an answer here about allowing remote users to start and stop a service. You may need to run the same steps to allow the account your website is under the specific permissions, that is:
Copy the IA users permissions on the scmanager, to allow a non-interactive user to access the service controller, and
Add appropriate permissions for your user against the specific service.
Both of these actions use the sc command line tool. Hopefully, you can crib enough together for your specific circumstances. Something like:
sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-3-3127463467463)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
where S-1-5-3-3127463467463 is the SID for the website account, and:
sc sdset Alerter D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRCWPRP;;;S-1-5-3-3127463467463)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
where Alerter is the name of the specific service, and S-1-5-3-3127463467463 is again the SID for the website account.
(Not sure whether to break up these commands to make them more readable on SO - they need to have no line-breaks when running in the command line)
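An added example (not code from the answer above, and not a Microsoft tool) that decodes sc sdset-style SDDL strings such as the two above into named rights per trustee, for a service object or for scmanager, so the descriptor can be checked for least privilege before it is applied. The START_STOP_MINIMUM set is my own assumption of what a start/stop-only account needs; the two-letter code and bit mappings are the documented SDDL, service and SCM access values.

```python
import re

SDDL_RIGHTS = {  # SDDL two-letter access codes -> access-mask bits (generic, standard, specific)
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "KA": 0xF003F, "FA": 0x1F01FF,
}
# Meaning of the object-specific bits for the two object kinds the answer sets.
SPECIFIC = {
    "service": {0x1: "QUERY_CONFIG", 0x2: "CHANGE_CONFIG", 0x4: "QUERY_STATUS", 0x8: "ENUMERATE_DEPENDENTS",
                0x10: "START", 0x20: "STOP", 0x40: "PAUSE_CONTINUE", 0x80: "INTERROGATE", 0x100: "USER_DEFINED_CONTROL"},
    "scmanager": {0x1: "CONNECT", 0x2: "CREATE_SERVICE", 0x4: "ENUMERATE_SERVICE",
                  0x8: "LOCK", 0x10: "QUERY_LOCK_STATUS", 0x20: "MODIFY_BOOT_CONFIG"},
}
STANDARD = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
WELL_KNOWN = {"AU": "Authenticated Users", "IU": "Interactive", "SU": "Service", "SY": "SYSTEM",
              "BA": "Administrators", "PU": "Power Users", "WD": "Everyone"}
# Assumed minimum for an account that only starts/stops one service and reads its state.
START_STOP_MINIMUM = {"QUERY_CONFIG", "QUERY_STATUS", "ENUMERATE_DEPENDENTS",
                      "INTERROGATE", "START", "STOP", "READ_CONTROL"}

def rights_mask(field):
    """Convert an SDDL rights field (two-letter codes or 0x hex) to an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= SDDL_RIGHTS[field[i:i + 2]]
    return mask

def decode_dacl(sddl, kind="service"):
    """Map each trustee to its right names (allow ACEs minus deny ACEs; ordering and group expansion not modelled)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("descriptor has no DACL")
    allowed, denied = {}, {}
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, _flags, rights, _obj, _inherit, sid = ace.split(";")
        mask = rights_mask(rights)
        if mask & 0x10000000:  # GENERIC_ALL: expand to every bit the object defines
            mask |= 0xF0000 | sum(SPECIFIC[kind])
        names = {n for bit, n in {**SPECIFIC[kind], **STANDARD}.items() if mask & bit}
        bucket = {"A": allowed, "D": denied}.get(ace_type)
        if bucket is not None:
            bucket.setdefault(WELL_KNOWN.get(sid, sid), set()).update(names)
    return {t: r - denied.get(t, set()) for t, r in allowed.items()}

def excess_rights(sddl, trustee, kind="service"):
    """Rights the trustee holds beyond START_STOP_MINIMUM; an empty list means least privilege."""
    return sorted(decode_dacl(sddl, kind).get(trustee, set()) - START_STOP_MINIMUM)
```

Run against the Alerter string above, the website SID comes back with START and STOP plus USER_DEFINED_CONTROL as the only extra, while Authenticated Users gets neither START nor STOP.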
You have to give the right for starting your service to the user that you are using for the application pool.
Click Start, point to Settings, click Control Panel, and then double-click Administrative Tools.
Double-click Services.
On the Log On tab, click Local System Account, and then click Apply.
On the General tab, click Start to restart the service.
Quit the Services tool.