7

I have a windows service "Service1" configured to log on as "Local Service".

I built a console application to start it programmatically.

        var service = new ServiceController("Service1");
        service.Start();

I know that if I run the ConsoleApplication1 from an administrator command prompt it starts smoothly.

And if I run it without elevation I get an:

System error 5 has occurred.

Access is denied.

But, I need to start it without elevation.

Is it possible, or I have to change the way to achieve this?

Community
  • 1
  • 1
Be.St.
  • 4,101
  • 3
  • 25
  • 35
  • Sorry, but maybe I wasn't clear. It's exactly a programming issue. I'm trying to start a service from a C# WPF application, but I need to do it without elevation. – Be.St. Mar 22 '13 at 16:30
  • I've also found a solution, if you reopen the question I can share it. – Be.St. Mar 22 '13 at 16:41

5 Answers5

11

You can set the ACL for the service itself to allow this. The SetACL.exe utility makes this (somewhat) straightforward; e.g.:

SetACL.exe -on "MyService" -ot srv -actn ace -ace "n:S-1-5-32-545;p:start_stop"

This allows members of the Users group (S-1-5-32-545) to start and stop MyService.

Bill_Stewart
  • 22,916
  • 4
  • 51
  • 62
  • Whoops! Didn't work for me. In an elevated prompt the command ran OK. Service "MySQL". I chose the "Administrators" group. Tried (in a non-elevated prompt): fail: "StartService: OpenService FAILED 5: Access is denied". Reboot. Try again: same fail. – mike rodent Mar 14 '16 at 21:07
  • If you use `S-1-5-32-545`, this means Administrators and you must run elevated. – Bill_Stewart Mar 14 '16 at 21:52
  • Thanks... elevated again: this time I got the following fail: "Processing ACL of: / SetACL finished with error(s): / SetACL error message: The call to SetNamedSecurityInfo() failed / Operating system error message: Access is denied" – mike rodent Mar 14 '16 at 21:58
  • Sorry; don't know what's happening on your system. It works fine for me. – Bill_Stewart Mar 14 '16 at 22:30
5

I followed torak link and I understand this key difference concerning rights in a service:

  • a service has rights concerning the "Run as" user
  • a service has different permission to control the service (i.e. to start/stop it)

So, to start the service I need to modify the service control permission.

Well, I have done a windows service called Service1 and I made an installer with WIX. During setup I call ServiceInstall

      <ServiceInstall Id="ServiceInstaller" Type="ownProcess" Vital="yes"
       Name="Service1" DisplayName="Service1"
       Description="Service1 description"Start="demand"
       Account="NT AUTHORITY\LocalService"
       ErrorControl="ignore" Interactive="no" >
      </ServiceInstall>

Then I have a client program called TestProgram where I try to start the service:

var service = new ServiceController("Service1");
service.Start();

And obviously it doesn't start the service without elevation of TestProgram (that runs under a normal user account).

So the solution is to instruct WIX to allow members of the user group (for example) to start/stop the service, using the PermissionEx tag:

<util:PermissionEx User="Users" ServiceStart="yes" ServiceStop="yes">
</util:PermissionEx>

Hope this helps. Thank you all.

Be.St.
  • 4,101
  • 3
  • 25
  • 35
  • Great answer. Some additions: 1. Put `` tag inside `` (WiX documentation doesn't list it as a valid parent, it's a bug in the WiX documentation). 2. Don't forget to add *util* namespace declaration into `Wix` tag (at the very top of WiX file): `xmlns:util="http://schemas.microsoft.com/wix/UtilExtension"`. – Mike Keskinov Jul 28 '22 at 19:53
4

If i can add my 2 cents, here is my solution that wont require any complex App.Manifest or Windows Service modification.

The concept is simply to call "Net Start" through a process that is elevated :

public string StartServiceViaProcess(string param_strServiceName)
    {
        try
        {
            const int ERROR_CANCELLED = 1223; //The operation was canceled by the user.

            Process process = new Process();
            ProcessStartInfo startInfo = new ProcessStartInfo();
            startInfo.WindowStyle = ProcessWindowStyle.Hidden;
            startInfo.FileName = "cmd.exe";
            startInfo.Verb = "runas";
            startInfo.UseShellExecute = true;
            startInfo.Arguments = "/C net start " + param_strServiceName;
            process.StartInfo = startInfo;
            try
            {
                Process.Start(startInfo);
            }
            catch (Win32Exception ex)
            {
                if (ex.NativeErrorCode == ERROR_CANCELLED)
                    return "L'usager a annulé la demande d'exécution avec privilège.";
                else
                    throw;
            }
        }
        catch (Exception ex)
        {
            return ex.SI_ConvertToString();
        }
        return "";
    }
Simon
  • 2,266
  • 1
  • 22
  • 24
0

I don't think you can do it - It is my understanding that this is due to security reasons. Allowing malware to automatically elevate itself would be problematic.

Mike Baxter
  • 6,868
  • 17
  • 67
  • 115
0

This is the link that I followed and solved my issue.

How to Grant non-Administrators Rights to Manage Services

By default, common users with no system administrator privileges cannot manage Windows services. It means that they cannot stop, start or change the settings or permissions for such services. In some cases, it is necessary that a user had the permissions to restart or manage certain services. In this article, we’ll consider some ways to manage permissions for Windows services. In particular, we’ll show how to grant a standard user without administrative rights the permissions to start and stop a specific service...

There is no simple and convenient integrated tool to manage services permissions in Windows. We’ll consider some ways to grant a user permissions to manage service...

Demir
  • 1,787
  • 1
  • 29
  • 42