0

I am working on a Windows service application that currently runs with administrator privileges. For that I need to set the administrator info in the service Log On settings. This Windows service creates child processes with local user privileges. This is working fine.

Now I want to change the Windows service application to run with "Local System" privileges instead of administrator. But if I change the Log On setting to "Local System", the child processes do not start and an "access denied" exception is thrown.

I think that the "Local System" account has all permissions to do anything. It is even stronger than the administrator account. Then why can it not start child processes?

Please guide me if my perception is wrong.

Vimesh Shah

1 Answer

0

Local System certainly DOES NOT have "all permission to do anything". That would mean that if someone managed to get INTO that process, they could really run amok on the system.

Group Policy Editor will show you EXACTLY who can do what so you don't need to guess your way through.

  1. Open GPEDIT.MSC
  2. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
  3. On the right-hand side, look for "Obtain an impersonation token for another user in the same session".


I am not 100% sure that this is the setting you need (I haven't tried it) but I THINK it is. Even if it isn't, browse around this section of group policy to see who can do what. Clearly the setting you want won't have "Local System" on the list ;)

I hope this helps. :) GOOD LUCK!

Señor CMasMas
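
The User Rights Assignment list from the steps in the answer can also be read from the command line. This is an added example, not part of the original answer; it assumes an elevated PowerShell session, and the set of rights it lists (the one named in step 3 plus three token-related rights) is an assumption about what is worth reviewing, not a confirmed cause of the "access denied" error.

```powershell
# Added example: export User Rights Assignment and show who holds selected rights.
# Assumption: run from an elevated prompt (secedit needs administrator rights).
$rights = @(
    'SeDelegateSessionUserImpersonatePrivilege', # Obtain an impersonation token for another user in the same session
    'SeImpersonatePrivilege',                    # Impersonate a client after authentication
    'SeAssignPrimaryTokenPrivilege',             # Replace a process level token
    'SeIncreaseQuotaPrivilege'                   # Adjust memory quotas for a process
)

# Temporary file for the exported policy; removed in the finally block.
$cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
try {
    secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

    foreach ($right in $rights) {
        # Each assigned right appears as: SeXxxPrivilege = *S-1-5-19,*S-1-5-20,...
        $line = Select-String -Path $cfg -Pattern "^$right\s*=" | Select-Object -First 1
        if (-not $line) {
            [pscustomobject]@{ Right = $right; Holder = '(not assigned)' }
            continue
        }
        $holders = ($line.Line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($h in $holders) {
            $name = $h
            if ($h.StartsWith('*')) {
                # Entries prefixed with '*' are SIDs; translate them to account names.
                try {
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier($h.TrimStart('*'))
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $name = $h   # keep the raw SID if it cannot be resolved
                }
            }
            [pscustomobject]@{ Right = $right; Holder = $name }
        }
    }
} finally {
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
}
```

The output is one row per right and holder, which can be compared against the account the service is configured to log on as.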