From: David F. on
Hello,

Not sure of any other group to ask in ..

I've been getting various reports of normal users (under Win7) not being
able to start one of our services - access denied. However with elevated
command prompt users can net start it. Here is the code that installs the
service. Is there a difference in win7? Are some users not part of the
"users" group?

#include <windows.h>
#include <aclapi.h>   // BuildExplicitAccessWithName, SetEntriesInAcl
#include <tchar.h>    // _T

BOOL AddDriverToReg(void)
{
  BOOL result=FALSE;

  DebugPrint((DEBUGinfo, 0, "Adding driver as service"));

  // use the CreateService API to add the service
  SC_HANDLE hscmanager;
  if ((hscmanager=OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS))!=NULL) {
    SC_HANDLE hservice;
    if ((hservice=CreateService(hscmanager, // handle to scm database
          gDriverName,            // name of service
          gDriverName,            // display name
          SERVICE_ALL_ACCESS,     // desired access
          SERVICE_KERNEL_DRIVER,  // service type
          SERVICE_DEMAND_START,   // start type
          SERVICE_ERROR_NORMAL,   // error control type
          gServicePath,           // path to service binary (required or CreateService error 57h)
          NULL,                   // load order
          NULL,                   // tag
          NULL,                   // dependencies
          NULL,                   // account (localsystem)
          NULL))!=NULL) {         // password (none)
      // change permissions to allow normal users to start/stop the service
      BYTE sdbuf[1024];
      PSECURITY_DESCRIPTOR psd=(PSECURITY_DESCRIPTOR) &sdbuf;
      DWORD bytes;
      if (QueryServiceObjectSecurity(hservice, DACL_SECURITY_INFORMATION, psd, sizeof(sdbuf), &bytes)) {
        // get DACL
        BOOL daclpresent, dacldefault;
        ACL *acl;
        if (GetSecurityDescriptorDacl(psd, &daclpresent, &acl, &dacldefault)) {
          // build new ACL
          EXPLICIT_ACCESS ea;
          BuildExplicitAccessWithName(&ea, _T("USERS"), SERVICE_START|SERVICE_STOP|READ_CONTROL, SET_ACCESS, NO_INHERITANCE);
          // setup new acl
          ACL *pnewacl=NULL;
          if (SetEntriesInAcl(1, &ea, acl, &pnewacl)==ERROR_SUCCESS) {
            // initialize new security descriptor
            if (InitializeSecurityDescriptor(psd, SECURITY_DESCRIPTOR_REVISION)) {
              // setup the new dacl in descriptor
              if (SetSecurityDescriptorDacl(psd, TRUE, pnewacl, FALSE)) {
                // set the new dacl for the service object
                if (!SetServiceObjectSecurity(hservice, DACL_SECURITY_INFORMATION, psd)) {
                  DebugPrint((DEBUGwarn, 0, "Unable to SetServiceObjectSecurity (%Xh)", GetLastError()));
                }
              }
              else {
                DebugPrint((DEBUGwarn, 0, "Unable to SetSecurityDescriptorDacl (%Xh)", GetLastError()));
              }
            }
            else {
              DebugPrint((DEBUGwarn, 0, "Unable to InitializeSecurityDescriptor (%Xh)", GetLastError()));
            }
            // clean up
            LocalFree((HLOCAL)pnewacl);
          }
          else {
            DebugPrint((DEBUGwarn, 0, "Unable to SetEntriesInAcl (%Xh)", GetLastError()));
          }
        }
        else {
          DebugPrint((DEBUGwarn, 0, "Unable to GetSecurityDescriptorDacl (%Xh)", GetLastError()));
        }
      }
      else {
        DebugPrint((DEBUGwarn, 0, "Unable to query service object security (%Xh)", GetLastError()));
      }
      // close handle
      CloseServiceHandle(hservice);
      result=TRUE;
    }
    else {
      if (GetLastError()==ERROR_SERVICE_EXISTS) {
        result=TRUE;
        DebugPrint((DEBUGinfo, 0, "Service Already Exists"));
      }
      // error creating service
      else {
        DebugPrint((DEBUGinfo, 0, "CreateService failed (%Xh)", GetLastError()));
      }
    }
    // close service manager
    CloseServiceHandle(hscmanager);
  }
  else {
    // problem accessing service manager
    DebugPrint((DEBUGinfo, 0, "Unable to open service control manager (%Xh)", GetLastError()));
  }

  return(result);
}


From: David F. on
if nobody else knows/sees anything, i just bumped up the buffer from 1024 to
(static - doesn't need to be thread safe) 8192 since the docs say that is
the max size in case that was the issue some have.

"David F." <df2705(a)community.nospam> wrote in message
news:43AA7280-A5E6-44CD-BB3A-7C5A9BE68612(a)microsoft.com...
> Hello,
>
<snip> // change permissions to allow normal users to start/stop the service
> BYTE sdbuf[1024];
<snip>

From: nick on
Do you mean that it works when you bumped up the buffer from 1024 to
(static - doesn't need to be thread safe) 8192 ?


"David F." <df2705(a)community.nospam> wrote in message
news:33235AF4-E6AA-43B8-A326-CF187ACF8819(a)microsoft.com...
> if nobody else knows/sees anything, i just bumped up the buffer from 1024
> to (static - doesn't need to be thread safe) 8192 since the docs say that
> is the max size in case that was the issue some have.
>
> "David F." <df2705(a)community.nospam> wrote in message
> news:43AA7280-A5E6-44CD-BB3A-7C5A9BE68612(a)microsoft.com...
>> Hello,
>>
> <snip> // change permissions to allow normal users to start/stop the service
>> BYTE sdbuf[1024];
> <snip>

From: David F. on

don't know - i never have a problem here.

"nick" <nick.guz(a)nospam.com> wrote in message
news:uZLIkLhuKHA.800(a)TK2MSFTNGP04.phx.gbl...
> Do you mean that it works when you bumped up the buffer from 1024 to
> (static - doesn't need to be thread safe) 8192 ?
>
>
> "David F." <df2705(a)community.nospam> wrote in message
> news:33235AF4-E6AA-43B8-A326-CF187ACF8819(a)microsoft.com...
>> if nobody else knows/sees anything, i just bumped up the buffer from 1024
>> to (static - doesn't need to be thread safe) 8192 since the docs say that
>> is the max size in case that was the issue some have.
>>
>> "David F." <df2705(a)community.nospam> wrote in message
>> news:43AA7280-A5E6-44CD-BB3A-7C5A9BE68612(a)microsoft.com...
>>> Hello,
>>>
>> <snip> // change permissions to allow normal users to start/stop the service
>>> BYTE sdbuf[1024];
>> <snip>
>

From: "Jialiang Ge [MSFT]" on
Hello David

Could you please ask your customer to dump the security descriptor of the
service by using the Sysinternals tool AccessChk?
http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx

For example, I dump the security attributes of a built-in Windows service
(Fax) that allows everyone to start the service.

C:\Windows\system32>accesschk -C -v Fax

Accesschk v4.23 - Reports effective permissions for securable objects
Copyright (C) 2006-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

Fax
  Medium Mandatory Level (Default) [No-Write-Up]
  R Everyone
        SERVICE_QUERY_STATUS
        SERVICE_START
  R NT SERVICE\Fax
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_PAUSE_CONTINUE
        SERVICE_START
        SERVICE_STOP
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  RW BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  R NT AUTHORITY\Authenticated Users
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL

The output shows that everyone can start the service:

  R Everyone
        SERVICE_QUERY_STATUS
        SERVICE_START

This can help us identify whether the security was set rightly.


Regards,
Jialiang Ge
Microsoft Online Community Support

=================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================
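
Added example, not part of the original thread: a small Python triage script for `accesschk -C -v <service>` dumps collected from affected machines, reporting which of the rights the installer is meant to grant (SERVICE_START, SERVICE_STOP) no standard-user group actually holds. The function names, the English group names in STANDARD_USER_GROUPS and the two samples marked constructed are assumptions of this example; it looks only at the rights listed per trustee.

```python
import re

TRUSTEE = re.compile(r"^(RW|R|W)\s+(\S.*)$")   # e.g. "RW BUILTIN\Administrators"
RIGHT = re.compile(r"^[A-Z][A-Z_]+$")          # e.g. "SERVICE_START"
# Assumption: English names of groups in a standard interactive user's token.
STANDARD_USER_GROUPS = {"everyone", "builtin\\users", "nt authority\\interactive",
                        "nt authority\\authenticated users"}

def parse_accesschk(text):
    """Map each trustee to its set of rights, from `accesschk -C -v <service>` output."""
    acl, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = TRUSTEE.match(line)
        if m:
            current = acl.setdefault(m.group(2), set())
        elif current is not None and RIGHT.match(line):
            current.add(line)
    return acl

def missing_for_standard_user(acl, needed=("SERVICE_START", "SERVICE_STOP")):
    """Rights in `needed` that no standard-user group is granted."""
    held = set().union(*(r for t, r in acl.items() if t.lower() in STANDARD_USER_GROUPS))
    if "SERVICE_ALL_ACCESS" in held:
        return []
    return [r for r in needed if r not in held]

# Trimmed from the Fax listing in the post above.
FAX = """Fax
  R  Everyone
        SERVICE_QUERY_STATUS
        SERVICE_START
  RW BUILTIN\\Administrators
        SERVICE_ALL_ACCESS
"""
# Constructed sample: driver service whose BUILTIN\Users entry was never written.
NO_GRANT = """ExampleDrv
  RW BUILTIN\\Administrators
        SERVICE_ALL_ACCESS
  R  NT AUTHORITY\\Authenticated Users
        SERVICE_QUERY_STATUS
        READ_CONTROL
"""
# Constructed sample: the same service with the entry the installer should add.
GRANTED = NO_GRANT + "  R  BUILTIN\\Users\n    SERVICE_START\n    SERVICE_STOP\n"

if __name__ == "__main__":
    for name, text in (("Fax", FAX), ("no grant", NO_GRANT), ("granted", GRANTED)):
        print(name, "->", missing_for_standard_user(parse_accesschk(text)) or "OK")
```

A dump that reports SERVICE_START as missing means the entry for the users group never reached the service's DACL on that machine, so the installer's debug output from the ACL calls is the next thing to collect.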