469,580 Members | 1,923 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,580 developers. It's quick & easy.

Service running as [user] rather than [system]

Hi,

I have a service that need to access the current user registry from time to
time.
But a service only works as a SYSTEM and not as the current user.

How can i change that? Or at the very least get the service to launch an
application as the current user and not the SYSTEM

Many thanks

Sims
Jul 21 '05 #1
15 1766
You can always start a service as a particular user. Just goto services,
select your service and take the properties, there you can see a LogOn tab,
and choose Log on as "This account" option, and give the user name, passwd.

"Sims" <si*********@hotmail.com> wrote in message
news:u0**************@tk2msftngp13.phx.gbl...
Hi,

I have a service that need to access the current user registry from time to time.
But a service only works as a SYSTEM and not as the current user.

How can i change that? Or at the very least get the service to launch an
application as the current user and not the SYSTEM

Many thanks

Sims

Jul 21 '05 #2
You can always start a service as a particular user. Just goto services,
select your service and take the properties, there you can see a LogOn tab, and choose Log on as "This account" option, and give the user name, passwd.


Thanks,

But how can i do that programmatically?
When i install the service i don't see an option to install it as 'This
account' rather.
I can do it manually but i want the install procedure to do it itself.

Sims
Jul 21 '05 #3
On Sat, 7 Feb 2004 09:49:32 UTC, "Sims" <si*********@hotmail.com> wrote:
You can always start a service as a particular user. Just goto services,
select your service and take the properties, there you can see a LogOn

tab,
and choose Log on as "This account" option, and give the user name,

passwd.


Thanks,

But how can i do that programmatically?
When i install the service i don't see an option to install it as 'This
account' rather.
I can do it manually but i want the install procedure to do it itself.

Sims

Sims,

Recheck the CreateService call. There are two fields that are pointers
to the Account UserID and Password to run under. If these fields are
passed in as NULL, the SYSTEM Account is used. That is how you can
set up for a specific user. You can also change this later if need be.

An alternate method is to change the SID to get access of a specific
user. I've not figured all that out yet so I can't point you to a
source. That would be used when your service needs to work under
several different accounts at the same time.

Good luck,

David

Jul 21 '05 #4
>
Recheck the CreateService call. There are two fields that are pointers
to the Account UserID and Password to run under. If these fields are
passed in as NULL, the SYSTEM Account is used. That is how you can
set up for a specific user. You can also change this later if need be.

An alternate method is to change the SID to get access of a specific
user. I've not figured all that out yet so I can't point you to a
source. That would be used when your service needs to work under
several different accounts at the same time.


Hi,

Thanks David and Tom for the replies.
The problem is that the user runs the install program. During the install i
instruct the service to be installed but i do not know the user password and
user name.
If i could retrieve it during install then it would be great, but i cannot.

Even if i had a 'runonce' option to install the service per user i still
would not be able to get the user name and password.
My install program cannot retrieve the user name and password.

Sims.
Jul 21 '05 #5
I have a service that need to access the current user registry from time to time.
But a service only works as a SYSTEM and not as the current user.

How can i change that? Or at the very least get the service to launch an
application as the current user and not the SYSTEM

Many thanks

Sims


Hi again,

Further to my posts...
Is there anyway that the [system] service could launch an application as the
current user?

Sims
Jul 21 '05 #6
Tim
Sims,

Just do what many other installs do: prompt the user appropriately for the
username and password for the user under which it is to run the service. If
you are running XP or later you can use the CredUIPromptForCredentials API
to validate the information give (invisibly of course - check the dwFlags).
Either that or you can go ahead and create the service and try starting it
check the return code...

SQL Server install does this as do many others. There is no way I know of to
bypass such a mechanism - even windows itself can do this during its own
install.

When the username / password is stored by CreateService, it is stored using
a "LSA Secret". This is information stored in a particular place in the
registry using reversable encryption and keys the system know but in this
case you don't - it is "safe".

- Tim


"Sims" <si*********@hotmail.com> wrote in message
news:#h**************@tk2msftngp13.phx.gbl...
I have a service that need to access the current user registry from time to
time.
But a service only works as a SYSTEM and not as the current user.

How can i change that? Or at the very least get the service to launch an
application as the current user and not the SYSTEM

Many thanks

Sims


Hi again,

Further to my posts...
Is there anyway that the [system] service could launch an application as

the current user?

Sims

Jul 21 '05 #7

"Sims" <si*********@hotmail.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
Further to my posts...
Is there anyway that the [system] service could launch an application as
the
current user?

Sims

There is no need to do so, just create a new logon session by calling
Win32's API "LogonUser" and use the token obtained to impersonate.

Search the KB, it contains articles an samples on how to call LogonUser from
..NET.

Willy.


Jul 21 '05 #8
Sims,

It is not a good practice to access HKEY_CURRENT_USER from a service - what
happens if that user no longer has a local profile on the machine.
Additionally, the term "current user" does not always make sense for a
service - what happens if no user is logged on...

If you need to access the registry from the service, consider using
HKEY_LOCAL_MACHINE instead.

regards
roy fine

"Sims" <si*********@hotmail.com> wrote in message
news:u0**************@tk2msftngp13.phx.gbl...
Hi,

I have a service that need to access the current user registry from time to time.
But a service only works as a SYSTEM and not as the current user.

How can i change that? Or at the very least get the service to launch an
application as the current user and not the SYSTEM

Many thanks

Sims

Jul 21 '05 #9

It is not a good practice to access HKEY_CURRENT_USER from a service - what happens if that user no longer has a local profile on the machine.
Additionally, the term "current user" does not always make sense for a
service - what happens if no user is logged on...

If you need to access the registry from the service, consider using
HKEY_LOCAL_MACHINE instead.


Didn't think of that, i will look at it.
Thanks
Jul 21 '05 #10
Unless you have a very specific requirement, use HKEY_LOCAL_MACHINE instead.

One of the ideas behind running a process under the SYSTEM account is that
it cannot do these types of things.
--
____________________
Klaus H. Probst, MVP
http://www.vbbox.com/

"Sims" <si*********@hotmail.com> wrote in message
news:u0**************@tk2msftngp13.phx.gbl...
Hi,

I have a service that need to access the current user registry from time to time.
But a service only works as a SYSTEM and not as the current user.

How can i change that? Or at the very least get the service to launch an
application as the current user and not the SYSTEM

Many thanks

Sims

Jul 21 '05 #11
Unless you have a very specific requirement, use HKEY_LOCAL_MACHINE instead.
One of the ideas behind running a process under the SYSTEM account is that
it cannot do these types of things.


I agree, but my problem goes all the way back to installation.
The users cannot install the service, (they cannot install anything in
fact), only the administrator can, so what i wanted to do was to run the
install as an administrator and ensure that the service gets started as
current user.
Maybe if i use HKEY_LOCAL_MACHINE it will solve the problem to a certain
level.

That should apply to future users.
Maybe my problem is more to do with installations rather than services
themselves.

For example when i installed MS Word it was installed for all users, (new
and old).

Sims

Jul 21 '05 #12
A service can spawn a process with a currently logged on user credentials
(if that's what you want), without need to know those credentials.

To start a _service_ with user's credentials, the user also should have
"Logon as service" privilege, which you may not want to allow.

"Sims" <si*********@hotmail.com> wrote in message
news:ey*************@tk2msftngp13.phx.gbl...
Unless you have a very specific requirement, use HKEY_LOCAL_MACHINE

instead.

One of the ideas behind running a process under the SYSTEM account is that it cannot do these types of things.


I agree, but my problem goes all the way back to installation.
The users cannot install the service, (they cannot install anything in
fact), only the administrator can, so what i wanted to do was to run the
install as an administrator and ensure that the service gets started as
current user.
Maybe if i use HKEY_LOCAL_MACHINE it will solve the problem to a certain
level.

That should apply to future users.
Maybe my problem is more to do with installations rather than services
themselves.

For example when i installed MS Word it was installed for all users, (new
and old).

Sims

Jul 21 '05 #13

"Alexander Grigoriev" <al***@earthlink.net> wrote in message
news:O5**************@TK2MSFTNGP10.phx.gbl...
A service can spawn a process with a currently logged on user credentials
(if that's what you want), without need to know those credentials.
How would you do that then?

To start a _service_ with user's credentials, the user also should have
"Logon as service" privilege, which you may not want to allow.


Indeed.

Idealy the service would sprawn a process with the currently logged in user.

Thanks
Sims
Jul 21 '05 #14
You need to get a token for a currently logged on user. Then call
CreateProcessAsUser
To get a token you may need to open the current window station in the
current terminal session, and quite a few more steps. I don't remember all
of that.

"Sims" <si*********@hotmail.com> wrote in message
news:eB**************@TK2MSFTNGP10.phx.gbl...

"Alexander Grigoriev" <al***@earthlink.net> wrote in message
news:O5**************@TK2MSFTNGP10.phx.gbl...
A service can spawn a process with a currently logged on user credentials (if that's what you want), without need to know those credentials.
How would you do that then?

To start a _service_ with user's credentials, the user also should have
"Logon as service" privilege, which you may not want to allow.


Indeed.

Idealy the service would sprawn a process with the currently logged in

user.
Thanks
Sims

Jul 21 '05 #15

"Sims" <si*********@hotmail.com> wrote in message
news:ey*************@tk2msftngp13.phx.gbl...
Unless you have a very specific requirement, use HKEY_LOCAL_MACHINE

instead.

One of the ideas behind running a process under the SYSTEM account is that it cannot do these types of things.


I agree, but my problem goes all the way back to installation.
The users cannot install the service, (they cannot install anything in
fact), only the administrator can, so what i wanted to do was to run the
install as an administrator and ensure that the service gets started as
current user.


OK. But this is a separate problem - why not use MSI? It has built-in
support for that kind of thing. That's how you can install Office on a box
without requiring the user to be an admin.
--
____________________
Klaus H. Probst, MVP
http://www.vbbox.com/

Jul 21 '05 #16

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

3 posts views Thread by mailme.faisal | last post: by
3 posts views Thread by Doug Bailey | last post: by
5 posts views Thread by Andrew | last post: by
8 posts views Thread by Rob R. Ainscough | last post: by
33 posts views Thread by JamesB | last post: by
2 posts views Thread by =?Utf-8?B?bXVyYWRqYW1lcw==?= | last post: by
reply views Thread by suresh191 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.