Windows Unprivileged - Service Control Manager

Granting Permissions to the Service Control Manager

This is a continuation of the post on Windows Services.

Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything, not even spelling. Read and digest at your own peril!

If you want an unprivileged user to be able to create services, you can give him access to the Service Control Manager.

First, create a resource group, then add the resource group to the Service Control Manager’s ACL, then add users to the resource group.

PS C:\> New-LocalGroup RG_SCManager-0x2|Format-List

Description     :
Name            : RG_SCManager-0x2
SID             : S-1-5-21-344341352-2539047333-2300305637-1019
PrincipalSource : Local
ObjectClass     : Group

PS C:\> sc.exe sdshow scmanager

D:(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;KA;;;S-1-5-21-344341352-2539047333-2300305637-1017)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
PS C:\> sc.exe sdset scmanager "D:(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;0x2;;;S-1-5-21-344341352-2539047333-2300305637-1017)(A;;CC;;;AC)(A;;2;;;S-1-5-21-344341352-2539047333-2300305637-1019)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
[SC] SetServiceObjectSecurity SUCCESS
PS C:\> Add-LocalGroupMember RG_SCManager-0x2 benoit
PS C:\>

An accessmask of 0x2 allows creating services, says Service Security and Access Rights.

This allows user benoit to create his service (including as a service to be run by LocalSystem) but not, luckily, to change its permissions. User benoit cannot start the service or change its startmode to run it at boot.

PS C:\GeneralTestService> sc.exe create BenoitService binpath=C:\GeneralTestService\BenoitService.exe
[SC] CreateService SUCCESS
PS C:\GeneralTestService> sc.exe qc BenoitService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BenoitService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\GeneralTestService\BenoitService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : BenoitService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
PS C:\GeneralTestService> sc.exe start BenoitService
[SC] StartService: OpenService FAILED 5:

Access is denied.

PS C:\GeneralTestService> sc.exe sdshow BenoitService

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
PS C:\GeneralTestService> (Get-LocalUser benoit).SID

BinaryLength AccountDomainSid                         Value
------------ ----------------                         -----
          28 S-1-5-21-344341352-2539047333-2300305637 S-1-5-21-344341352-2539047333-2300305637-1002


PS C:\GeneralTestService> sc.exe sdset BenoitService "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-344341352-2539047333-2300305637-1002)"
[SC] OpenSCManager FAILED 5:

Access is denied.

PS C:\GeneralTestService> sc.exe config BenoitService start=auto
[SC] OpenService FAILED 5:

Access is denied.

PS C:\GeneralTestService>

I cannot say whether this is safe enough, but it does allow an unprivileged user to create a service without having an immediate way to become a privileged user. Of course, a privileged user would now have to create the service’s resource group, add the resource group to the service’s ACL and add user benoit to the resource group.

Next: Privileged Services