Windows Unprivileged - Service Control Manager
Granting Permissions to the Service Control Manager
This is a continuation of the post on Windows Services.
Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything, not even spelling. Read and digest at your own peril!
If you want an unprivileged user to be able to create services, you can grant that user access to the Service Control Manager.
First, create a resource group, then add the resource group to the Service Control Manager’s ACL, then add users to the resource group.
PS C:\> New-LocalGroup RG_SCManager-0x0002|Format-List
Description :
Name : RG_SCManager-0x0002
SID : S-1-5-21-344341352-2539047333-2300305637-1019
PrincipalSource : Local
ObjectClass : Group
PS C:\> sc.exe sdshow scmanager
D:(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;KA;;;S-1-5-21-344341352-2539047333-2300305637-1017)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
PS C:\> sc.exe sdset scmanager "D:(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;0x2;;;S-1-5-21-344341352-2539047333-2300305637-1017)(A;;CC;;;AC)(A;;2;;;S-1-5-21-344341352-2539047333-2300305637-1019)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
[SC] SetServiceObjectSecurity SUCCESS
PS C:\> Add-LocalGroupMember RG_SCManager-0x0002 benoit
PS C:\>
An access mask of 0x2 allows creating services, according to Service Security and Access Rights.
This allows user benoit to create his service (including one that runs as LocalSystem) but not, luckily, to change its permissions. User benoit also cannot start the service or change its start mode to run it at boot.
PS C:\GeneralTestService> sc.exe create BenoitService binpath=C:\GeneralTestService\BenoitService.exe
[SC] CreateService SUCCESS
PS C:\GeneralTestService> sc.exe qc BenoitService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: BenoitService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\GeneralTestService\BenoitService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BenoitService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
PS C:\GeneralTestService> sc.exe start BenoitService
[SC] StartService: OpenService FAILED 5:
Access is denied.
PS C:\GeneralTestService> sc.exe sdshow BenoitService
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
PS C:\GeneralTestService> (Get-LocalUser benoit).SID
BinaryLength AccountDomainSid Value
------------ ---------------- -----
28 S-1-5-21-344341352-2539047333-2300305637 S-1-5-21-344341352-2539047333-2300305637-1002
PS C:\GeneralTestService> sc.exe sdset BenoitService "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-344341352-2539047333-2300305637-1002)"
[SC] OpenSCManager FAILED 5:
Access is denied.
PS C:\GeneralTestService> sc.exe config BenoitService start=auto
[SC] OpenService FAILED 5:
Access is denied.
PS C:\GeneralTestService>
I cannot say whether this is safe enough, but it does allow an unprivileged user to create a service without having an immediate way to become a privileged user. Of course, a privileged user would now have to create the service’s resource group, add the resource group to the service’s ACL and add user benoit to the resource group.
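To check afterwards who holds the create-service right on the Service Control Manager, the descriptor can be decoded ACE by ACE. This is an added example, not part of the original post: the function name Get-ScmAce is hypothetical, the sample input is the descriptor set with sc.exe sdset above, and the right names are the SC_MANAGER_* constants from Microsoft's documentation.

```powershell
# Sample input: the descriptor written with "sc.exe sdset scmanager" on this page.
# On a live host, read the current one instead:
#   $sddl = (sc.exe sdshow scmanager | Where-Object { $_ }) -join ''
$sddl = 'D:(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CC;;;AU)(A;;CCLCRPWPRC;;;SY)' +
        '(A;;KA;;;BA)(A;;0x2;;;S-1-5-21-344341352-2539047333-2300305637-1017)' +
        '(A;;CC;;;AC)(A;;2;;;S-1-5-21-344341352-2539047333-2300305637-1019)' +
        'S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'

# Object-specific access rights of the Service Control Manager.
$scmRights = [ordered]@{
    SC_MANAGER_CONNECT            = 0x0001
    SC_MANAGER_CREATE_SERVICE     = 0x0002
    SC_MANAGER_ENUMERATE_SERVICE  = 0x0004
    SC_MANAGER_LOCK               = 0x0008
    SC_MANAGER_QUERY_LOCK_STATUS  = 0x0010
    SC_MANAGER_MODIFY_BOOT_CONFIG = 0x0020
}

function Get-ScmAce {
    param([Parameter(Mandatory)][string]$Sddl)

    # Let Windows parse the SDDL, so aliases such as KA, BA or IU are resolved.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow ACEs grant rights; skip any other ACE type.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }

        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # SID cannot be resolved on this machine

        $granted = foreach ($right in $scmRights.GetEnumerator()) {
            if ($ace.AccessMask -band $right.Value) { $right.Key }
        }

        [pscustomobject]@{
            Principal        = $name
            Mask             = '0x{0:X}' -f $ace.AccessMask
            CanCreateService = [bool]($ace.AccessMask -band 0x0002)
            Rights           = $granted -join ', '
        }
    }
}

# Show only the principals that may create services.
Get-ScmAce -Sddl $sddl | Where-Object CanCreateService | Format-Table -AutoSize
```

Comparing this list before and after an sdset shows exactly which principals gained or lost the right.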