What are the minimum user permissions required to install a Windows service?

Asked by: Guest | Views: 289
Total answers/comments: 1
Guest [Entry]

"Administrative privileges for security reasons.

Only processes with Administrative privileges are able to open handles to the SCM (Service Control Manager) that can be used by the CreateService and LockServiceDatabase functions (see the MSDN article for details). In the article, you'll see that, for permissions to create a service you need the access right SC_MANAGER_CREATE_SERVICE (0x0002), which is included in the generic access right, GENERIC_WRITE. If you look a little further down the page, you'll see that only Administrators have access to this through SC_MANAGER_ALL_ACCESS. The same goes for using InstallUtil.exe to install a .NET Windows service, as InstallUtil calls the native CreateService function.

An application installing a service would go through one of the two methods. It sounds like a very logical design which prevents security issues, as explained here:

Actually, this design in Windows makes sense. It is the result of security consideration. Windows Service normally runs under a high privilege account, if a normal account can install an unknown service, it is easy for the malicious user to elevate his privilege. For example, he can use installutil.exe to install a hack service which runs under Local Service account. Then, when the service runs the entire machine will be controlled by the hacker with normal user account. This is really a security hole. So Windows only allows Administrators to install a service."
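
To check the claim in the answer above on a given machine, an administrator can read the SCM's security descriptor with `sc sdshow scmanager` and see which trustees actually hold SC_MANAGER_CREATE_SERVICE. The following is an added example, not part of the original answer: the function names are hypothetical and both SDDL strings are constructed samples, not output captured from a real system.

```python
import re

# 0x0002, GENERIC_WRITE and SC_MANAGER_ALL_ACCESS are the rights named in the answer.
SC_MANAGER_CREATE_SERVICE = 0x0002
SC_MANAGER_ALL_ACCESS = 0xF003F
GENERIC_WRITE, GENERIC_ALL = 0x40000000, 0x10000000
CREATE_BITS = SC_MANAGER_CREATE_SERVICE | GENERIC_WRITE | GENERIC_ALL

# SDDL right codes -> mask bits; on the SCM object "DC" (0x0002) is the
# create-service right and "KA" (0xF003F) equals SC_MANAGER_ALL_ACCESS.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "KA": SC_MANAGER_ALL_ACCESS,
          "GW": GENERIC_WRITE, "GA": GENERIC_ALL}

def parse_mask(rights):
    """Convert an SDDL rights field ('CCLCRPRC' or '0xf003f') to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in RIGHTS:
            raise ValueError(f"unknown SDDL right code: {code!r}")
        mask |= RIGHTS[code]
    return mask

def create_service_trustees(sddl):
    """Return (allowed, denied) trustee sets for the create-service right."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # ignore the SACL (audit ACEs)
    allowed, denied = set(), set()
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _, _, trustee = ace.split(";")[:6]
        if not parse_mask(rights) & CREATE_BITS:
            continue                                   # ACE does not cover 0x0002
        if ace_type == "A":
            allowed.add(trustee)
        elif ace_type == "D":
            denied.add(trustee)
    return allowed, denied

# Constructed samples in the format `sc sdshow scmanager` prints.
BASELINE = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
            "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)")
WEAKENED = BASELINE.replace("(A;;CC;;;AU)", "(A;;CCDCLC;;;AU)")

if __name__ == "__main__":
    for name, sddl in (("baseline", BASELINE), ("weakened", WEAKENED)):
        allowed, denied = create_service_trustees(sddl)
        print(f"{name}: allow={sorted(allowed)} deny={sorted(denied)}")
```

Any trustee other than BA (Built-in Administrators) in the allow set means non-administrators can install services, which is the privilege-escalation path the quoted explanation describes.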