This article describes how to set permissions to allow a limited-permissions user to start and stop a particular System Service. It is always best to give users only the permissions that they need to perform their job, so tweaking particular permissions setting is much better than just giving the employee access to full administrative privileges. You will
need to be an Administrator to make these settings.
First, some background. Primarily, there are two ways in which to Start / Stop a Windows Service:
1. Directly accessing the service through logon Windows user account.
2. Accessing the service through IIS using Network Service account.
Command line command to start / stop services:
C# Code to start / stop services (using ServiceController class):
C:/> net start <SERVICE_NAME>
C:/> net stop <SERVICE_NAME>
Note : Add a reference to System.ServiceProcess
and replace SERVICE_NAME with the service of interest.
1. Direct Access Method
ServiceController service = new ServiceController(SERVICE_NAME);
//Start the serviceif (service.Status == ServiceControllerStatus.Stopped)
//Stop the service
if (service.Status == ServiceControllerStatus.Running)
(Must have required permissions)
If the Windows User Account from which either you give the command or run the code is a non-Admin account, then you need to set the privileges to that particular user account so it has the ability to start and stop Windows Services. This is how you do it.
Login to an Administrator account on the computer which has the non-Admin account from which you want to Start/Stop the service.
Open up the command prompt and give the following command:
C:/>sc sdshow <SERVICE_NAME>
Output of this will be something like this:
It lists all the permissions each User / Group on this computer has with regards to <SERVICE_NAME>.
Here's a description of one part of above command:
It has the default owner, default group, and it has the Security descriptor control flags (A;;CCLCSWRPWPDTLOCRRC;;;SY):
ace_type - "A": ACCESS_ALLOWED_ACE_TYPE,
ace_flags - n/a,
rights - CCLCSWRPWPDTLOCRRC
CC: ADS_RIGHT_DS_CREATE_CHILD - Create a child DS object.
LC: ADS_RIGHT_ACTRL_DS_LIST - Enumerate a DS object.
SW: ADS_RIGHT_DS_SELF - Access allowed only after validated rights checks supported by the object are performed. This flag can be used alone to perform all validated rights checks of the object or it can be combined with an identifier of a specific validated right to perform only that check.
RP: ADS_RIGHT_DS_READ_PROP - Read the properties of a DS object.
WP: ADS_RIGHT_DS_WRITE_PROP - Write properties for a DS object.
DT: ADS_RIGHT_DS_DELETE_TREE - Delete a tree of DS objects.
LO: ADS_RIGHT_DS_LIST_OBJECT - List a tree of DS objects.
CR: ADS_RIGHT_DS_CONTROL_ACCESS - Access allowed only after extended rights checks supported by the object are performed. This flag can be used alone to perform all extended rights checks on the object or it can be combined with an identifier of a specific extended right to perform only that check.
object_guid - n/a,
inherit_object_guid - n/a,
account_sid - "SY": Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID.
Now what we need to do is to set the appropriate permissions to Start/Stop Windows Services to the groups or users we want. In this case we need the current non-Admin user be able to Start/Stop the service so we are going to set the permissions to that user. To do that, we need the SID of that particular Windows User Account. To obtain it, open up the Registry (Start > regedit) and locate the following registry key.
Under that there is a separate Key for each an every user account in this computer, and the key name is the SID of each account. SID are usually of the format S-1-5-21-2103278432-279432
. Click on each Key, and you will see on the pane to the right a list of values for each Key. Locate "ProfileImagePath", and by its value you can find the User Name that SID belongs to. For instance, if the user name of the account is SACH, then the value of "ProfileImagePath" will be something like "C:\Users\Sach". So note down the SID of the user account for which you want to set the permissions. (Note: Replace KEY_NAME with the key name).
Here a simple C# code sample which can be used to obtain a list of said Keys and their values.
//LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList RegistryKey
RegistryKey profileList = Registry.LocalMachine.OpenSubKey( KEY_NAME );
//Get a list of SID corresponding to each account on the computer
string sidList = profileList.GetSubKeyNames();
foreach (string sid in sidList)
//Based on above names, get 'Registry Keys' corresponding to each SID
RegistryKey profile = Registry.LocalMachine.OpenSubKey(Path.Combine( KEY_NAME, sid));
string strSID = sid;
//UserName which is represented by above SID
string strUserName = (string)profile.GetValue("ProfileImagePath");
Now that we have the SID of the user account we want to set the permissions to, let's get down to it. Let's assume the SID of the user account is S-1-5-21-2103278432-2794320136-1883075150-1000
Copy the output of the [sc sdshow <SERVICE_NAME>] command to a text editor. It will look like this:
Now, copy the (A;;CCLCSWRPWPDTLOCRRC;;;SY)
part of the above text, and paste it just before
part of the text. Then change that part to look like this:
Then add sc sdset <SERVICE_NAME>
at the front, and enclose the above part with quotes. Your final command should look something like the following:
sc sdset <SERVICE_NAME> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Now execute this in your command prompt, and it should give the output as follows if successful:
[SC] SetServiceObjectSecurity SUCCESS
Now we're good to go! Your non-Admin user account has been granted permissions to Start/Stop your service! Try logging in to the user account and Start/Stop the service and it should let you do that.
2. Access through IIS Method
In this case, we need to grant the permission to the IIS user "Network Services" instead of the logon Windows user account. The procedure is the same, only the parameters of the command will be changed. Since we set the permission to "Network Services", replace SID with the string "NS" in the final sdset
command we used previously. The final command should look something like this:
sc sdset <SERVICE_NAME> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Execute it in the command prompt from an Admin user account, and voilà!
You have the permission to Start / Stop the service from any user account (irrespective of whether it is an Admin account or not) using a WebMethod.
When accessing the service through IIS, create a Visual Studio C# ASP.NET Web Application and put the code in there. Deploy the WebService to the IIS Root Folder (e.g., C:\inetpub\wwwroot\<WebServiceName
>) and you're good to go.
Access it by the url http://<MACHINE_NAME>/<WebServiceName>