Community Pick: Many members of our community have endorsed this article.

Start / Stop a Windows Service from a non-Administrator user account

Published:
This article describes how to set permissions to allow a limited-permissions user to start and stop a particular System Service.   It is always best to give users only the permissions that they need to perform their job, so tweaking particular permissions setting is much better than just giving the employee access to full administrative privileges.  You will need to be an Administrator to make these settings.

First, some background.  Primarily, there are two ways in which to Start / Stop a Windows Service:

   1. Directly accessing the service through logon Windows user account.
...or...
    2. Accessing the service through IIS using Network Service account.

Command line command to start / stop services:
C:/> net start <SERVICE_NAME>
                      C:/> net stop <SERVICE_NAME>

Open in new window


C# Code to start / stop services (using ServiceController class):
Note : Add a reference to System.ServiceProcess and replace SERVICE_NAME with the service of interest.

using System;
                      using System.ServiceProcess;
                      ...
                      
                      ServiceController service = new ServiceController(SERVICE_NAME);
                      
                      //Start the serviceif (service.Status == ServiceControllerStatus.Stopped)
                      {
                            service.Start();
                            service.WaitForStatus(ServiceControllerStatus.Running, TimeSpan.FromSeconds(10.0));
                      }
                      
                      //Stop the service
                      if (service.Status == ServiceControllerStatus.Running)
                      {
                            service.Stop();
                            service.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(10.0));
                      }

Open in new window


1. Direct Access Method  (Must have required permissions)

If the Windows User Account from which either you give the command or run the code is a non-Admin account, then you need to set the privileges to that particular user account so it has the ability to start and stop Windows Services. This is how you do it.

Login to an Administrator account on the computer which has the non-Admin account from which you want to Start/Stop the service. Open up the command prompt and give the following command:

C:/>sc sdshow <SERVICE_NAME>

Open in new window

Output of this will be something like this:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Open in new window

It lists all the permissions each User / Group on this computer has with regards to <SERVICE_NAME>.

Here's a  description of one part of above command:

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)

It has the default owner, default group, and it has the Security descriptor control flags (A;;CCLCSWRPWPDTLOCRRC;;;SY):

ace_type - "A": ACCESS_ALLOWED_ACE_TYPE,
ace_flags - n/a,
rights - CCLCSWRPWPDTLOCRRC
CC: ADS_RIGHT_DS_CREATE_CHILD - Create a child DS object.
LC: ADS_RIGHT_ACTRL_DS_LIST - Enumerate a DS object.
SW: ADS_RIGHT_DS_SELF - Access allowed only after validated rights checks supported by the object are performed. This flag can be used alone to perform all validated rights checks of the object or it can be combined with an identifier of a specific validated right to perform only that check.
RP: ADS_RIGHT_DS_READ_PROP - Read the properties of a DS object.
WP: ADS_RIGHT_DS_WRITE_PROP - Write properties for a DS object.
DT: ADS_RIGHT_DS_DELETE_TREE - Delete a tree of DS objects.
LO: ADS_RIGHT_DS_LIST_OBJECT - List a tree of DS objects.
CR: ADS_RIGHT_DS_CONTROL_ACCESS - Access allowed only after extended rights checks supported by the object are performed. This flag can be used alone to perform all extended rights checks on the object or it can be combined with an identifier of a specific extended right to perform only that check.
RC: READ_CONTROL - The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). (This is a Standard Access Right, please read more http://msdn.microsoft.com/en-us/library/aa379607(VS.85).aspx)
object_guid - n/a,
inherit_object_guid - n/a,
account_sid - "SY": Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID.

Now what we need to do is to set the appropriate permissions to Start/Stop Windows Services to the groups or users we want. In this case we need the current non-Admin user be able to Start/Stop the service so we are going to set the permissions to that user. To do that, we need the SID of that particular Windows User Account. To obtain it, open up the Registry (Start > regedit) and locate the following registry key.

LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Open in new window


Under that there is a separate Key for each an every user account in this computer, and the key name is the SID of each account. SID are usually of the format S-1-5-21-2103278432-2794320136-1883075150-1000. Click on each Key, and you will see on the pane to the right a list of values for each Key. Locate "ProfileImagePath", and by its value you can find the User Name that SID belongs to. For instance, if the user name of the account is SACH, then the value of "ProfileImagePath" will be something like "C:\Users\Sach". So note down the SID of the user account for which you want to set the permissions.  (Note: Replace KEY_NAME with the key name).

Note:
Here a simple C# code sample which can be used to obtain a list of said Keys and their values.
using System;
                      using Microsoft.Win32;
                      using System.IO;
                       ...
                      
                      //LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList RegistryKey
                      RegistryKey profileList = Registry.LocalMachine.OpenSubKey( KEY_NAME );
                      
                      //Get a list of SID corresponding to each account on the computer
                      string[] sidList = profileList.GetSubKeyNames();
                      
                      foreach (string sid in sidList)
                      {
                          //Based on above names, get 'Registry Keys' corresponding to each SID
                          RegistryKey profile = Registry.LocalMachine.OpenSubKey(Path.Combine( KEY_NAME,  sid));
                      
                          //SID
                          string strSID = sid;
                          //UserName which is represented by above SID	
                          string strUserName = (string)profile.GetValue("ProfileImagePath");
                      }

Open in new window


Now that we have the SID of the user account we want to set the permissions to, let's get down to it. Let's assume the SID of the user account is S-1-5-21-2103278432-2794320136-1883075150-1000.

Copy the output of the [sc sdshow <SERVICE_NAME>] command to a text editor. It will look like this:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Open in new window


Now, copy the (A;;CCLCSWRPWPDTLOCRRC;;;SY) part of the above text, and paste it just before the S:(AU;... part of the text. Then change that part to look like this:
(A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)

Open in new window


Then add sc sdset <SERVICE_NAME> at the front, and enclose the above part with quotes. Your final command should look something like the following:
sc sdset <SERVICE_NAME> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Open in new window

Now execute this in your command prompt, and it should give the output as follows if successful:
[SC] SetServiceObjectSecurity SUCCESS

Open in new window

Now we're good to go! Your non-Admin user account has been granted permissions to Start/Stop your service!  Try logging in to the user account and Start/Stop the service and it should let you do that.

2. Access through IIS Method

In this case, we need to grant the permission to the IIS user "Network Services" instead of the logon Windows user account. The procedure is the same, only the parameters of the command will be changed. Since we set the permission to "Network Services", replace SID with the string "NS" in the final sdset command we used previously. The final command should look something like this:
sc sdset <SERVICE_NAME> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Open in new window


Execute it in the command prompt from an Admin user account, and voilĂ ! You have the permission to Start / Stop the service from any user account (irrespective of whether it is an Admin account or not) using a WebMethod.

Note:
When accessing the service through IIS, create a Visual Studio C# ASP.NET Web Application and put the code in there.  Deploy the WebService to the IIS Root Folder (e.g., C:\inetpub\wwwroot\<WebServiceName>) and you're good to go.
Access it by the url http://<MACHINE_NAME>/<WebServiceName>
1
13,917 Views

Comments (1)

Author

Commented:
Thank you younghv
Let me know if you need any further assistance.
Regards

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.