tavseth

asked on

How to find StartName accounts for use with service installation

Hi,

I am attempting to find a list of the users available to run a service (StartName). I have unsuccessfully sought good info on this topic, and I find that even the SCM doesn't list all the service StartName users available.

Names that should be returned would be along the line of:

  NT AUTHORITY\LocalService
  LocalSystem
  .\ASPNET
  NT AUTHORITY\NETWORK SERVICE
  NT AUTHORITY\NetworkService

Is there a way for me to do this, preferably in Delphi? Do you know of any good sources for info on this topic?


Kind regards,
Tor Avseth
Lukasz Zielinski

Take a look at WMI, esp. the Win32_Service class.
You can download WMI components from http://www.online-admin.com/wmiset.html

ziolko.
tavseth

ASKER

See, I already have the WMIset from online-admin, and I have used e.g. the WMIquery which they supply. I can read the different StartNames that are used with the currently installed services.

However, what I want is to fill e.g. a list box with the names that I may legally (or practically) use for StartName when installing a service...


-Tor
Look at LsaEnumerateAccountsWithUserRight(); maybe this will help.
I think that the account should have the SE_SERVICE_LOGON_NAME privilege.

ziolko.
Maybe you could see these links

It's in French but the unit is in English:
http://tothpaul.free.fr/sources.php?tools.ntservice (He wrote the Book Delphi 7 Studio - Publisher :Eyrolles)
See the code in the NTService.zip if it can help you

See also (German Site - also in English)

http://assarbad.net/en/stuff
And on the same site:
http://assarbad.net/en/stuff/tutorials/ntsvc/




>I think that the account should have the SE_SERVICE_LOGON_NAME privilege
AFAIK: depending on what the service needs to access, the user used will need the "logon as a service" right before anything else. I personally never set that privilege for any user account I used for services.

also keep in mind that you will have to precede the name with a ".\" to mark local machine ;)
ciuly, as I understand the question it's not about setting privileges but enumerating accounts which can be used to run a service.
Like I said, I THINK that it's that priv.

ziolko.
tavseth

ASKER

Ziolko,

that is right, I wish to list the users that have permission to run services. I might toss in an admin-rights prerequisite as well later.

My intention is to make the UI as simple as possible, to reduce the amount of traffic on customer support. So I wish to do most of the thinking for the admin... ;)

Currently looking across the net for more on the leads you gave me, it seems Colin Wilson's Delphi pages contain utilities that I can use to access LSA. Too bad I am a bit of a rookie and don't know how to use it yet.
 

Rgds, Tor
ziolko, I understood what he wanted. But I know for a fact that a user needs the "logon as a service" priv (SeServiceLogonRight) in order for a service to be run under that user's context.
So what I was trying to say is: indeed use that enum function, but use another priv which makes sure you will get the correct accounts ;)

What I do for my typical applications is create a user and then grant about 22 privileges (this makes sure that my service is allowed to do most stuff, including networking, registry and user management, without being in the admin group). But SeServiceLogonRight IS the one that is needed 100% in order for a service to be able to start under a specified user. The rest depend on what the service needs to do.

And ... I don't set the SE_SERVICE_LOGON_NAME name :)
Hehe. I just did some googling and found
#define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")

so we were talking about the same thing :))
ASKER CERTIFIED SOLUTION
Russell Libby
tavseth

ASKER

Russell,

this looks to be working wonders. Short of the definitions of NTSERVICE and MAX_BUFFER, your code was paste and play.

I do wonder, though, how it is I don't get LocalSystem or NT AUTHORITY\LocalService returned? LocalService and LocalSystem seem to run most of the services installed on my computer, so why don't they show up in this lookup? If I make another lookup towards SeIncreaseQuotaPrivilege, I do get the NT-AUTHORITY\Local Service.


Do you know?

Regards, Tor



PS: I added some privilege names (though they're irrelevant when it comes to starting services?) copied from C.Wilson:

  SE_CREATE_TOKEN_NAME              = 'SeCreateTokenPrivilege';
  SE_ASSIGNPRIMARYTOKEN_NAME        = 'SeAssignPrimaryTokenPrivilege';
  SE_LOCK_MEMORY_NAME               = 'SeLockMemoryPrivilege';
  SE_INCREASE_QUOTA_NAME            = 'SeIncreaseQuotaPrivilege';
  SE_UNSOLICITED_INPUT_NAME         = 'SeUnsolicitedInputPrivilege';
  SE_MACHINE_ACCOUNT_NAME           = 'SeMachineAccountPrivilege';
  SE_TCB_NAME                       = 'SeTcbPrivilege';
  SE_SECURITY_NAME                  = 'SeSecurityPrivilege';
  SE_TAKE_OWNERSHIP_NAME            = 'SeTakeOwnershipPrivilege';
  SE_LOAD_DRIVER_NAME               = 'SeLoadDriverPrivilege';
  SE_SYSTEM_PROFILE_NAME            = 'SeSystemProfilePrivilege';
  SE_SYSTEMTIME_NAME                = 'SeSystemtimePrivilege';
  SE_PROF_SINGLE_PROCESS_NAME       = 'SeProfileSingleProcessPrivilege';
  SE_INC_BASE_PRIORITY_NAME         = 'SeIncreaseBasePriorityPrivilege';
  SE_CREATE_PAGEFILE_NAME           = 'SeCreatePagefilePrivilege';
  SE_CREATE_PERMANENT_NAME          = 'SeCreatePermanentPrivilege';
  SE_BACKUP_NAME                    = 'SeBackupPrivilege';
  SE_RESTORE_NAME                   = 'SeRestorePrivilege';
  SE_SHUTDOWN_NAME                  = 'SeShutdownPrivilege';
  SE_DEBUG_NAME                     = 'SeDebugPrivilege';
  SE_AUDIT_NAME                     = 'SeAuditPrivilege';
  SE_SYSTEM_ENVIRONMENT_NAME        = 'SeSystemEnvironmentPrivilege';
  SE_CHANGE_NOTIFY_NAME             = 'SeChangeNotifyPrivilege';
  SE_REMOTE_SHUTDOWN_NAME           = 'SeRemoteShutdownPrivilege';
These 2 built-in accounts are not recognized by the security subsystem (e.g., you can't specify either name in a call to the LookupAccountName function), so I would venture this might have something to do with it. But when dealing with service logon rights, it would be correct to add both these accounts to your list.

-- LocalSystem Account --
The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService function, any password information you provide is ignored.

-- LocalService Account --
The LocalService account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has minimum privileges on the local computer and presents anonymous credentials on the network. The name of the account in all locales is NT AUTHORITY\LOCALSERVICE. This account does not have a password. If you specify the LocalService account in a call to the CreateService function, any password information you supply is ignored.

---

Russell


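Putting ziolko's and ciuly's LsaEnumerateAccountsWithUserRight suggestion together with Russell's note that the SCM's built-in accounts do not come back from such an enumeration, here is an added Delphi console example. It is not Russell's accepted code (which is not shown on this page) and not taken from any of the linked units; the LSA imports are declared by hand, the function and variable names are my own, and it assumes it runs with administrative rights, since opening the LSA policy with these access bits requires them.

```delphi
program ListServiceLogonAccounts; {$APPTYPE CONSOLE}
uses Windows, SysUtils, Classes;
type
  LSA_UNICODE_STRING = record Length, MaximumLength: Word; Buffer: PWideChar; end;
  LSA_OBJECT_ATTRIBUTES = record Length: ULONG; RootDirectory: THandle; ObjectName: Pointer;
    Attributes: ULONG; SecurityDescriptor, SecurityQualityOfService: Pointer; end;
  LSA_ENUMERATION_INFORMATION = record Sid: PSID; end;
  PLSA_ENUMERATION_INFORMATION = ^LSA_ENUMERATION_INFORMATION;
const
  POLICY_VIEW_LOCAL_INFORMATION = $00000001; POLICY_LOOKUP_NAMES = $00000800;
  STATUS_NO_MORE_ENTRIES = LongInt($8000001A); // NTSTATUS returned when no account holds the right
function LsaOpenPolicy(SystemName: Pointer; var Attrs: LSA_OBJECT_ATTRIBUTES;
  Access: ACCESS_MASK; var Policy: THandle): LongInt; stdcall; external 'advapi32.dll';
function LsaEnumerateAccountsWithUserRight(Policy: THandle; Right: Pointer;
  var Buf: Pointer; var Count: ULONG): LongInt; stdcall; external 'advapi32.dll';
function LsaFreeMemory(Buf: Pointer): LongInt; stdcall; external 'advapi32.dll';
function LsaClose(Policy: THandle): LongInt; stdcall; external 'advapi32.dll';

// Resolve a SID to DOMAIN\Name, the form CreateService expects in lpServiceStartName.
function SidToAccountName(Sid: PSID): string;
var Name, Domain: array[0..255] of Char; cbN, cbD: DWORD; Use: SID_NAME_USE;
begin
  cbN := Length(Name); cbD := Length(Domain);
  if LookupAccountSid(nil, Sid, Name, cbN, Domain, cbD, Use) then
    Result := string(PChar(@Domain)) + '\' + string(PChar(@Name))
  else Result := '<unresolvable SID>';
end;

// Every account the local LSA policy grants Right (e.g. SeServiceLogonRight); needs admin rights.
function AccountsWithRight(const Right: WideString): TStringList;
var Attrs: LSA_OBJECT_ATTRIBUTES; Policy: THandle; R: LSA_UNICODE_STRING; Buf: Pointer; Count, I: ULONG; Entry: PLSA_ENUMERATION_INFORMATION; Status: LongInt;
begin
  Result := TStringList.Create; FillChar(Attrs, SizeOf(Attrs), 0); Attrs.Length := SizeOf(Attrs);
  Status := LsaOpenPolicy(nil, Attrs, POLICY_VIEW_LOCAL_INFORMATION or POLICY_LOOKUP_NAMES, Policy);
  if Status <> 0 then raise Exception.Create('LsaOpenPolicy failed: ' + IntToHex(Status, 8));
  try
    R.Buffer := PWideChar(Right); R.Length := Length(Right) * SizeOf(WideChar); // byte count, no NUL
    R.MaximumLength := R.Length + SizeOf(WideChar);
    Status := LsaEnumerateAccountsWithUserRight(Policy, @R, Buf, Count);
    if Status = STATUS_NO_MORE_ENTRIES then Exit;   // empty list, nothing to free
    if Status <> 0 then raise Exception.Create('LsaEnumerateAccountsWithUserRight: ' + IntToHex(Status, 8));
    try
      Entry := Buf; for I := 1 to Count do begin Result.Add(SidToAccountName(Entry^.Sid)); Inc(Entry); end;
    finally LsaFreeMemory(Buf); end;
  finally LsaClose(Policy); end;
end;

var Names: TStringList; I: Integer;
begin
  Names := AccountsWithRight('SeServiceLogonRight');
  // The SCM's built-in accounts are not returned by the LSA enumeration, so add them explicitly.
  Names.Add('LocalSystem'); Names.Add('NT AUTHORITY\LocalService'); Names.Add('NT AUTHORITY\NetworkService');
  for I := 0 to Names.Count - 1 do Writeln(Names[I]);
  Names.Free;
end.
```

Pass a different right name (for instance the SeIncreaseQuotaPrivilege Tor mentions) to AccountsWithRight to compare what each right returns; a non-elevated run fails at LsaOpenPolicy with an access-denied NTSTATUS rather than returning an empty list.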
tavseth

ASKER

I simply have no further questions...


-Tor  :)