Start / Stop a Windows Service from a non-Administrator user account
I have a WindowsService named, say, BST. And I need to give a non-Administrator user, UserA, the permissions to Start/Stop this particular service. My service runs on a variety of Windows OS, starting from Windows Server 2003 to Windows 7.

How can I do this?

I Googled and found some stuff about giving permissions using the command [sc sdset], but I am not exactly sure about the parameters. I do not want to set the permissions for a group, but ONLY to a particular user, UserA in this case.

Spree answered 14/12, 2010 at 6:38 Comment(1)
There are indeed many ways to do this, as offered below, and some more low-level/fiddly/more automatable than others. I realize the asker asked this 12 years ago, but as the answer comes up years later, I just want to recommend that for someone with the simple need Sach outlines, that Service Security Editor tool mentioned (far) below would seem the easiest solution (it's a GUI approach and it's free). Others have their place, of course.Surbased
Below I have put together everything I learned about Starting/Stopping a Windows Service from a non-Admin user account, if anyone needs to know.

Primarily, there are two ways in which to Start / Stop a Windows Service:

1. Directly accessing the service through the logon Windows user account.
2. Accessing the service through IIS using the Network Service account.

Command line command to start / stop services:

C:/> net start <SERVICE_NAME>
C:/> net stop <SERVICE_NAME>

C# Code to start / stop services:

using System;
using System.ServiceProcess;   // reference System.ServiceProcess.dll in the project

// SERVICE_NAME is the short service name as shown by "sc query", e.g. "BST"
using (ServiceController service = new ServiceController(SERVICE_NAME))
{
    //Start the service (only if it is currently stopped)
    if (service.Status == ServiceControllerStatus.Stopped)
    {
        service.Start();
        service.WaitForStatus(ServiceControllerStatus.Running, TimeSpan.FromSeconds(10.0));
    }

    //Stop the service (only if it is currently running)
    if (service.Status == ServiceControllerStatus.Running)
    {
        service.Stop();
        service.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(10.0));
    }
}

Note 1: When accessing the service through IIS, create a Visual Studio C# ASP.NET Web Application and put the code in there. Deploy the WebService to IIS Root Folder (C:\inetpub\wwwroot\) and you're good to go. Access it by the url http:///.

1. Direct Access Method

If the Windows User Account from which either you give the command or run the code is a non-Admin account, then you need to set the privileges to that particular user account so it has the ability to start and stop Windows Services. This is how you do it. Login to an Administrator account on the computer which has the non-Admin account from which you want to Start/Stop the service. Open up the command prompt and give the following command:

C:/>sc sdshow <SERVICE_NAME>

Output of this will be something like this:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

It lists all the permissions each User / Group on this computer has with regards to .

A description of one part of above command is as follows:

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)

It has the default owner, default group, and it has the Security descriptor control flags (A;;CCLCSWRPWPDTLOCRRC;;;SY):

ace_type - "A": ACCESS_ALLOWED_ACE_TYPE,
ace_flags - n/a,
rights - CCLCSWRPWPDTLOCRRC,  please refer to the Access Rights and Access Masks and Directory Services Access Rights
CC: ADS_RIGHT_DS_CREATE_CHILD - Create a child DS object.
LC: ADS_RIGHT_ACTRL_DS_LIST - Enumerate a DS object.
SW: ADS_RIGHT_DS_SELF - Access allowed only after validated rights checks supported by the object are performed. This flag can be used alone to perform all validated rights checks of the object or it can be combined with an identifier of a specific validated right to perform only that check.
RP: ADS_RIGHT_DS_READ_PROP - Read the properties of a DS object.
WP: ADS_RIGHT_DS_WRITE_PROP - Write properties for a DS object.
DT: ADS_RIGHT_DS_DELETE_TREE - Delete a tree of DS objects.
LO: ADS_RIGHT_DS_LIST_OBJECT - List a tree of DS objects.
CR: ADS_RIGHT_DS_CONTROL_ACCESS - Access allowed only after extended rights checks supported by the object are performed. This flag can be used alone to perform all extended rights checks on the object or it can be combined with an identifier of a specific extended right to perform only that check.
RC: READ_CONTROL - The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). (This is a Standard Access Right, please read more http://msdn.microsoft.com/en-us/library/aa379607(VS.85).aspx)
object_guid - n/a,
inherit_object_guid - n/a,
account_sid - "SY": Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID.

Now what we need to do is to set the appropriate permissions to Start/Stop Windows Services to the groups or users we want. In this case we need the current non-Admin user be able to Start/Stop the service so we are going to set the permissions to that user. To do that, we need the SID of that particular Windows User Account. To obtain it, open up the Registry (Start > regedit) and locate the following registry key.

LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Under that there is a separate Key for each and every user account on this computer, and the key name is the SID of each account. SIDs are usually of the format S-1-5-21-2103278432-2794320136-1883075150-1000. Click on each Key, and you will see on the pane to the right a list of values for each Key. Locate "ProfileImagePath", and by its value you can find the User Name that SID belongs to. For instance, if the user name of the account is SACH, then the value of "ProfileImagePath" will be something like "C:\Users\Sach". So note down the SID of the user account you want to set the permissions to.

Note 2: Here is a simple C# code sample which can be used to obtain a list of said Keys and their values.

using System;
using Microsoft.Win32;

//HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList RegistryKey
string keyName = @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList";
using (RegistryKey profileList = Registry.LocalMachine.OpenSubKey(keyName))
{
    //Get a list of SID corresponding to each account on the computer
    string[] sidList = profileList.GetSubKeyNames();

    foreach (string sid in sidList)
    {
        //Based on above names, get 'Registry Keys' corresponding to each SID
        using (RegistryKey profile = Registry.LocalMachine.OpenSubKey(keyName + "\\" + sid))
        {
            //SID
            string strSID = sid;
            //UserName which is represented by above SID (ProfileImagePath, e.g. C:\Users\Sach)
            string strUserName = (string)profile.GetValue("ProfileImagePath");
            Console.WriteLine(strSID + " -> " + strUserName);
        }
    }
}

Now that we have the SID of the user account we want to set the permissions to, let's get down to it. Let's assume the SID of the user account is S-1-5-21-2103278432-2794320136-1883075150-1000. Copy the output of the [sc sdshow ] command to a text editor. It will look like this:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Now, copy the (A;;CCLCSWRPWPDTLOCRRC;;;SY) part of the above text, and paste it just before the S:(AU;... part of the text. Then change that part to look like this: (A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)

Then add sc sdset at the front, and enclose the above part with quotes. Your final command should look something like the following:

sc sdset <SERVICE_NAME> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Now execute this in your command prompt, and it should give the output as follows if successful:

[SC] SetServiceObjectSecurity SUCCESS

Now we're good to go! Your non-Admin user account has been granted permissions to Start/Stop your service! Try logging in to the user account and Start/Stop the service and it should let you do that.

2. Access through IIS Method

In this case, we need to grant the permission to the IIS user "Network Services" instead of the logon Windows user account. The procedure is the same, only the parameters of the command will be changed. Since we set the permission to "Network Services", replace SID with the string "NS" in the final sdset command we used previously. The final command should look something like this:

sc sdset <SERVICE_NAME> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Execute it in the command prompt from an Admin user account, and voila! You have the permission to Start / Stop the service from any user account (irrespective of whether it is an Admin account or not) using a WebMethod. Refer to Note 1 to find out how to do so.

Spree answered 15/12, 2010 at 6:12 Comment(12)
NOTE: You MUST copy the results of the sdshow command executed on your own machine and then edit according to what I have specified. DO NOT just copy the code from here and execute it on your computer as it is.Spree
I haven't tried it yet, but assuming this works, this is going to save me a lot of time and head-aches at work! Thanks!Deplorable
I tried this manual approach and it worked splendidly. But, if you're like me, and you need to do this on 20+ computers then you're going to want a program, or script to do this. You can use the Windows API calls QueryServiceObjectSecurity, and SetServiceObjectSecurity. MSDN has a full example for applying this to the "Guest" accountDeplorable
Big kudos! Worked like a charm.Maunder
When you open a command prompt in option#1 you may need to do so with "Run as Administrator" option. Otherwise you may get an '[SC] OpenSCManager FAILED 5' error.Hydrosome
In our case the output returned by sc sdshow <SERVICE_NAME> did not have a set of parenthesis prefixed by an S:. In this case you can just tack the newly created parenthesis set (the one containing the SID you looked up) on to the end of the sdshow output string.Hydrosome
@Spree This is terrific and thank you. If i need to grant an account permission to modify the ACL, can I do that with this method? Do you know which of the permission codes you list corresponds to "modify ACL of this service"? Thanks again.Leftwich
What would be the difference between running the sc sdshow command as a non-admin?Gumwood
not to take away from the effort & care that went into this answer, I think some of the other answers offer a simpler and more direct solution. Unless I am missing some advantage of this?Brominate
@Spike0xff, at the time I was trying to solve this problem there were no better answers. I had to figure out most of this by reading bits and pieces here and there, so I put together everything in this answer so others could benefit. Later on, other people have contributed with improved and simpler answers.Spree
If you're doing this programatically and want to split up the output from sc sdshow you can use this regex to split up the components: (?:\D:)?\(.+?\) and then insert the new part with the SID as second-to-last.Ronnaronnholm
I followed the steps below and the command returned successfully, but I am still getting this error: error 1053: the service did not respond to the start or control request in a timely fashionGeriatric
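The edit of the `sc sdshow` string described above (copy the SID ACE in just before `S:`, or at the end when there is no `S:` section, as one commenter found) is easy to get wrong by hand when repeating it on many machines. The following Python helper is an added example, not code from the answer or from Microsoft: it parses the descriptor, appends the new ACE without duplicating it, and emits the `sc sdset` command; `decode_rights` expands the two-letter codes with the meaning they carry for service objects (the `SERVICE_*` constants from `winsvc.h`), which shows that `RPWPCR` grants start, stop and user-defined control, so `RPWP` alone is enough for start/stop. The `SERVICE_RIGHTS` table and all function names are this example's own.

```python
import re

# SDDL access-right letters as they apply to *service* objects (the same
# two-letter codes carry other meanings for other object types).
# Service-specific rights are the SERVICE_* constants from winsvc.h; the
# last four are standard rights common to every securable object.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",           "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",  "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

ACE_RE = re.compile(r"\(([^)]*)\)")   # one ACE is everything between parentheses


def decode_rights(rights):
    """Expand a rights string such as 'RPWPCR' into named service rights."""
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return [SERVICE_RIGHTS.get(c, c) for c in codes]


def parse_sddl(sddl):
    """Split 'sc sdshow' output into (dacl_flags, dacl_aces, sacl_flags, sacl_aces).

    The 'S:' (SACL / audit) section may be missing entirely."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a security descriptor beginning with D:")
    dacl, _, sacl = sddl[2:].partition("S:")
    dacl_flags = dacl.split("(", 1)[0]      # e.g. 'PAI' when inheritance flags are set
    sacl_flags = sacl.split("(", 1)[0]
    return dacl_flags, ACE_RE.findall(dacl), sacl_flags, ACE_RE.findall(sacl)


def build_sdset(service, sddl, sid, rights="RPWPCR"):
    """Return the 'sc sdset' command granting `rights` to `sid` on `service`."""
    dacl_flags, dacl, sacl_flags, sacl = parse_sddl(sddl)
    new_ace = "A;;%s;;;%s" % (rights, sid)
    if new_ace not in dacl:                 # re-running must not duplicate the ACE
        dacl.append(new_ace)                # last DACL entry, i.e. just before S:
    out = "D:" + dacl_flags + "".join("(%s)" % a for a in dacl)
    if sacl or sacl_flags:                  # keep the audit ACL exactly as it was
        out += "S:" + sacl_flags + "".join("(%s)" % a for a in sacl)
    return 'sc sdset %s "%s"' % (service, out)
```

Feed it the descriptor from your own machine, never the one quoted on this page, and run the printed command from an elevated prompt.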
I use the SubInACL utility for this. For example, if I wanted to give the user job on the computer VMX001 the ability to start and stop the World Wide Web Publishing Service (also known as w3svc), I would issue the following command as an Administrator:

subinacl.exe /service w3svc /grant=VMX001\job=PTO

The permissions you can grant are defined as follows (list taken from here):

F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service 
U : Service User-Defined Control Commands

So, by specifying PTO, I am entitling the job user to Pause/Continue, Start, and Stop the w3svc service.


Edit: updated links to web.archive.org since the original MS links are dead.

Dittmer answered 17/9, 2013 at 17:43 Comment(7)
This is the best answer. It uses the right tool for the job without hacking around in the registry, translating SIDs, or depending on obscure ACL formatting. Provides all that is needed to get the job done quickly and easily with enough detail to extrapolate it to any reasonable scenario.Calvities
Do I need to restart or logout/login when I use this?Baccivorous
@DavidGrinberg I don't recall ever needing to have the affected account log off and then back on, or having to restart when only using subinacl as described here.Dittmer
Can confirm that this works on 2012 server using sc \\server start|stop|query servicename from remote server. No restart\logoff neededScabby
This worked to start a service locally. However it crashed with CouldNotAccessDependentServices using remote powershell: Cannot access dependent services of '...'. Adding E : Enumerate Dependent Services to the ACL rights fixed that.Intransigence
seems subinacl download link was taken down by MS. Supposedly can use icacls for the same functionality learn.microsoft.com/en-us/windows-server/administration/…Geny
@Geny The link I provide is to the Wayback Machine where you can still download SubInAcl. I just tested it and it still works. Of course, that's not the official MS site, so exercise caution.Dittmer
  1. Login as an administrator.
  2. Download subinacl.exe from Microsoft:
    http://www.microsoft.com/en-us/download/details.aspx?id=23510
  3. Grant permissions to the regular user account to manage the BST services.
    (subinacl.exe is in C:\Program Files (x86)\Windows Resource Kits\Tools\).
  4. cd C:\Program Files (x86)\Windows Resource Kits\Tools\
    subinacl /SERVICE \\MachineName\bst /GRANT=domainname.com\username=F or
    subinacl /SERVICE \\MachineName\bst /GRANT=username=F
  5. Logout and log back in as the user. They should now be able to launch the BST service.
Tumer answered 3/4, 2013 at 7:55 Comment(4)
Looks much easier and better than manually manipulating the configurations.Electromechanical
Is the logout required?Baccivorous
whoops! Failed... I got "Error OpenSCManager : The RPC server is unavailable. WARNING : /grant=mike=f : No previous object opened". The service I tried was MySQL. Reboot: access is denied, as ever.Affine
Download link is now broken - 404Housman
There is a free GUI Tool ServiceSecurityEditor

Which allows you to edit Windows Service permissions. I have successfully used it to give a non-Administrator user the rights to start and stop a service.

I had used "sc sdset" before I knew about this tool.

ServiceSecurityEditor feels like cheating, it's that easy :)

Aegaeon answered 25/1, 2017 at 17:52 Comment(1)
I tried ServiceSecurityEditor based on this recommendation and it is excellent.Landes
It's significantly easier to grant management permissions to a service using one of these tools:

  • Group Policy
  • Security Template
  • subinacl.exe command-line tool.

Here's the MSKB article with instructions for Windows Server 2008 / Windows 7, but the instructions are the same for 2000 and 2003.

Lordsandladies answered 20/1, 2012 at 22:31 Comment(0)
The subinacl.exe command-line tool is probably the only viable and very easy to use option of anything in this post. You can't use a GPO with non-system services, and the other option is just way, way, way too complicated.

Smokechaser answered 31/5, 2016 at 8:50 Comment(0)
A Windows Service runs using a local system account. It can start automatically as the user logs into the system, or it can be started manually. However, a Windows service, say BST, can be run using a particular user account on the machine. This can be done as follows: start services.msc and go to the properties of your Windows service, BST. From there you can give the login parameters of the required user. The service then runs with that user account and no other user can run that service.

Thevenot answered 14/12, 2010 at 7:18 Comment(1)
Thanks for the response Jack. However it is not what I want to do. I need my service BST to run as it does now. I only need any user who is not an Admin to be able to Stop/Start it.Spree