January 23rd, 2017

How do I prevent users from terminating a service?

A customer asked (via their customer liaison), “We wrote in-house Windows service that is set to auto-start when the user logs in. How can we prevent the user from terminating it in Task Manager, or at least have the service auto-restart if it is terminated?”

Services have access control lists. If you don’t want a service to let users terminate it, then set the access control on the service so that users don’t have the permissions you don’t like, and have the service run under an account that users don’t have access to. You can change the access control list the command line way or the fancy GUI way. I’m sure there are corresponding commands and GUI dialogs for changing the account the service runs under; I’ll leave you to find them.

From a technical side, a service can prevent itself from being stopped by simply ignoring the Stop notification, although a service that did that is basically making itself harder to be managed. And as for restarting after termination, there are a variety of options available on the Recovery tab in the Services MMC snap-in.

But we were rather baffled by this question, however, because the default security settings for services do not let unprivileged users start and stop them, and they run under accounts that normal users do not have access to. Normally, the only users who can stop or terminate services are administrators. And you can’t defend yourself from administrators because they are already on the other side of the airtight hatchway: Any setting you set to thwart the adminitrator, the administrator can simply reset.

The customer liaison clarified that the customer wanted to prevent both normal users and administrative users from terminating the service. If administrators cannot be blocked, they will inform the customer of that.

So let’s say it again: You can’t stop administrators from doing things to the local computer, because they are administrators. As I noted, administrators are already on the other side of the airtight hatchway.

If you are interested only in preventing standard users from stopping or terminating a service, then the usual service permissions should do the trick.

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

0 comments

Discussion are closed.