A customer was developing a service, and they didn’t want users to be able to change the service’s startup type (e.g. change it from auto-start to disabled). They saw that other services had the “Startup type” field disabled. How can they get in on that action? They found that that they could get close to the desired behavior by restricting the ACLs on the service registry key. That doesn’t disable the startup type combo box in the UI, but it did mean that when the user tried to change the setting, they got an error message.

There is no need to do any undocumented hacking to get the desired effect. It’s all right there in front of you.

To prevent users from being able to change the startup type, don’t grant them SERVICE_CHANGE_CONFIG access to the service. The “Startup type” combo box disables itself if the user does not have permission to change the service configuration.

Use the Set­Service­Object­Security function to change the access control list for a service. There is a sample program in the documentation: Modifying the DACL for a Service.

Similarly, you can control who can start and stop the service by adjusting who gets SERVICE_START, SERVICE_STOP, and SERVICE_PAUSE_CONTINUE access to the service.

Bonus chatter: For every immovable object, there is a more motivated unstoppable force: My friends over in support tell me that they sometimes get cases where they discover that a system-provided service has been configured in some way that shouldn’t be possible, given that the option is disabled in the UI. Upon closer questioning, the customer explains, “Yeah, it was disabled in the UI, so we had to do ⟦really extreme thing⟧ to get that service reconfigured the way we want it.”

This is like driving up to a bridge, seeing a “Bridge out of order” sign, then getting out of your car, moving the sign, driving onto the bridge, falling into the river, and then complaining to the car manufacturer that their car doesn’t work.