A customer was developing a service, and they didn’t want users to be able to change the service’s startup type (e.g. change it from auto-start to disabled). They saw that other services had the “Startup type” field disabled. How can they get in on that action? They found that that they could get close to the desired behavior by restricting the ACLs on the service registry key. That doesn’t disable the startup type combo box in the UI, but it did mean that when the user tried to change the setting, they got an error message.
There is no need to do any undocumented hacking to get the desired effect. It’s all right there in front of you.
To prevent users from being able to change the startup type, don’t grant them SERVICE_ access to the service. The “Startup type” combo box disables itself if the user does not have permission to change the service configuration.
Use the SetServiceObjectSecurity function to change the access control list for a service. There is a sample program in the documentation: Modifying the DACL for a Service.
Similarly, you can control who can start and stop the service by adjusting who gets SERVICE_, SERVICE_, and SERVICE_ access to the service.
Bonus chatter: For every immovable object, there is a more motivated unstoppable force: My friends over in support tell me that they sometimes get cases where they discover that a system-provided service has been configured in some way that shouldn’t be possible, given that the option is disabled in the UI. Upon closer questioning, the customer explains, “Yeah, it was disabled in the UI, so we had to do ⟦really extreme thing⟧ to get that service reconfigured the way we want it.”
This is like driving up to a bridge, seeing a “Bridge out of order” sign, then getting out of your car, moving the sign, driving onto the bridge, falling into the river, and then complaining to the car manufacturer that their car doesn’t work.
I got confused when I discovered permissions on the registry key weren't equivalent to permissions on the service. The permissions have to persist somewhere.
I have had to toggle down services that couldn't be disabled normally. My go-to method is deny-execute permissions on the binary to everyone. Most of the time this is a temporary measure.
In related news, we had a customer who disabled the ability for non-Administrators to add keys to the machine certificate store. After discussing it internally, we decided the ability for non-admin users to add keys to the machine certificate store is *nuts* and certainly leads to...
Edit: This is re Levicki’s top-level comment. Can someone fix the commenting system?
Maybe, just maybe. The customer is developing an in-house service, and the computer is the company’s, and the policy is for non-IT employees to not disable the service on their assigned machines?
Also, it’s impossible to prevent a local administrator to disable a service, because the local administrator can grant itself permission and privilege. So if this really is “your” PC, then you can disable whatever service.
Both the question and the answer perfectly showcase the sheer arrogance of both 3rd party and Microsoft developers nowadays.
Let me tell you something Raymond, and please feel free to pass it on to those who ask questions to the tune of "how do I prevent user from doing X" -- anyone doing so and their enablers should rot in hell. The PC is MINE, not yours -- your crappy software is a GUEST in MY HOUSE. If I am the admin, then I should be able to stop ANY service if I want to stop it.
Would you be ok with...
Strange... To the question "How do you prevent a user to stop my super important service?", I would have expected a Raymond-answer like "why on Earth would you want to do that?".
For every vendor who believes their service code is so important that it cannot be prevented from running, there is at least one devops who has encountered a problem that was solved by disabling, stopping or restarting that same service.
I do agree that there are processes that are absolutely required for Windows to run (such as Logon) but no printer vendor has ever written such code in a service....
Good points.
I'd just add that we live in an era of self-importance -- almost every young person has been brought up to be selfish and we see that in corporate culture of today. Every company thinks their product must have an icon on desktop, icon on taskbar, icon in system tray (even if it doesn't allow for any quick access/settings), at least 2 update services running at all times if not more, execute itself on startup, and update itself at the most unfortunate moment possibly destroying your work as it demands a restart even if it shouldn't need one.
Windows usage...
> “I’d just add that we live in an era of self-importance — almost every young person has been brought up to be selfish”
You had some good points around here (albeit, conveyed in an exceedingly crude way) up until this inanity. Now, I have to see an ophthalmologist to unroll my eyes.
So true, the last paragraph. This kind of behavior is a huge support case generator – people break something on their own to then blame the MS. Life’s tough.