NxC

Reputation: 330

QueryServiceObjectSecurity fails with access denied error

The QueryServiceObjectSecurity call is failing with an access denied error, and I am not quite able to figure out why. I create the service and then try to update the permissions for it. Interestingly, once the call fails the service is created, and if I re-execute the code, it detects the existing service and attaches the handle, and then this call works fine. So why does it fail the first time? I am new to Windows services; is it that during the first execution the service is created but the SCM db is not updated before I query the object security?

Code snippet is below

Service creation:

managerHandle.Attach(::OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS));
serviceHandle.Attach(::CreateService(managerHandle, serviceName, serviceDisplayName, 
                SERVICE_CHANGE_CONFIG | SERVICE_START | SERVICE_QUERY_STATUS | SERVICE_INTERROGATE,
                serviceType, startCode, errorControl, path,
                groupName, NULL, NULL, NULL, NULL));

::ChangeServiceConfig2(m_serviceHandle, SERVICE_CONFIG_DESCRIPTION,  &serviceDesc);
service.Detach();

Now, after this, I call a function which updates the DACL for the service:

ENSURE_STATE(!!m_serviceHandle)
CAutoPtr<PSECURITY_DESCRIPTOR *> pSecurityDescriptor;
DWORD bytesNeeded = 0;
if(::QueryServiceObjectSecurity(serviceHandle, DACL_SECURITY_INFORMATION, &pSecurityDescriptor, 0, &bytesNeeded) == FALSE)
{

Any help greatly appreciated

Upvotes: 0

Views: 489

Answers (2)

Harry Johnston

Reputation: 36348

The access rights for system services are described in the MSDN article Service Security and Access Rights.

The relevant right is

READ_CONTROL: Required to call the QueryServiceObjectSecurity function to query the security descriptor of the service object.

The call to CreateService returns a handle with the access rights indicated by the dwDesiredAccess parameter, which you've set to

SERVICE_CHANGE_CONFIG | 
  SERVICE_START | 
  SERVICE_QUERY_STATUS | 
  SERVICE_INTERROGATE

That gives the handle the right to change the service configuration, to start the service, query the service's status and interrogate the service - but not the right to query the security descriptor.

Add READ_CONTROL to dwDesiredAccess and the problem will go away. Better still, set dwDesiredAccess to SERVICE_ALL_ACCESS.

Upvotes: 1

arx

Reputation: 16904

The documentation for Service Security and Access Rights explains that the access right READ_CONTROL is required to call QueryServiceObjectSecurity.

In the call to CreateService add READ_CONTROL to the list of access rights you request for the handle.

Upvotes: 1
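
The handle check that both answers describe, as an added example that is not part of the question or of either answer: it models which call in the question's sequence is refused for a given dwDesiredAccess, and computes the smallest mask that covers a DACL update. The function names (right_for, minimal_access, first_denied) and the DACL_PLAN list are hypothetical, the SetServiceObjectSecurity step is assumed from the question's "updates the dacl", and the constants repeat the Windows SDK values so the block builds on any platform.

```c
#include <stddef.h>
#include <string.h>

/* Values as defined in winnt.h / winsvc.h, repeated so this builds anywhere;
   the block only models the handle check and never calls the SCM. */
#define READ_CONTROL          0x00020000UL
#define WRITE_DAC             0x00040000UL
#define SERVICE_CHANGE_CONFIG 0x0002UL
#define SERVICE_QUERY_STATUS  0x0004UL
#define SERVICE_START         0x0010UL
#define SERVICE_INTERROGATE   0x0080UL

/* dwDesiredAccess exactly as passed to CreateService in the question. */
#define QUESTION_ACCESS (SERVICE_CHANGE_CONFIG | SERVICE_START | \
                         SERVICE_QUERY_STATUS | SERVICE_INTERROGATE)

/* Right each call checks on the handle ("Service Security and Access Rights"). */
static const struct { const char *api; unsigned long need; } CALLS[] = {
    { "ChangeServiceConfig2",       SERVICE_CHANGE_CONFIG },
    { "QueryServiceObjectSecurity", READ_CONTROL },  /* read the DACL  */
    { "SetServiceObjectSecurity",   WRITE_DAC },     /* write the DACL */
    { "StartService",               SERVICE_START },
};

/* Right required by one API name; 0 (nothing required) if it is not in CALLS. */
unsigned long right_for(const char *api) {
    for (size_t i = 0; i < sizeof CALLS / sizeof CALLS[0]; i++)
        if (strcmp(CALLS[i].api, api) == 0) return CALLS[i].need;
    return 0;
}

/* Smallest dwDesiredAccess that lets every planned call pass the check. */
unsigned long minimal_access(const char *const *plan, size_t n) {
    unsigned long mask = 0;
    for (size_t i = 0; i < n; i++) mask |= right_for(plan[i]);
    return mask;
}

/* Index of the first planned call the handle cannot make (access denied),
   or -1 if the handle's access mask covers the whole plan. */
int first_denied(unsigned long access, const char *const *plan, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (right_for(plan[i]) & ~access) return (int)i;
    return -1;
}

/* The question's sequence; the Set call is assumed from "updates the dacl". */
static const char *const DACL_PLAN[] = {
    "ChangeServiceConfig2", "QueryServiceObjectSecurity", "SetServiceObjectSecurity" };
```

With the question's mask the first refused call is QueryServiceObjectSecurity; the minimal mask for this plan is SERVICE_CHANGE_CONFIG | READ_CONTROL | WRITE_DAC.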
