Allow Low-Privileged Users to Start Windows Services

Question

I want to deploy a C++ application that will run in enterprises where users have low privileges on their machines, so they can't run as admin or do tasks that require admin privileges.

The service I want can be run as Local Service, which is a low privilege account in Windows, so how can I , programmaticaly, let my application which is run with the context of the low privilege user start a Windows service that can be run as Local Service?

Will it require impersonation, and will the low privileged users be able to temporarily impersonate the Local Service account to run the service?

I heard that even if the specific service can be run as Local Service, I would still not be able to start it without admin powers because the Service Control Manager (SCM) would still require admin privileges?

EDIT: I should note that the service is installed by default in Windows (smart card service), I just want to start it.

Answer 1

This is simply not possible; standard users don't have the necessary privileges to do this. By default, only members of the Administrators and Power Users group can start, stop, and pause services.

This is a problem best solved by group policies, rather than by software. Ask about that on Server Fault.

Answer 2

As you'll require administrator privileges to install this service either way, you could install a second auto-start service which has the single purpose of accepting requests from your application to start/stop the real service.