[英]Programmatically grant local user rights to start a service with .Net
I want to implement an update service in my application (so users don't need admin rights to update my app once the service is installed, much like Google or Mozilla do their updates), and I think I found a good way to do this with WCF. 我想在我的应用程序中实现更新服务(因此,用户在安装该服务后就不需要管理员权限来更新我的应用程序,就像Google或Mozilla进行更新一样),我认为我找到了一种执行此操作的好方法与WCF。
I have a WCFServiceLibrary -Project which contains the ServiceContract and the core functionality (download/install updates) and a Windows Service-Project which implements the WCFServiceLibrary as a Windows Service. 我有一个WCFServiceLibrary -Project,其中包含ServiceContract和核心功能(下载/安装更新),还有一个Windows Service-Project ,该项目将WCFServiceLibrary实现为Windows Service。 Additionally, there is a Visual Studio Installer -Project which installs the service and my application, which should be able to start/stop/communicate with the service using NamedPipes. 此外,还有一个Visual Studio Installer -Project,用于安装服务和我的应用程序,该应用程序应该能够使用NamedPipes启动/停止/与服务通信。
The service is configured to start manually with the LocalSystem-Account. 该服务配置为使用LocalSystem-Account手动启动。 Now when the service is installed, I can start/stop it using services.msc (probably elevated), but not when I try it with net start Servicename (Error 5: Access denied) or with my application, which tells me that the local users probably don't have the permission to start/stop the service. 现在,当安装了服务时,我可以使用services.msc(可能已提升)启动/停止它,但是当我使用net start Servicename(错误5:访问被拒绝)或我的应用程序尝试它时,则不能启动/停止它,这告诉我本地用户可能没有启动/停止服务的权限。
I need the service to run with higher permissions in order to perform the installation of updates, so I would like to give local users permission to start my service either during the first installation of the service or when the service starts for the first time (since I can trigger that also during installation). 我需要该服务以更高的权限运行才能执行更新的安装,因此我想授予本地用户在服务的首次安装期间或服务首次启动时启动我的服务的权限(因为我也可以在安装过程中触发它。
However, how would I accomplish this with VB.NET (or C#)? 但是,如何用VB.NET(或C#)完成此操作? I found some examples using API-Calls of advapi32.dll, but it didn't looks like the permission can be changed with this. 我发现了一些使用advapi32.dll的API调用的示例,但似乎无法使用此权限来更改权限。
So, long story short, heres a summary of what I'm looking for: 因此,长话短说,以下是我所寻找的摘要:
There are already different similar questions here, but none did give a clear answer to this problem. 这里已经存在不同的类似问题,但是没有一个问题能给出明确的答案。 One user probably did it using the WiX-Installer, but I would like to keep the Visual Studio Installer Project since it's pretty straight forward and easy to use. 一个用户可能是使用WiX-Installer来完成的,但是我想保留Visual Studio Installer项目,因为它非常简单易用。
After a bit more of googling and trying to find a "clean" solution, I've given up and using now Process.Start
to execute sc.exe and set new Permissions after Installation. 经过更多的谷歌搜索并尝试找到一种“干净”的解决方案之后,我放弃了,现在使用Process.Start
执行sc.exe并在安装后设置新的权限。
Here's my ServiceInstaller-Class, for anyone curious: 这是我的ServiceInstaller-Class,适合所有好奇的人:
[VB.NET] [VB.NET]
Imports System.ComponentModel
Imports System.Configuration.Install
Imports System.ServiceProcess
<RunInstaller(True)>
Public Class SvcInstaller
Inherits Installer
Dim svcprocinst As ServiceProcessInstaller
Dim svcinst As ServiceInstaller
Public Sub New()
svcprocinst = New ServiceProcessInstaller
svcprocinst.Account = ServiceAccount.LocalSystem
svcinst = New ServiceInstaller
svcinst.ServiceName = "KrahMickeySvc"
svcinst.DisplayName = "Mickey-Service"
svcinst.Description = "This Service is used by KRAH Mickey for application updates and maintenance"
Installers.Add(svcprocinst)
Installers.Add(svcinst)
End Sub
Private Sub SvcInstaller_AfterInstall(sender As Object, e As InstallEventArgs) Handles Me.AfterInstall
'Set new permissions acc. to Security Descriptor Definition Language (SDDL)
'Source: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
'Keeping the source DACL and just adding RP,WP and DT (Start/Stop/PauseContinue) to IU (Interactive User)
Dim DACLString As String = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRCRPWPDT;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
process.Start("sc.exe", $"sdset {svcinst.ServiceName} ""{DACLString}""")
End Sub
End Class
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.