堆栈内存溢出
  简体   繁体   English

以本地系统权限运行的 Windows 服务,想要从以本地用户权限运行的 Windows 服务创建子进程

[英]Windows Service running with Local System rights, wants to create child processes from windows service which will running with Local User rights

 原文  2020-11-02 05:18:22       windows-services/ child-process/ local-system-account

问题描述

I am working on windows service application where currently it is running on administrator privileges.我正在开发 Windows 服务应用程序,目前它以管理员权限运行。 For that I need to set administrator info in service log on settings.为此,我需要在服务登录设置中设置管理员信息。 Above windows service is creating child processes with local user privileges.以上 Windows 服务正在创建具有本地用户权限的子进程。 This is working fine.这工作正常。

Now I want to change windows service application to run with "Local System" privileges instead of administrator.现在我想更改 Windows 服务应用程序以使用“本地系统”权限而不是管理员权限运行。 But if I change the log on setting to "Local System" then, Child processes are not starting and throws exception "access denied".但是,如果我将登录设置更改为“本地系统”,则子进程不会启动并引发异常“访问被拒绝”。

I think that "local system" account has all permission to do anything.我认为“本地系统”帐户拥有做任何事情的所有权限。 It is even stronger than administrator account.它甚至比管理员帐户更强大。 Then why it cannot start child processes?那为什么不能启动子进程呢?

Please guide me if my perception is wrong如果我的看法是错误的,请指导我

1 个解决方案

解决方案1
 0  2020-11-02 05:40:53

Local System certainly DOES NOT have "all permission to do anything".本地系统当然没有“做任何事情的所有权限”。 That would mean that if someone managed to get INTO that process.. they could really run amok on the system.这意味着,如果有人设法进入该过程......他们真的可以在系统上运行。

Group Policy Editor will show you EXACTLY who can do what so you don't need to guess your way through.组策略编辑器将准确地向您显示谁可以做什么,因此您无需猜测通过的方式。

  1. Open GPEDIT.MSC打开 GPEDIT.MSC
  2. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment导航到Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
  3. On the right hand side, Look for Obtain an impersonation token for another user in the same session.在右侧,查找为Obtain an impersonation token for another user in the same session.

在此处输入图片说明

I am not 100% sure that this is the setting you need (I haven't tried it) but I THINK it is.我不是 100% 确定这是您需要的设置(我还没有尝试过),但我认为是。 Even if it isn't, browse around this section of group policy to see who can do what.即使不是,也请浏览组策略的这一部分,看看谁可以做什么。 Clearly the setting you want won't have "Local System" on the list ;)显然,您想要的设置不会在列表中包含“本地系统”;)

I hope this helps.我希望这有帮助。 :) GOOD LUCK! :) 祝你好运!

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何获取以用户身份运行的Windows 7应用程序的MainWindowHandle <foo> 从作为本地系统运行的服务中? - How can I get the MainWindowHandle of a Windows 7 application running as user <foo> from within a service running as Local System? 在没有用户权限的情况下从 Windows 服务写入文件? - Write to file from Windows Service without user rights? 在本地系统下运行的Windows服务能否在其运行的计算机上创建新文件? - Can a Windows service running under Local System create new files on the computer it is running on? 在作为本地系统运行的 windows 服务中进行键盘和鼠标操作? - Making keyboard and mouse operations in a windows service running as a local system? 将Windows服务作为“本地系统”运行有哪些安全风险? - What are the security risks in running a Windows Service as “Local System”? 通过在本地配置文件下运行服务,从Windows服务获取用户appdata路径 - Get user appdata path from windows service by running service under local profile 以本地系统运行的Windows服务无法以交互用户身份启动Com Server - Windows Service running as Local System unable to launch Com Server as Interactive User 从服务运行msiexec(本地系统帐户) - Running msiexec from a service (Local System account) 当将父子进程作为Windows Service运行时,重定向IO - Redirect IO when running parent-child processes as Windows Service 如何授予服务用户足够的权限在Windows 7中创建注册表项 - How do I grant a service user sufficient rights to create registry keys in windows 7
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM