Re: Browsing host services

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance


<bk> wrote in message news:ePvwMrgnFHA.2444@xxxxxxxxxxxxxxxxxxxxxxx
>
> "Willy Denoyette [MVP]" <willy.denoyette@xxxxxxxxxx> wrote in message
> news:%23jxAgybnFHA.2904@xxxxxxxxxxxxxxxxxxxxxxx
>>
>> "r" <razgrp@xxxxxxxxx> wrote in message
>> news:1123683024.045872.81400@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>> Hi,
>>> I would like to create a dialog that shows all services in the
>>> computer, much like services option in the control panel.
>>> How can I traverse all services on the computer?
>>> Thanks in advance
>>>
>>
>> Use the System.Management namespace classes and WMI for these kind of
>> management tasks....
>
> My problem with WMI is that not all functionality seems to match the
> WinAPI for the same task,
>
> Take for example changing the user that a service runs under (error
> checking removed):
>
> public static void ChangeUser(string name, string userName, string
> password) {
> ManagementObject service = new ManagementObject("Win32_Service=" + "\""
> + name + "\"");
> ManagementBaseObject parameters =
> service.GetMethodParameters("Change");
> parameters["StartName"] = userName;
> parameters["StartPassword"] = password;
> service.InvokeMethod("Change", parameters, null);
> }
>
> This works as you would expect but what it doesn't do which the WinAPI
> function does do is give the user the "Logon as a Service" right, which
> means you have to resort to other api's


Well that's exactly the kind of "convenience" which I don't like when using
the SC API's and the ServiceProcessInstaller class, why?
1. An account will automatically receive the "SeInteractiveLogonRight"
privilege when the service is installed, but it won't (and it can't) be
removed when the service is uninstalled. In a test environment you might end
with a bunch of accounts that are granted this privilege without any good
reason....
2. User privilege management and application management are separate tasks,
that means that you should configure your service accounts before you
install your application(s) aka. service(s). Service accounts should have
restricted privileges anyway, so picking an arbitrary user account to run as
a service is not good security practice anyway.

Note also that "User privilege management" is possible using
System.Management through the RSOP WMI namespace (XP and higher).

Willy.




.

Relevant Pages

  • Re: Users, Groups & Built-in Security Principles
    ... Microsoft MVP (Windows Server System: ... > Help Services Group ... The three I exempted are accounts ... allow the names to be deleted from the list and I cant see how to, using WMI ...
    (microsoft.public.windowsxp.security_admin)
  • Re: WMI Win32_UserAccount query
    ... I want to query all of the accounts, ... If I log onto this machine as the domain administrator and using WMI ...
    (microsoft.public.win32.programmer.wmi)
  • Re: Scripting SMS Site settings (again)
    ... managing accounts through SDK and WMI. ... > I've read the SMS SDK documentation and the OPS guide but haven't> found what I'm looking for. ... > Most site settings are configurable by manipulating the embedded> properties - this I now know how to do with WMI and VBscript. ... > However the 'Connection Accounts' site settings doesn't seem to be> accessible any other way than through the Admin Console! ...
    (microsoft.public.sms.admin)