The SetServiceObjectSecurity function sets the security descriptor of a service object.
```c
BOOL SetServiceObjectSecurity(
  SC_HANDLE hService,                         // handle of service
  SECURITY_INFORMATION dwSecurityInformation, // type of security information requested
  PSECURITY_DESCRIPTOR lpSecurityDescriptor   // address of security descriptor
);
```
Value | Meaning |
---|---|
OWNER_SECURITY_INFORMATION | Sets the object's owner security identifier (SID). The hService handle must have WRITE_OWNER access, or the calling process must be the object's owner or have the SE_TAKE_OWNERSHIP_NAME privilege enabled. |
GROUP_SECURITY_INFORMATION | Sets the object's primary group SID. The hService handle must have WRITE_OWNER access, or the calling process must be the object's owner. |
DACL_SECURITY_INFORMATION | Sets the object's discretionary access control list (DACL). The hService handle must have WRITE_DAC access, or the calling process must be the object's owner. |
SACL_SECURITY_INFORMATION | Sets the object's system access control list (SACL). The hService handle must have ACCESS_SYSTEM_SECURITY access. The proper way to get this access is to enable the SE_SECURITY_NAME privilege in the caller's current access token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege. |
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError.
The following error codes can be set by the service control manager. Other error codes can be set by the registry functions that are called by the service control manager.
Value | Meaning |
---|---|
ERROR_ACCESS_DENIED | The specified handle was not opened with the required access, or the calling process is not the owner of the object. |
ERROR_INVALID_HANDLE | The specified handle is invalid. |
ERROR_INVALID_PARAMETER | The specified security information or security descriptor is invalid. |
ERROR_SERVICE_MARKED_FOR_DELETE | The specified service has been marked for deletion. |
The SetServiceObjectSecurity function sets the specified portions of the service object's security descriptor, based on the information specified in the lpSecurityDescriptor buffer. This function replaces any or all of the security information associated with the service object, according to the flags set in the dwSecurityInformation parameter and subject to the calling process's access rights.
The initial security descriptor of a service object is created by the service control manager, based on the security descriptor of the process that called the CreateService function to create the service. You can change the security descriptor by calling the SetServiceObjectSecurity function.
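The following is an added example, not part of the original reference: it derives the handle access that the dwSecurityInformation table requires and uses it to replace only a service's DACL from an SDDL string supplied by the caller. The names `required_access` and `set_service_dacl` are hypothetical; the constants in the `#else` branch are copied from winnt.h only so the mapping compiles off Windows.

```c
#ifdef _WIN32
#include <windows.h>
#include <sddl.h>   /* ConvertStringSecurityDescriptorToSecurityDescriptorW */
#else               /* values from winnt.h, so required_access() builds anywhere */
typedef unsigned long DWORD;
#define OWNER_SECURITY_INFORMATION 0x00000001UL
#define GROUP_SECURITY_INFORMATION 0x00000002UL
#define DACL_SECURITY_INFORMATION  0x00000004UL
#define SACL_SECURITY_INFORMATION  0x00000008UL
#define WRITE_DAC                  0x00040000UL
#define WRITE_OWNER                0x00080000UL
#define ACCESS_SYSTEM_SECURITY     0x01000000UL
#endif

/* Least access to request from OpenService for the given flags. A handle with
   ACCESS_SYSTEM_SECURITY can only be opened while SE_SECURITY_NAME is enabled. */
DWORD required_access(DWORD si)
{
    DWORD access = 0;
    if (si & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
        access |= WRITE_OWNER;
    if (si & DACL_SECURITY_INFORMATION)
        access |= WRITE_DAC;
    if (si & SACL_SECURITY_INFORMATION)
        access |= ACCESS_SYSTEM_SECURITY;
    return access;
}

#ifdef _WIN32
/* Replace only the DACL; owner, group and SACL stay untouched.
   Returns 0 on success, otherwise the GetLastError() value. Link advapi32.lib. */
DWORD set_service_dacl(const wchar_t *service, const wchar_t *sddl)
{
    DWORD err = 0;
    PSECURITY_DESCRIPTOR sd = NULL;
    SC_HANDLE scm = NULL, svc = NULL;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl, SDDL_REVISION_1, &sd, NULL))
        return GetLastError();
    scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_CONNECT);
    if (scm)
        svc = OpenServiceW(scm, service, required_access(DACL_SECURITY_INFORMATION));
    if (!svc || !SetServiceObjectSecurity(svc, DACL_SECURITY_INFORMATION, sd))
        err = GetLastError();  /* e.g. ERROR_ACCESS_DENIED, ERROR_INVALID_PARAMETER */
    if (svc) CloseServiceHandle(svc);
    if (scm) CloseServiceHandle(scm);
    LocalFree(sd);
    return err;
}
#endif
```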
Windows NT: Requires version 3.1 or later.
Windows: Unsupported.
Windows CE: Unsupported.
Header: Declared in winsvc.h.
Import Library: Use advapi32.lib.
Low-Level Access-Control Overview, Low-Level Access Control Functions, CreateService, OpenService, QueryServiceObjectSecurity, SECURITY_DESCRIPTOR