INFO: Access to the Service Control Manager

Last reviewed: January 13, 1998
Article ID: Q179249
The information in this article applies to:
  • Microsoft Win32 Application Programming Interface (API) included with:
      - Microsoft Windows NT versions 3.51, 4.0

SUMMARY

Unlike other securable objects, the Security Descriptor for the Service Control Manager (SCM) cannot be modified. This means that the Discretionary Access Control List (DACL) associated with the SCM cannot be changed.

MORE INFORMATION

A Security Descriptor is associated with the SCM. The DACL associated with the SCM identifies the users and groups allowed or denied access to it. The OpenSCManager API is used to obtain a handle to the SCM. When a process attempts to obtain a handle, Windows NT Security determines whether or not the process has the requested access. If the user is granted the requested access to the SCM, the system returns a valid handle. If the request is denied, error code 5 ("Access is denied") is returned.

The DACL associated with the SCM is outlined in the following table:

       User or Group                Access granted
     -----------------------------------------------------------------
     - The Everyone Group           SC_MANAGER_CONNECT               -
     -                              GENERIC_READ                     -
     -----------------------------------------------------------------
     - LocalSystem                  SC_MANAGER_CONNECT               -
     -                              GENERIC_READ                     -
     -                              SC_MANAGER_MODIFY_BOOT_CONFIG    -
     -----------------------------------------------------------------
     - The Administrators Group     GENERIC_ALL                      -
     -----------------------------------------------------------------

The generic access rights for the Service Control Manager are outlined below.

       GENERIC                      Specific Access
     -----------------------------------------------------------------
     - GENERIC_READ                 STANDARD_RIGHTS_READ             -
     -                              SC_MANAGER_ENUMERATE             -
     -                              SC_MANAGER_QUERY_LOCK_STATUS     -
     -----------------------------------------------------------------
     - GENERIC_WRITE                STANDARD_RIGHTS_WRITE            -
     -                              SC_MANAGER_CREATE_SERVICE        -
     -                              SC_MANAGER_MODIFY_BOOT_CONFIG    -
     -----------------------------------------------------------------
     - GENERIC_EXECUTE              STANDARD_RIGHTS_EXECUTE          -
     -                              SC_MANAGER_CONNECT               -
     -                              SC_MANAGER_LOCK                  -
     -----------------------------------------------------------------
     - GENERIC_ALL                  SC_MANAGER_ALL_ACCESS            -
     -----------------------------------------------------------------
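
Added example (not part of the original article): a portable C model of the two tables above. It expands a requested access mask with the SCM's generic mapping and checks it against one DACL entry, showing when OpenSCManager would fail with error 5. The numeric constants are the values from winnt.h and winsvc.h (where the enumerate right is named SC_MANAGER_ENUMERATE_SERVICE); the function and enum names are hypothetical, and the model evaluates a single table row in isolation and ignores MAXIMUM_ALLOWED, whereas Windows checks a token against every entry matching any of its SIDs.

```c
#include <stdint.h>
#include <stdio.h>

/* Values from winnt.h / winsvc.h, repeated so the example builds off Windows. */
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
#define READ_CONTROL    0x00020000u  /* = STANDARD_RIGHTS_READ/WRITE/EXECUTE */
#define SC_MANAGER_CONNECT            0x0001u
#define SC_MANAGER_CREATE_SERVICE     0x0002u
#define SC_MANAGER_ENUMERATE_SERVICE  0x0004u  /* "SC_MANAGER_ENUMERATE" in the table */
#define SC_MANAGER_LOCK               0x0008u
#define SC_MANAGER_QUERY_LOCK_STATUS  0x0010u
#define SC_MANAGER_MODIFY_BOOT_CONFIG 0x0020u
#define SC_MANAGER_ALL_ACCESS         0x000F003Fu

/* Expand generic bits into SCM-specific rights, per the second table. */
uint32_t scm_map_generic(uint32_t m) {
    uint32_t out = m & 0x0FFFFFFFu;  /* keep specific/standard bits, drop generic bits */
    if (m & GENERIC_READ)    out |= READ_CONTROL | SC_MANAGER_ENUMERATE_SERVICE | SC_MANAGER_QUERY_LOCK_STATUS;
    if (m & GENERIC_WRITE)   out |= READ_CONTROL | SC_MANAGER_CREATE_SERVICE | SC_MANAGER_MODIFY_BOOT_CONFIG;
    if (m & GENERIC_EXECUTE) out |= READ_CONTROL | SC_MANAGER_CONNECT | SC_MANAGER_LOCK;
    if (m & GENERIC_ALL)     out |= SC_MANAGER_ALL_ACCESS;
    return out;
}

enum scm_principal { SCM_EVERYONE, SCM_LOCALSYSTEM, SCM_ADMINISTRATORS };

/* Rights one DACL entry grants, per the first table (model: one row at a time). */
uint32_t scm_granted(enum scm_principal p) {
    switch (p) {
    case SCM_ADMINISTRATORS: return scm_map_generic(GENERIC_ALL);
    case SCM_LOCALSYSTEM:    return scm_map_generic(SC_MANAGER_CONNECT | GENERIC_READ | SC_MANAGER_MODIFY_BOOT_CONFIG);
    default:                 return scm_map_generic(SC_MANAGER_CONNECT | GENERIC_READ);
    }
}

/* 0 if every requested right is granted, else 5 (the error code the article cites). */
int scm_open_result(enum scm_principal p, uint32_t desired) {
    return (scm_map_generic(desired) & ~scm_granted(p)) ? 5 : 0;
}

int main(void) {
    printf("Everyone, CONNECT|ENUMERATE: %d\n", scm_open_result(SCM_EVERYONE, SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE));
    printf("Everyone, ALL_ACCESS:        %d\n", scm_open_result(SCM_EVERYONE, SC_MANAGER_ALL_ACCESS));
    return 0;
}
```

A caller covered only by the Everyone entry fails when it requests SC_MANAGER_ALL_ACCESS but succeeds when it requests just SC_MANAGER_CONNECT and enumeration, so code that only reads service state should request the narrowest mask it needs.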

Keywords          : BseSecurity BseService
Version           : WINNT:3.51,4.0
Platform          : winnt
Issue type        : kbinfo


© 1998 Microsoft Corporation. All rights reserved.