Platform SDK: Access Control |
The SetServiceObjectSecurity function sets the security descriptor of a service object.
Windows NT 4.0 and later: You can use the SetNamedSecurityInfo function.
BOOL SetServiceObjectSecurity( SC_HANDLE hService, // handle to service SECURITY_INFORMATION dwSecurityInformation, // components PSECURITY_DESCRIPTOR lpSecurityDescriptor // SD );
Value | Meaning |
---|---|
DACL_SECURITY_INFORMATION | Sets the object's discretionary access control list (DACL). The hService handle must have WRITE_DAC access, or the calling process must be the object's owner. |
GROUP_SECURITY_INFORMATION | Sets the object's primary group SID. The hService handle must have WRITE_OWNER access, or the calling process must be the object's owner. |
OWNER_SECURITY_INFORMATION | Sets the object's owner security identifier (SID). The hService handle must have WRITE_OWNER access, or the calling process must be the object's owner or have the SE_TAKE_OWNERSHIP_NAME privilege enabled. |
SACL_SECURITY_INFORMATION | Sets the object's system access control list (SACL). The hService handle must have ACCESS_SYSTEM_SECURITY access. The proper way to obtain this access is to enable the SE_SECURITY_NAME privilege in the caller's current access token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege. |
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError.
The following error codes can be set by the service control manager. Other error codes can be set by the registry functions that are called by the service control manager.
Value | Meaning |
---|---|
ERROR_ACCESS_DENIED | The specified handle was not opened with the required access, or the calling process is not the owner of the object. |
ERROR_INVALID_HANDLE | The specified handle is invalid. |
ERROR_INVALID_PARAMETER | The specified security information or security descriptor is invalid. |
ERROR_SERVICE_MARKED_FOR_DELETE | The specified service has been marked for deletion. |
The SetServiceObjectSecurity function sets the specified portions of the service object's security descriptor, based on the information specified in the lpSecurityDescriptor buffer. This function replaces any or all of the security information associated with the service object, according to the flags set in the dwSecurityInformation parameter and subject to the calling process's access rights.
When a service is created, the service control manager assigns a default security descriptor to the service object. To retrieve a copy of the security descriptor for a service object, call the QueryServiceObjectSecurity function. For a description of the default security descriptor for a service object, see Service Security.
Note that granting certain access to untrusted users (such as SERVICE_CHANGE_CONFIG or SERVICE_STOP) can allow them to interfere with the execution of your service, and possible allow them to run applications under the LocalSystem account.
Windows NT/2000: Requires Windows NT 3.1 or later.
Header: Declared in Winsvc.h; include Windows.h.
Library: Use Advapi32.lib.
Low-Level Access-Control Overview, Low-Level Access Control Functions, CreateService, OpenService, QueryServiceObjectSecurity, SECURITY_DESCRIPTOR