Platform SDK: Access Control

SetServiceObjectSecurity

The SetServiceObjectSecurity function sets the security descriptor of a service object.

Windows NT 4.0 and later: You can use the SetNamedSecurityInfo function.

BOOL SetServiceObjectSecurity(
  SC_HANDLE hService,                         // handle to service
  SECURITY_INFORMATION dwSecurityInformation, // components
  PSECURITY_DESCRIPTOR lpSecurityDescriptor   // SD
);

Parameters

hService
[in] Handle to the service. This handle is returned by the OpenService or CreateService function. The access required for this handle depends on the security information specified in the dwSecurityInformation parameter.
dwSecurityInformation
[in] Specifies the components of the security descriptor to set. This parameter can be a combination of the following values.
Value Meaning
DACL_SECURITY_INFORMATION Sets the object's discretionary access control list (DACL). The hService handle must have WRITE_DAC access, or the calling process must be the object's owner.
GROUP_SECURITY_INFORMATION Sets the object's primary group SID. The hService handle must have WRITE_OWNER access, or the calling process must be the object's owner.
OWNER_SECURITY_INFORMATION Sets the object's owner security identifier (SID). The hService handle must have WRITE_OWNER access, or the calling process must be the object's owner or have the SE_TAKE_OWNERSHIP_NAME privilege enabled.
SACL_SECURITY_INFORMATION Sets the object's system access control list (SACL). The hService handle must have ACCESS_SYSTEM_SECURITY access. The proper way to obtain this access is to enable the SE_SECURITY_NAME privilege in the caller's current access token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege.

lpSecurityDescriptor
[in] Pointer to a SECURITY_DESCRIPTOR structure containing the new security information.

Return Values

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

Errors

The following error codes can be set by the service control manager. Other error codes can be set by the registry functions that are called by the service control manager.

Value Meaning
ERROR_ACCESS_DENIED The specified handle was not opened with the required access, or the calling process is not the owner of the object.
ERROR_INVALID_HANDLE The specified handle is invalid.
ERROR_INVALID_PARAMETER The specified security information or security descriptor is invalid.
ERROR_SERVICE_MARKED_FOR_DELETE The specified service has been marked for deletion.

Remarks

The SetServiceObjectSecurity function sets the specified portions of the service object's security descriptor, based on the information specified in the lpSecurityDescriptor buffer. This function replaces any or all of the security information associated with the service object, according to the flags set in the dwSecurityInformation parameter and subject to the calling process's access rights.

When a service is created, the service control manager assigns a default security descriptor to the service object. To retrieve a copy of the security descriptor for a service object, call the QueryServiceObjectSecurity function. For a description of the default security descriptor for a service object, see Service Security.

Note that granting certain access to untrusted users (such as SERVICE_CHANGE_CONFIG or SERVICE_STOP) can allow them to interfere with the execution of your service, and possible allow them to run applications under the LocalSystem account.

Requirements

  Windows NT/2000: Requires Windows NT 3.1 or later.
  Header: Declared in Winsvc.h; include Windows.h.
  Library: Use Advapi32.lib.

See Also

Low-Level Access-Control Overview, Low-Level Access Control Functions, CreateService, OpenService, QueryServiceObjectSecurity, SECURITY_DESCRIPTOR