INFO: Access to the Service Control Manager

ID: Q179249

The information in this article applies to:

Microsoft Win32 Application Programming Interface (API), used with:
- Microsoft Windows NT versions 3.51, 4.0
- Microsoft Windows 2000

SUMMARY

Unlike other securable objects, the Security Descriptor for the Service Control Manager (SCM) cannot be modified. This means that the Discretionary Access Control List (DACL) associated with the SCM cannot be changed.

MORE INFORMATION

A Security Descriptor is associated with the SCM. The DACL associated with the SCM identifies the users and groups allowed or denied access to it. When attempting to obtain a handle to the SCM, Windows NT Security determines whether or not the process has the requested access. The OpenSCManager API is used to obtain a handle to the SCM. If the user is granted the requested access to the SCM, the system returns a valid handle. If the request is denied, the error code 5 is returned, or "Access is denied."

The DACL associated with the SCM is outlined in the following table:


     User or Group                Access granted
   -----------------------------------------------------------------
   - The Everyone Group           SC_MANAGER_CONNECT               -
   -                              GENERIC_READ                     -
   -----------------------------------------------------------------
   - LocalSystem                  SC_MANAGER_CONNECT               -
   -                              GENERIC_READ                     -
   -                              SC_MANAGER_MODIFY_BOOT_CONFIG    -
   -----------------------------------------------------------------
   - The Administrators Group     GENERIC_ALL                      -
   -----------------------------------------------------------------

The generic access rights for the Service Control Manager are outlined in the table below:


     GENERIC                      Specific Access
   -----------------------------------------------------------------
   - GENERIC_READ                 STANDARD_RIGHTS_READ             -
   -                              SC_MANAGER_ENUMERATE             -
   -                              SC_MANAGER_QUERY_LOCK_STATUS     -
   -----------------------------------------------------------------
   - GENERIC_WRITE                STANDARD_RIGHTS_WRITE            -
   -                              SC_MANAGER_CREATE_SERVICE        -
   -                              SC_MANAGER_MODIFY_BOOT_CONFIG    -
   -----------------------------------------------------------------
   - GENERIC_EXECUTE              STANDARD_RIGHTS_EXECUTE          -
   -                              SC_MANAGER_CONNECT               -
   -                              SC_MANAGER_LOCK                  -
   -----------------------------------------------------------------
   - GENERIC_ALL                  SC_MANAGER_ALL_ACCESS            -
   -----------------------------------------------------------------

Additional query words:

Keywords : kbAccCtrl kbAPI kbKernBase kbNTOS351 kbNTOS400 kbWinOS2000 kbSCM kbSecurity kbService kbDSupport kbGrpKernBase
Version : winnt:3.51,4.0
Platform : winnt
Issue type : kbinfo