INFO: Access to the Service Control Manager
ID: Q179249
|
The information in this article applies to:
-
Microsoft Win32 Application Programming Interface (API), used with:
-
Microsoft Windows NT versions 3.51, 4.0
-
Microsoft Windows 2000
SUMMARY
Unlike other securable objects, the Security Descriptor for the Service
Control Manager (SCM) cannot be modified. This means that the Discretionary
Access Control List (DACL) associated with the SCM cannot be changed.
MORE INFORMATION
A Security Descriptor is associated with the SCM. The DACL associated with
the SCM identifies the users and groups allowed or denied access to it.
When attempting to obtain a handle to the SCM, Windows NT Security
determines whether or not the process has the requested access. The
OpenSCManager API is used to obtain a handle to the SCM. If the user is
granted the requested access to the SCM, the system returns a valid handle.
If the request is denied, the error code 5 is returned, or "Access is
denied."
The DACL associated with the SCM is outlined in the following table:
User or Group Access granted
-----------------------------------------------------------------
- The Everyone Group SC_MANAGER_CONNECT -
- GENERIC_READ -
-----------------------------------------------------------------
- LocalSystem SC_MANAGER_CONNECT -
- GENERIC_READ -
- SC_MANAGER_MODIFY_BOOT_CONFIG -
-----------------------------------------------------------------
- The Administrators Group GENERIC_ALL -
-----------------------------------------------------------------
The generic access rights for the Service Control Manager are outlined in
the table below:
GENERIC Specific Access
-----------------------------------------------------------------
- GENERIC_READ STANDARD_RIGHTS_READ -
- SC_MANAGER_ENUMERATE -
- SC_MANAGER_QUERY_LOCK_STATUS -
-----------------------------------------------------------------
- GENERIC_WRITE STANDARD_RIGHTS_WRITE -
- SC_MANAGER_CREATE_SERVICE -
- SC_MANAGER_MODIFY_BOOT_CONFIG -
-----------------------------------------------------------------
- GENERIC_EXECUTE STANDARD_RIGHTS_EXECUTE -
- SC_MANAGER_CONNECT -
- SC_MANAGER_LOCK -
-----------------------------------------------------------------
- GENERIC_ALL SC_MANAGER_ALL_ACCESS -
-----------------------------------------------------------------
Additional query words:
Keywords : kbAccCtrl kbAPI kbKernBase kbNTOS351 kbNTOS400 kbWinOS2000 kbSCM kbSecurity kbService kbDSupport kbGrpKernBase
Version : winnt:3.51,4.0
Platform : winnt
Issue type : kbinfo