Windows XPE service install - how do I set security at CreateService time?
I'm using CreateService to install a Windows service on Windows XPE. I'd like to set things up so that only the Administrator can start/stop/pause/resume the service.
Right now I'm using the following to install the service:
    schService = CreateService(schSCManager,
                               ServiceName,
                               ServiceDisplayName,        // service name to display
                               SERVICE_ALL_ACCESS,        // desired access
                               SERVICE_WIN32_OWN_PROCESS, // service type
                               SERVICE_AUTO_START,        // start type
                               SERVICE_ERROR_NORMAL,      // error control type
                               binaryPathName,            // service's binary (this program)
                               NULL,                      // no load ordering group
                               NULL,                      // no tag identifier
                               NULL,                      // no dependencies
                               NULL,                      // LocalSystem account
                               NULL);                     // no password
And the service ends up with security such that members of the PowerUsers group can start and stop the service. I've figured out that I can use sc sdshow to examine the security descriptor, and I've worked out an SDDL line that would do the right thing for us.
I've also learned that our Win XPE install doesn't have the sc.exe binary on it, so we can't really use that to set up this particular system.
So, what I need to know is: What are the APIs I need to use, to set the security descriptor on this service around the time I do the CreateService call. I'm completely unfamiliar with the Windows security APIs, so I just don't know where to start.
UPDATE: The answer is SetServiceObjectSecurity (below). Next question: What's the best way to set up the SecurityDescriptor? Is it best to get the default descriptor, then modify it? Or should I just create a completely new descriptor?
Comments (1)
I'm not really familiar with Windows XP Embedded, but normally you would achieve what you are after using the SetServiceObjectSecurity function. Use the handle you get from CreateService and build a security descriptor that matches what you want.
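An added example, not code from the question or the answer: it checks that an SDDL string (the form `sc sdshow` prints) gives no common non-administrator alias the start, stop or pause/continue rights, and on Windows applies it to the handle returned by CreateService with SetServiceObjectSecurity. The function names and both SDDL strings are constructed for illustration, and the parser assumes rights written as two-letter codes (RP = start, WP = stop, DT = pause/continue).

```c
#include <string.h>

/* Constructed sample DACLs (not the asker's): Power Users (PU) with and without control rights. */
static const char SDDL_BEFORE[] = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)";
static const char SDDL_AFTER[]  = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;PU)";

/* Returns 1 if an allow ACE in the DACL grants `right` (two-letter code) to `trustee`, else 0. */
int sddl_allows(const char *sddl, const char *trustee, const char *right)
{
    const char *f[6], *q, *end, *p = strstr(sddl, "D:");
    size_t n[6], k;
    for (p = p ? strchr(p, '(') : NULL; p && *p == '('; p = end + 1) {
        int i = 0;
        if (!(end = strchr(p, ')'))) return 0;            /* malformed ACE */
        for (f[0] = q = p + 1; q <= end && i < 6; q++)    /* split type;flags;rights;;;sid */
            if (*q == ';' || q == end) { n[i] = (size_t)(q - f[i]); if (++i < 6) f[i] = q + 1; }
        if (i == 6 && n[0] == 1 && *f[0] == 'A' &&        /* allow ACEs only */
            n[5] == strlen(trustee) && !strncmp(f[5], trustee, n[5]))
            for (k = 0; k + 1 < n[2]; k += 2)             /* rights are aligned pairs */
                if (!strncmp(f[2] + k, right, 2)) return 1;
    }
    return 0;
}

/* 1 when none of the listed aliases can start, stop or pause/continue (list is an assumption). */
int control_is_admin_only(const char *sddl)
{
    static const char *who[] = { "PU", "BU", "AU", "IU", "WD" };
    for (int i = 0; i < 5; i++)
        if (sddl_allows(sddl, who[i], "RP") || sddl_allows(sddl, who[i], "WP") ||
            sddl_allows(sddl, who[i], "DT")) return 0;
    return 1;
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
/* Replace the DACL on the CreateService handle; SERVICE_ALL_ACCESS includes WRITE_DAC. */
BOOL set_service_dacl(SC_HANDLE svc, const char *sddl)
{
    PSECURITY_DESCRIPTOR sd = NULL;
    BOOL ok = control_is_admin_only(sddl) &&
        ConvertStringSecurityDescriptorToSecurityDescriptorA(sddl, SDDL_REVISION_1, &sd, NULL) &&
        SetServiceObjectSecurity(svc, DACL_SECURITY_INFORMATION, sd);
    LocalFree(sd);                                        /* NULL is ignored */
    return ok;
}
#endif
int main(void) { return control_is_admin_only(SDDL_AFTER) ? 0 : 1; }
```

On Windows, link with advapi32 and call `set_service_dacl(schService, SDDL_AFTER)` right after CreateService succeeds.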