
‘Allow service to interact with desktop’ option not available when configuring Windows service with an account other than Local System

Why is the option ‘Allow service to interact with desktop’ only available for the Local System account and not for any other account when configuring a Windows service from Control Panel? I want to configure the Windows service to allow interaction with the desktop irrespective of the account it is configured to run with. How can I achieve this?

Anand Patel asked May 13 '11 10:05



1 Answer

That is a good question! I have never seen an official explanation from Microsoft, but I would guess that the reason has to do with permissions and rights and not wanting to mislead users.

Not all users are created equal. Some do not have the rights to display a user interface on session 0, or interact fully with arbitrary programs (and resources) it is running alongside. Having those users able to show GUI elements from a service may lead to confusion. For example, if a user account having limited rights starts an instance of Windows Explorer as a service, that window may not be able to accept dropped files from a "regular" explorer started by the interactive user. This sort of thing may be very difficult to diagnose and explain!

Note that Windows can certainly do what you like and we code it all the time in our service applications (http://www.CoreTechnologies.com/). Windows is simply not making that option available to you for any arbitrary user.

Of course, please, please take a step back and beware of the changes in Vista. "Session 0 Isolation" is a game changer for interactive Windows Services!

CoreTech answered Nov 07 '22 13:11
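
The checkbox discussed in this thread is stored as the SERVICE_INTERACTIVE_PROCESS bit (0x100) in each service's `Type` registry value. As an added example (not code from the question or the answer), this PowerShell script lists the local services that have the bit set together with the account they run as; the helper name `Test-InteractiveFlag` and the two sample values are constructed for illustration.

```powershell
# Added example. SERVICE_INTERACTIVE_PROCESS (0x100) is the bit the
# "Allow service to interact with desktop" checkbox sets in a service's Type.
$SERVICE_INTERACTIVE_PROCESS = 0x100
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-InteractiveFlag {
    # Hypothetical helper name: true when the interactive bit is set.
    param([Parameter(Mandatory)][int]$Type)
    ($Type -band $SERVICE_INTERACTIVE_PROCESS) -ne 0
}

# Constructed sample values: 0x10 = own process, 0x110 = own process + interactive.
foreach ($sample in 0x10, 0x110) {
    '0x{0:X} -> interactive: {1}' -f $sample, (Test-InteractiveFlag -Type $sample)
}

# Read-only pass over the local service database.
$findings = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $type = $key.GetValue('Type')
    if ($type -isnot [int] -or -not (Test-InteractiveFlag -Type $type)) { continue }

    $account = [string]$key.GetValue('ObjectName')
    [pscustomobject]@{
        Service       = $key.PSChildName
        Type          = '0x{0:X}' -f $type
        Account       = $account
        IsLocalSystem = $account -match '^(\.\\)?LocalSystem$'
        ImagePath     = $key.GetValue('ImagePath')
    }
}

# Entries with IsLocalSystem = False deserve a closer look: the Services
# console does not offer the checkbox for those accounts.
$findings | Sort-Object IsLocalSystem, Service | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so every service key is readable; an empty table means no service on the machine carries the interactive flag.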