Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I check if current user has the right to restart a windows service?

Tags:

c#

permissions

windows-services

How do I check if the user has permission to start/stop a specific windows service, without actually stopping or starting it?

The question is not about granting the right to restart the service to the user (with subinacl.exe for example) : I want to check if the user is administrator or if he has already been granted the right to restart the service.

like image 916
olorin Avatar asked Feb 03 '12 08:02

olorin

1 Answers

I finally found a way, I'm answering my own question for future reference.

public static ServiceAccessFlags GetServiceAcces(ServiceController serviceController)
{
  WindowsIdentity winId = WindowsIdentity.GetCurrent(TokenAccessLevels.Duplicate | TokenAccessLevels.Query);
  return GetServiceAcces(serviceController, winId);
}

private static ServiceAccessFlags GetServiceAcces(ServiceController serviceController, WindowsIdentity windowsIdentity)
{
  // see http://www.pinvoke.net/default.aspx/advapi32/QueryServiceObjectSecurity.html?DelayRedirect=1If
  byte[] buffer = new byte[0];
  uint bufferSizeNeeded;
  bool ok = QueryServiceObjectSecurity(serviceController.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, 0, out bufferSizeNeeded);
  if (!ok)
  {
    int err = Marshal.GetLastWin32Error();
    if (err == 122) // ERROR_INSUFFICIENT_BUFFER
    {
      // expected; now we know bufsize
      buffer = new byte[bufferSizeNeeded];
      ok = QueryServiceObjectSecurity(serviceController.ServiceHandle, SecurityInfos.DiscretionaryAcl, buffer, bufferSizeNeeded, out bufferSizeNeeded);
    }
    else
    {
      throw new InvalidOperationException("error calling QueryServiceObjectSecurity() to get DACL for Service: error code=" + err);
    }
  }
  if (!ok)
    throw new InvalidOperationException("error calling QueryServiceObjectSecurity(2) to get DACL for Service: error code=" + Marshal.GetLastWin32Error());

  RawSecurityDescriptor rsd = new RawSecurityDescriptor(buffer, 0);
  RawAcl racl = rsd.DiscretionaryAcl;
  DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, racl);

  byte[] daclBuffer = new byte[dacl.BinaryLength];
  dacl.GetBinaryForm(daclBuffer, 0);

  SecurityIdentifier sid = windowsIdentity.User;
  byte[] sidBuffer = new byte[sid.BinaryLength];
  sid.GetBinaryForm(sidBuffer, 0);

  TRUSTEE t = new TRUSTEE();
  BuildTrusteeWithSid(ref t, sidBuffer);

  uint access = 0;
  uint hr = GetEffectiveRightsFromAcl(daclBuffer, ref t, ref access);

  ServiceAccessFlags serviceAccess = (ServiceAccessFlags)access;

  int i = Marshal.Release(t.ptstrName);

  return serviceAccess;
}

[DllImport("advapi32.dll")]
private static extern uint GetEffectiveRightsFromAcl(byte[] pacl, ref TRUSTEE pTrustee, ref uint pAccessRights);

private enum MULTIPLE_TRUSTEE_OPERATION
{
  NO_MULTIPLE_TRUSTEE,
  TRUSTEE_IS_IMPERSONATE
}

private enum TRUSTEE_FORM
{
  TRUSTEE_IS_SID,
  TRUSTEE_IS_NAME,
  TRUSTEE_BAD_FORM,
  TRUSTEE_IS_OBJECTS_AND_SID,
  TRUSTEE_IS_OBJECTS_AND_NAME
}

private enum TRUSTEE_TYPE
{
  TRUSTEE_IS_UNKNOWN,
  TRUSTEE_IS_USER,
  TRUSTEE_IS_GROUP,
  TRUSTEE_IS_DOMAIN,
  TRUSTEE_IS_ALIAS,
  TRUSTEE_IS_WELL_KNOWN_GROUP,
  TRUSTEE_IS_DELETED,
  TRUSTEE_IS_INVALID,
  TRUSTEE_IS_COMPUTER
}

private struct TRUSTEE
{
  public IntPtr pMultipleTrustee;
  public MULTIPLE_TRUSTEE_OPERATION MultipleTrusteeOperation;
  public TRUSTEE_FORM TrusteeForm;
  public TRUSTEE_TYPE TrusteeType;
  public IntPtr ptstrName;
}

[DllImport("advapi32.dll", SetLastError = true)]
private static extern void BuildTrusteeWithSid(
    ref TRUSTEE pTrustee,
    byte[] sid
);

[DllImport("advapi32.dll", SetLastError = true)]
static extern bool QueryServiceObjectSecurity(SafeHandle serviceHandle, System.Security.AccessControl.SecurityInfos secInfo, byte[] lpSecDesrBuf, uint bufSize, out uint bufSizeNeeded);

[System.FlagsAttribute]
public enum ServiceAccessFlags : uint
{
  QueryConfig = 1,
  ChangeConfig = 2,
  QueryStatus = 4,
  EnumerateDependents = 8,
  Start = 16,
  Stop = 32,
  PauseContinue = 64,
  Interrogate = 128,
  UserDefinedControl = 256,
  Delete = 65536,
  ReadControl = 131072,
  WriteDac = 262144,
  WriteOwner = 524288,
  Synchronize = 1048576,
  AccessSystemSecurity = 16777216,
  GenericAll = 268435456,
  GenericExecute = 536870912,
  GenericWrite = 1073741824,
  GenericRead = 2147483648
}
like image 176
olorin Avatar answered Oct 21 '22 19:10

olorin

Sign in to Comment

Related questions

TcpClient.EndConnect throws NullReferenceException when socket is closed
ASP.NET MVC3 bind to subclass
WPF datagrid with MVVM
Conditional statement, generic delegate unnecessary cast
Multiple aspects on one method
clr.sll!StrongNameSignatureVerification CPU consumption
OpenFileDialog is blocked by Norton Antivirus if project was generated by SharpDevelop
TFS: Find a moved file by the old name
How to hash a URL quickly
Visual Studio 2010 - Can't step through .NET Framework 4 source (PresentationCore.dll)
How to find out the closest possible combination of some given prime numbers to 10000?
How do I write generic tests for all implementations of an interface with MSpec?
XAML Button not garbage collected after eliminating references
C# Uri.EscapeDatastring() equivalent for Java
How to run setup (*.exe) file with out using MSI File?
How do I use Mono.WebBrowser?
Programmatically copying a CD, byte for byte
What would be considered the best way to architect sending email from a C# web application?
Why doesn't BasicHttpBinding need a Principal Name to use Kerberos Auth on IIS7?
Scaling out WCF, how to deal with callbacks?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!