Start / Stop a Windows Service from a non-Administrator user account

Problem description

I have a WindowsService named, say, BST. And I need to give a non-Administrator user, UserA, the permissions to Start/Stop this particular service. My service runs on a variety of Windows OS, starting from Windows Server 2003 to Windows 7.

How do I do it?

I Googled and found some stuff about giving permissions using the command [sc sdset], but I am not exactly sure about the parameters. I do not want to set the permissions for a group, but ONLY to a particular user, UserA in this case.

Recommended answer

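Below I have compiled everything I have learned about starting/stopping a Windows service from a non-Administrator user account, in case anyone needs to know.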

Primarily, there are two ways in which to Start / Stop a Windows Service:

1. Directly accessing the service through logon Windows user account.
2. Accessing the service through IIS using Network Service account.

Command line command to start / stop services:

C:/> net start <SERVICE_NAME>
C:/> net stop <SERVICE_NAME>

C# Code to start / stop services:

// Requires a reference to the System.ServiceProcess assembly
using System;
using System.ServiceProcess;

ServiceController service = new ServiceController(SERVICE_NAME);

// Use one block or the other: run in sequence, they start the service and then stop it again.

//Start the service
if (service.Status == ServiceControllerStatus.Stopped)
{
    service.Start();
    service.WaitForStatus(ServiceControllerStatus.Running, TimeSpan.FromSeconds(10.0));
}

//Stop the service
if (service.Status == ServiceControllerStatus.Running)
{
    service.Stop();
    service.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(10.0));
}

Note 1: When accessing the service through IIS, create a Visual Studio C# ASP.NET Web Application and put the code in there. Deploy the WebService to IIS Root Folder (C:\inetpub\wwwroot\) and you're good to go. Access it by the url http:///.

1. Direct Access Method

If the Windows User Account from which either you give the command or run the code is a non-Admin account, then you need to set the privileges to that particular user account so it has the ability to start and stop Windows Services. This is how you do it. Login to an Administrator account on the computer which has the non-Admin account from which you want to Start/Stop the service. Open up the command prompt and give the following command:

C:/>sc sdshow <SERVICE_NAME>

The output of this will be something like this:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

It lists all the permissions each User / Group on this computer has with regards to .

A description of one part of above command is as follows:

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)

It has the default owner, default group, and it has the Security descriptor control flags (A;;CCLCSWRPWPDTLOCRRC;;;SY):

ace_type - "A": ACCESS_ALLOWED_ACE_TYPE,
ace_flags - n/a,
rights - CCLCSWRPWPDTLOCRRC,  please refer to the Access Rights and Access Masks and Directory Services Access Rights
CC: ADS_RIGHT_DS_CREATE_CHILD - Create a child DS object.
LC: ADS_RIGHT_ACTRL_DS_LIST - Enumerate a DS object.
SW: ADS_RIGHT_DS_SELF - Access allowed only after validated rights checks supported by the object are performed. This flag can be used alone to perform all validated rights checks of the object or it can be combined with an identifier of a specific validated right to perform only that check.
RP: ADS_RIGHT_DS_READ_PROP - Read the properties of a DS object.
WP: ADS_RIGHT_DS_WRITE_PROP - Write properties for a DS object.
DT: ADS_RIGHT_DS_DELETE_TREE - Delete a tree of DS objects.
LO: ADS_RIGHT_DS_LIST_OBJECT - List a tree of DS objects.
CR: ADS_RIGHT_DS_CONTROL_ACCESS - Access allowed only after extended rights checks supported by the object are performed. This flag can be used alone to perform all extended rights checks on the object or it can be combined with an identifier of a specific extended right to perform only that check.
RC: READ_CONTROL - The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). (This is a Standard Access Right, please read more http://msdn.microsoft.com/en-us/library/aa379607(VS.85).aspx)
object_guid - n/a,
inherit_object_guid - n/a,
account_sid - "SY": Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID.

Now what we need to do is to set the appropriate permissions to Start/Stop Windows Services to the groups or users we want. In this case we need the current non-Admin user to be able to Start/Stop the service, so we are going to set the permissions to that user. To do that, we need the SID of that particular Windows User Account. To obtain it, open up the Registry (Start > regedit) and locate the following registry key.

LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Under that there is a separate Key for each and every user account in this computer, and the key name is the SID of each account. SIDs are usually of the format S-1-5-21-2103278432-2794320136-1883075150-1000. Click on each Key, and you will see on the pane to the right a list of values for each Key. Locate "ProfileImagePath", and by its value you can find the User Name that SID belongs to. For instance, if the user name of the account is SACH, then the value of "ProfileImagePath" will be something like "C:\Users\Sach". So note down the SID of the user account you want to set the permissions to.

Note 2: Here is a simple C# code sample which can be used to obtain a list of said Keys and their values.

using System.IO;
using Microsoft.Win32;

//LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList RegistryKey
string keyName = @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList";
RegistryKey profileList = Registry.LocalMachine.OpenSubKey(keyName);

//Get a list of SID corresponding to each account on the computer
string[] sidList = profileList.GetSubKeyNames();

foreach (string sid in sidList)
{
    //Based on above names, get 'Registry Keys' corresponding to each SID
    RegistryKey profile = Registry.LocalMachine.OpenSubKey(Path.Combine(keyName, sid));

    //SID
    string strSID = sid;
    //Profile path (e.g. C:\Users\Sach), which identifies the user the SID belongs to
    string strUserName = (string)profile.GetValue("ProfileImagePath");
}

Now that we have the SID of the user account we want to set the permissions to, let's get down to it. Let's assume the SID of the user account is S-1-5-21-2103278432-2794320136-1883075150-1000. Copy the output of the [sc sdshow ] command to a text editor. It will look like this:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Now, copy the (A;;CCLCSWRPWPDTLOCRRC;;;SY) part of the above text, and paste it just before the S:(AU;... part of the text. Then change that part to look like this: (A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)

Then add sc sdset at the front, and enclose the above part with quotes. Your final command should look something like the following:

sc sdset <SERVICE_NAME> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Now execute this in your command prompt, and it should give the output as follows if successful:

[SC] SetServiceObjectSecurity SUCCESS

Now we're good to go! Your non-Admin user account has been granted permissions to Start/Stop your service! Try logging in to the user account and Start/Stop the service and it should let you do that.

2. Access through IIS Method

In this case, we need to grant the permission to the IIS user "Network Services" instead of the logon Windows user account. The procedure is the same, only the parameters of the command will be changed. Since we set the permission to "Network Services", replace SID with the string "NS" in the final sdset command we used previously. The final command should look something like this:

sc sdset <SERVICE_NAME> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Execute it in the command prompt from an Admin user account, and voila! You have the permission to Start / Stop the service from any user account (irrespective of whether it is an Admin account or not) using a WebMethod. Refer to Note1 to find out how to do so.
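
An added example, not part of the original answer: a Python helper that performs the text-editor step programmatically (inserting the new ACE at the end of the DACL, just before `S:`) and decodes each ACE so the result can be reviewed before running `sc sdset`. It decodes the two-letter codes with their meaning on a service object (RP is SERVICE_START, WP is SERVICE_STOP, CR is SERVICE_USER_DEFINED_CONTROL); the function names are hypothetical, and the sample SDDL and SID are the ones quoted in the answer.

```python
import re

# Service meaning of the two-letter SDDL rights (the codes are shared with
# directory objects, but on a service object they map to these access rights).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let the holder reconfigure, re-ACL, take over or delete the service.
DANGEROUS = {"DC", "WD", "WO", "SD"}
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")

def split_sddl(sddl):
    """Split 'D:...S:...' into (dacl, sacl); sacl is '' when there is none."""
    cut = sddl.find(")S:")
    return (sddl, "") if cut < 0 else (sddl[:cut + 1], sddl[cut + 1:])

def decode_dacl(sddl):
    """Return [(ace_type, trustee, [right names])] for every ACE in the DACL."""
    dacl, _ = split_sddl(sddl)
    out = []
    for ace_type, _flags, rights, _og, _iog, trustee in ACE_RE.findall(dacl):
        codes = re.findall("..", rights)
        out.append((ace_type, trustee, [SERVICE_RIGHTS.get(c, c) for c in codes]))
    return out

def grant(sddl, trustee, rights="RPWPCR"):
    """Append an allow ACE for trustee at the end of the DACL, before S:."""
    codes = set(re.findall("..", rights))
    if len(rights) % 2 or not codes <= set(SERVICE_RIGHTS):
        raise ValueError("unknown rights string: " + rights)
    if codes & DANGEROUS:
        raise ValueError("refusing to grant " + ",".join(sorted(codes & DANGEROUS)))
    if not re.fullmatch(r"S-1-\d+(-\d+)+|[A-Z]{2}", trustee):
        raise ValueError("trustee must be a SID or a two-letter SDDL alias")
    dacl, sacl = split_sddl(sddl)
    return f"{dacl}(A;;{rights};;;{trustee}){sacl}"

# The sc sdshow output and the example SID quoted in the answer.
CURRENT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
           "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
USER_SID = "S-1-5-21-2103278432-2794320136-1883075150-1000"

if __name__ == "__main__":
    print(f'sc sdset <SERVICE_NAME> "{grant(CURRENT, USER_SID)}"')
```

Running `decode_dacl` on the output of `sc sdshow` after the change confirms that the new ACE carries only the start, stop and user-defined-control rights.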
