检查Windows服务的状态 - 有什么特权，我需要 [英] Check Windows services status - what privilege do I need

问题描述

我要检查像这样在不同的远程服务器上的某些Windows服务的状态：

I want to check some Windows services status on different remote servers like this:

ServiceController sc =  new ServiceController("MyWindowsService", "COMPUTER_NAME");

var status = sc.Status

但我不（与不能）有那些服务器的管理员权限。

But I don't (and can't) have Administrator privileges on those servers.

什么权利我应该要求检查状态？

What right should I be asking for to check the status ?

• 我不想能够重新启动他们要么，我需要只读访问，


• 该应用程序不在同一台机器上运行。

推荐答案

非管理员用户可以连接到服务控制管理器远程，只要具备了从网络访问这台计算机用户权限。默认情况下此权限被授予给所有用户。

Non-admin users can connect to the Service Control Manager remotely, provided they have the "Access this computer from the network" user right. By default this right is granted to all users.

访问个别服务是通过在每个服务的ACL控制。你必须已经知道服务的名字，因为一个非管理员用户无法远程枚举服务

Access to individual services is controlled by the ACL on each service. You must already know the service name, because a non-admin user cannot enumerate services remotely.

有关服务的默认安全描述符如下：

The default security descriptor for a service is as follows:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

您可以使用 SC附带使用sdshow 命令确定服务的安全描述符。字符串格式安全性说明在MSDN上描述符定义语言。

You can determine the security descriptor for a service using the sc sdshow command. The string format is described in Security Descriptor Definition Language on MSDN.

好吧，让我们拓展出安全描述符字符串。这是一个有点棘手，因为SDDL权限和等效安全管理权限之间的映射不会出现在MSDN或SDK头有据可查;幸运的是，马丁·韦恩已经为我们做了繁重的任务，并张贴在博客条目的服务控制管理器的安全性非管理员的。

OK, let's expand out that security descriptor string. This is a bit tricky because the mapping between the SDDL permissions and equivalent security manager permissions does not appear to be well documented in MSDN or in the SDK headers; luckily, Wayne Martin has already done the heavy lifting for us and posted the results in the blog entry Service Control Manager Security for non-admins.

D: - this part is the DACL, the permissions on the service.

由于所有的条目是允许条目顺序并不显著;我会列出他们从最低到最高特权的便利

Since all the entries are allow entries, the order isn't significant; I'll list them from least to most privilege for convenience.

(A;;CCLCSWLOCRRC;;;IU) - allow the interactive user the following rights:
  CC - SERVICE_QUERY_CONFIG (the right to query the service configuration)
  LC - SERVICE_QUERY_STATUS (the right to query the service status)
  SW - SERVICE_ENUMERATE_DEPENDENTS (the right to see service dependencies)
  LO - SERVICE_INTERROGATE (the right to send SERVICE_CONTROL_INTERROGATE)
  CR - SERVICE_USER_DEFINED_CONTROL (the right to send a user defined control)
  RC - READ_CONTROL (the right to see the permissions)
(A;;CCLCSWLOCRRC;;;SU) - allow services the following rights:
   same as for the interactive user
(A;;CCLCSWRPWPDTLOCRRC;;;SY) - allow local system the following rights:
   same as for the interactive user, plus:       
   RP - SERVICE_START (the right to start the service)
   WP - SERVICE_STOP (the right to stop the service)
   DT - SERVICE_PAUSE_CONTINUE (the right to send pause and continue requests)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA) - allow the Administrators group:
   same as for local system, plus:
   DC - SERVICE_CHANGE_CONFIG (the right to reconfigure the service)
   SD - DELETE (the right to delete the service)
   WD - WRITE_DAC (permission to change the permissions)
   WO - WRITE_OWNER (permission to take ownership)

安全描述符字符串（取值:(第二部分.. 。））是SACL，它控制哪些审计已经完成。我们此刻不感兴趣。

The second part of the security descriptor string (S:(...)) is the SACL, which controls what auditing is done. We're not interested in that at the moment.

您会注意到，有没有允许的权限适用于非管理远程用户。为了给特定用户远程访问，添加允许ACE具有相同权限的交互式用户的用户。

You will notice that there are no allow permissions applicable to non-administrative remote users. To give remote access to a particular user, add an allow ACE for that user with the same permissions as the interactive user.

如果这是你自己的服务，您可以更改该权限时使用的 SetServiceObjectSecurity 功能。你也可以使用此功能来改变现有服务的权限，写一个程序。

If this is your own service, you can change the permissions when the service is installed using the SetServiceObjectSecurity function. You could also write a program using this function to change the permissions on an existing service.

另外，你可以使用 SC sdset 在命令行设置的权限基于一个SDDL字符串现有的服务。你首先需要查找该用户的SID串;在一个域中，可以使用Active Directory用户和计算机做到这一点。该SID字符串可以通过属性编辑器选项卡中可以看出，在属性的objectSID。 （可惜你不能复制和粘贴的方式。为查找用户的SID更方便的方法的建议是欢迎的。）

Alternatively, you can use sc sdset at the command line to set the permissions for an existing service based on a SDDL string. You will first need to look up the SID string for the user; in a domain, you can do this using Active Directory Users and Computers. The SID string can be seen via the Attribute Editor tab, in the objectSid attribute. (Unfortunately you can't copy and paste that way. Suggestions for more convenient methods of looking up a user's SID are welcomed.)

如果该SID字符串均 S-1-5-21-131085535662-8349591032-725385543-5981 ，例如，在命令行是

If the SID string were S-1-5-21-131085535662-8349591032-725385543-5981, for example, the command line would be

sc sdset myservice D:(A;;CCLCSWLOCRRC;;;S-1-5-21-131085535662-8349591032-725385543-5981)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

（你并不需要指定SACL;如果存在，则现有的SACL将被保留）

(You do not need to specify the SACL; if absent, the existing SACL will be retained.)

这篇关于检查Windows服务的状态 - 有什么特权，我需要的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！