INFO: Access to the Service Control Manager

Summary

Unlike other securable objects, the security descriptor for the Service Control Manager (SCM) cannot be modified. This means that the discretionary access control list (DACL) associated with the SCM cannot be changed.

More Information

A security descriptor is associated with the SCM. The DACL associated with the SCM identifies the users and groups allowed or denied access to it. When a process attempts to obtain a handle to the SCM, Windows NT Security determines whether or not the process has the requested access. The OpenSCManager API is used to obtain a handle to the SCM. If the user is granted the requested access to the SCM, the system returns a valid handle. If the request is denied, OpenSCManager returns NULL and the error code is 5, "Access is denied" (ERROR_ACCESS_DENIED).



The DACL associated with the SCM is outlined in the following table for Windows NT 3.51, Windows NT 4.0, and Windows 2000:

User or Group            Access granted
-----------------------------------------------------------------
Everyone                 SC_MANAGER_CONNECT
                         GENERIC_READ
-----------------------------------------------------------------
LocalSystem              SC_MANAGER_CONNECT
                         GENERIC_READ
                         SC_MANAGER_MODIFY_BOOT_CONFIG
-----------------------------------------------------------------
Administrators           GENERIC_ALL
-----------------------------------------------------------------

The DACL associated with the SCM is outlined in the following table for Windows XP:

User or Group            Access granted
-----------------------------------------------------------------
Authenticated Users      SC_MANAGER_CONNECT
                         GENERIC_READ
-----------------------------------------------------------------
LocalSystem              SC_MANAGER_CONNECT
                         GENERIC_READ
                         SC_MANAGER_MODIFY_BOOT_CONFIG
-----------------------------------------------------------------
Administrators           GENERIC_ALL
-----------------------------------------------------------------

The SCM DACL on Windows XP is explicitly tightened to prevent unauthenticated users from connecting to the SCM.


The generic access rights for the Service Control Manager are outlined in the table below:

GENERIC                  Specific Access
-----------------------------------------------------------------
GENERIC_READ             STANDARD_RIGHTS_READ
                         SC_MANAGER_ENUMERATE
                         SC_MANAGER_QUERY_LOCK_STATUS
-----------------------------------------------------------------
GENERIC_WRITE            STANDARD_RIGHTS_WRITE
                         SC_MANAGER_CREATE_SERVICE
                         SC_MANAGER_MODIFY_BOOT_CONFIG
-----------------------------------------------------------------
GENERIC_EXECUTE          STANDARD_RIGHTS_EXECUTE
                         SC_MANAGER_CONNECT
                         SC_MANAGER_LOCK
-----------------------------------------------------------------
GENERIC_ALL              SC_MANAGER_ALL_ACCESS
-----------------------------------------------------------------

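The following is an added example, not code from the original article: it expands generic rights using the mapping table above and checks a requested access mask against a single entry of the DACL tables, returning the error code an OpenSCManager call would end with. The function and ACE_* names are hypothetical, and the model assumes the caller matches exactly one DACL entry (a real token can match several).

```c
#include <stdint.h>
#include <stdio.h>

/* Values from winnt.h / winsvc.h, redefined so this builds without the Windows SDK. */
#define GENERIC_READ                  0x80000000u
#define GENERIC_WRITE                 0x40000000u
#define GENERIC_EXECUTE               0x20000000u
#define GENERIC_ALL                   0x10000000u
#define READ_CONTROL                  0x00020000u /* STANDARD_RIGHTS_READ/WRITE/EXECUTE */
#define SC_MANAGER_CONNECT            0x0001u
#define SC_MANAGER_CREATE_SERVICE     0x0002u
#define SC_MANAGER_ENUMERATE_SERVICE  0x0004u     /* listed as SC_MANAGER_ENUMERATE in the table */
#define SC_MANAGER_LOCK               0x0008u
#define SC_MANAGER_QUERY_LOCK_STATUS  0x0010u
#define SC_MANAGER_MODIFY_BOOT_CONFIG 0x0020u
#define SC_MANAGER_ALL_ACCESS         0x000F003Fu
#define ERROR_ACCESS_DENIED           5

/* Replace generic bits with the SCM-specific rights from the mapping table. */
uint32_t scm_map_generic(uint32_t m) {
    uint32_t out = m & 0x0FFFFFFFu; /* drop the four generic bits */
    if (m & GENERIC_READ)    out |= READ_CONTROL | SC_MANAGER_ENUMERATE_SERVICE | SC_MANAGER_QUERY_LOCK_STATUS;
    if (m & GENERIC_WRITE)   out |= READ_CONTROL | SC_MANAGER_CREATE_SERVICE | SC_MANAGER_MODIFY_BOOT_CONFIG;
    if (m & GENERIC_EXECUTE) out |= READ_CONTROL | SC_MANAGER_CONNECT | SC_MANAGER_LOCK;
    if (m & GENERIC_ALL)     out |= SC_MANAGER_ALL_ACCESS;
    return out;
}

/* Rights granted by each DACL entry, as listed in the tables above. */
#define ACE_USERS  (SC_MANAGER_CONNECT | GENERIC_READ) /* Everyone / Authenticated Users */
#define ACE_SYSTEM (SC_MANAGER_CONNECT | GENERIC_READ | SC_MANAGER_MODIFY_BOOT_CONFIG)
#define ACE_ADMINS GENERIC_ALL

/* Returns 0 if every requested right is granted by the entry,
   otherwise ERROR_ACCESS_DENIED (the case where OpenSCManager returns NULL). */
int scm_check(uint32_t ace_rights, uint32_t desired) {
    uint32_t granted = scm_map_generic(ace_rights);
    uint32_t wanted  = scm_map_generic(desired);
    return (wanted & ~granted) ? ERROR_ACCESS_DENIED : 0;
}

int main(void) {
    printf("users, connect+enumerate: %d\n", scm_check(ACE_USERS, SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE));
    printf("users, create service:    %d\n", scm_check(ACE_USERS, SC_MANAGER_CREATE_SERVICE));
    printf("admins, all access:       %d\n", scm_check(ACE_ADMINS, SC_MANAGER_ALL_ACCESS));
    return 0;
}
```

Because the SCM DACL is fixed, code that requests SC_MANAGER_ALL_ACCESS when it only needs to connect or enumerate fails with error 5 for non-administrators; requesting the narrowest mask avoids that.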
Properties

Article ID: 179249 - Last revision: 11/21/2006 - Revision: 1