1

We have written a Windows Service that is planned to be deployed to many or all client Windows machines in a company. For technical reasons this service has to be run under the logged-in user (i.e. not under LocalSystem or any Service Account). Furthermore, it's a requirement that our software has to be deployed using an installer that requires no user interaction (e.g. silent mode is fully supported).

We now face the problem that we are unable to install our service without having the user provide their credentials.

My question now is: Is it possible somehow, either during the installation process or in a startup script of the end user, to have a service registered or started up without having to enter the user's credentials? If that is not possible (which I assume): Is it possible to start a process as a regular process and have it register itself as a service at startup, so it appears in the Services panel?

Any help or idea is appreciated.

wurzlsepp
  • Can we ask what the technical reasons are to run with user credentials? Do you need to access network resources? NetworkService and LocalSystem should be able to access the network using the machine account? (AD). Maybe have a quick look at ["(Managed) Service Accounts"](https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts) - essentially automatically managed accounts with automatic password intended to run services. I have not had time to test this in detail with real services to check for flaws and limitations. Check communities? – Stein Åsmul Dec 10 '20 at 04:21
  • [How to install a service under a Managed Service Account (Windows Server)](https://www.advancedinstaller.com/install-service-under-managed-service-account.html). – Stein Åsmul Dec 10 '20 at 04:26
  • @Asmul: The service needs to inspect and manipulate the user's certificate store. This cannot be done - in my opinion - using another account - be it a service account or LocalSystem. – wurzlsepp Dec 14 '20 at 19:02
  • Given the recent changes in Windows 10: [Interactive Services Detection Service Removed in Windows 10 (so no more Switching to Session 0)](https://www.coretechnologies.com/blog/windows-services/interactive-services-removed-windows-10/) I am not sure what is possible in terms of impersonating users from LocalSystem. Quite frankly I never looked into this back in the day either. For now I can offer this link: [Configuring services](https://stackoverflow.com/a/61903256/129130). I once considered scheduling tasks from a service to run with user credentials. – Stein Åsmul Dec 14 '20 at 19:08
  • Sorry for the very late response. Finally we changed the design and used a Windows Task that can be started with the privileges of the logged-in user. The whole idea of using a service to achieve that specific requirement is, in the context of Windows, conceptually bad, I think. – wurzlsepp Aug 25 '22 at 08:12
  • When to use a service and when to use a scheduled task is a very common judgement call. Here is a good piece on it: https://www.coretechnologies.com/WindowsServices/FAQ.html#ServiceVsTaskScheduler and [more on the same](https://stackoverflow.com/a/14191651/129130). – Stein Åsmul Aug 25 '22 at 12:16

0 Answers
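
The design the asker settled on in the comments (a task started with the privileges of the logged-in user), sketched as an added example that is not code from any participant in this thread. The executable path and task name are hypothetical; the script assumes it runs elevated from the silent installer, and it refuses to register the task if standard users can modify the binary or its folder, because the task executes that file in every user's session.

```powershell
# Added example: per-user logon task instead of a service. All names are hypothetical.
$ExePath  = 'C:\Program Files\ExampleVendor\CertAgent\CertAgent.exe'
$TaskName = 'ExampleVendor CertAgent'

if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) {
    throw "Agent binary not found: $ExePath"
}

# Compare ACL entries by SID, since account names are localized:
# Everyone, Authenticated Users, BUILTIN\Users.
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$writeMask   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

foreach ($path in $ExePath, (Split-Path -Path $ExePath -Parent)) {
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $weak = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in $lowPrivSids -and
        ([int]($_.FileSystemRights -band $writeMask)) -ne 0
    }
    if ($weak) {
        throw "Standard users can modify '$path'; fix the ACL before registering the task."
    }
}

# The action runs the agent inside the user's own session, so it sees that
# user's certificate store (Cert:\CurrentUser) without any stored password.
$action = New-ScheduledTaskAction -Execute $ExePath

# -AtLogOn without -User fires for whichever user logs on.
$trigger = New-ScheduledTaskTrigger -AtLogOn

# A group principal (BUILTIN\Users by SID) means "run as the interactive user";
# no credentials are collected or saved. Limited = no elevation.
$principal = New-ScheduledTaskPrincipal -GroupId 'S-1-5-32-545' -RunLevel Limited

# Long-running agent: no execution time limit, never start a second copy.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -ExecutionTimeLimit ([TimeSpan]::Zero) -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null
```

The agent will not appear in the Services panel; it shows up in Task Scheduler, and `Get-ScheduledTask -TaskName 'ExampleVendor CertAgent'` confirms the registration.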