Set User permissions on a service

Sometimes a normal user needs the ability to perform some operations on a service, such as starting or stopping it, and there are multiple ways to grant those permissions. Windows ships no GUI and no easy-to-use command line tool to set these access rights (sc.exe sdshow and sc.exe sdset exist, but they operate on raw SDDL strings). I will explain one way to do so.

  • Sysinternals Process Explorer

What Are Services Exactly?

Windows services are a special type of application that is configured to launch and run in the background, in some cases before the user has even logged in. They can be configured to run as the local system account. Services are designed to run continuously in the background and perform system tasks.

The Services Panel

Windows has always used the Services panel as a way to manage the services that are running on your computer. You can easily get there at any point by simply hitting WIN + R on your keyboard to open the Run dialog, and typing in services.msc.

  • Windows + R
  • services.msc

While you can select a service and either right-click it or click the toolbar buttons to start, stop, or restart it, you can also double-click to open up the properties view and get more information.

General Tab

  • Service Name: internal name of the service (the name you pass to sc and net commands)
  • Display Name: how the service is shown in the Services panel
  • Description: short description of the service
  • Path to executable: shows the application path and the arguments it is started with
  • Startup type (Manual, Disabled, Automatic, Automatic [Delayed Start]): click Apply if you wish to deploy the change
  • Service Status: from here you can Start, Stop, Pause or Resume the selected service.

One rule we like to follow is to avoid disabling services, since that can cause problems and errors in anything that depends on them. Instead, try setting the service to Manual start.

Log On tab

The Log On tab allows you to choose whether the service is logged on as the local system account or under another account.

Note: You might notice the option “Allow service to interact with desktop”. By default services are not allowed to access your desktop unless this box is checked, and the checkbox is really only there for legacy support.

Just checking that box doesn’t immediately give them access: you would also need to make sure that the NoInteractiveServices value in the registry is set to 0, because when it is set to 1 the checkbox is ignored and services can’t interact with the desktop at all. Note: on Windows 10 the value defaults to 1, and since version 1803 the Interactive Services Detection service has been removed, so interactive services are effectively prohibited.

  • Windows + R
  • regedit
  • Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows
  • NoInteractiveServices

Note: Services aren’t supposed to be interactive because all windows on a desktop live in the same window station, share resources such as the clipboard, and can send each other window messages. If a service had a window on the user’s desktop, a malicious application running in a normal user’s process could send it messages to gain more access (the classic “shatter attack”), and since many services run as the local system account, that is a straight privilege escalation. This is why, since Windows Vista, services run in the isolated Session 0 while users log on to Session 1 and above.

Recovery Tab

The Recovery tab allows you to choose options for what happens when the service fails, you can:

  • Take No Action
  • Restart the Service
  • Run a Program
  • Restart the Computer

Dependencies tab

The Dependencies tab shows which services the one you are looking at depends on (upper list), and which services depend on it (lower list). If you are planning on disabling a service, consult this tab first to make sure nothing else requires it.
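The same information the four tabs show can be read from PowerShell, which is handy when you need to review many services or a remote one. This is an added example, not code from the original page; the service name passed at the bottom (Spooler) is an assumption and any installed service name works.

```powershell
# Added example: the General, Log On, Recovery and Dependencies tabs from PowerShell.
function Get-ServiceDetails {
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction Stop
    # Win32_Service carries what the General and Log On tabs show
    $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    $path = $wmi.PathName

    # Heuristic check worth running before trusting a LocalSystem service: an unquoted
    # path with spaces before the .exe is parsed ambiguously by the service control manager.
    $unquoted = ($path -notmatch '^"') -and (($path -replace '(?i)\.exe.*$', '.exe') -match ' ')

    [pscustomobject]@{
        ServiceName            = $svc.Name                 # General: Service Name
        DisplayName            = $svc.DisplayName          # General: Display Name
        PathName               = $path                     # General: Path to executable (with arguments)
        StartMode              = $wmi.StartMode            # General: Startup type
        State                  = $wmi.State                # General: Service status
        LogOnAs                = $wmi.StartName            # Log On: LocalSystem, NT AUTHORITY\..., or a user
        Interactive            = $wmi.DesktopInteract      # Log On: "Allow service to interact with desktop"
        FailureActions         = (sc.exe qfailure $Name | Out-String).Trim()   # Recovery tab
        DependsOn              = @($svc.ServicesDependedOn | Select-Object -ExpandProperty Name)  # Dependencies, upper list
        DependentServices      = @($svc.DependentServices  | Select-Object -ExpandProperty Name)  # Dependencies, lower list
        UnquotedPathWithSpaces = $unquoted
    }
}

# Assumed service name; replace with the one you are reviewing
Get-ServiceDetails -Name 'Spooler' | Format-List
```

DependentServices is the list to check before setting a service to Disabled or Manual: anything in it will fail to start once its dependency is gone.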

Sysinternals

1. Download the Sysinternals Process Explorer utility from the Microsoft website (https://docs.microsoft.com/en-us/sysinternals/downloads/)

2. Unzip the downloaded file, then run the Process Explorer application (procexp.exe, or procexp64.exe on 64-bit Windows) as administrator

3. Double-click the process that hosts the service you want to allow regular users to manipulate

Note: In our case openvpnserv.exe

4. Go to the Services tab and click Permissions

5. Click Add, select the users or groups you want to permit (in my case I will add user1), then click OK

6. Select the entry that was added and tick the permissions you want to grant (Start and Stop at minimum), then click OK

7. (OPTIONAL) You can click Advanced and “Show advanced permissions” to modify more fine-grained permissions

8. Notice that before access was granted, trying to stop or start the service as user1 returned “Access is denied”:

  • sc stop openvpnserviceinteractive

9. After these steps user1 can stop and start the service:

  • sc stop openvpnserviceinteractive
  • sc start openvpnserviceinteractive
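The Process Explorer dialog edits the service’s security descriptor, which is exactly what the built-in sc.exe sdshow and sc.exe sdset commands read and write. The following is an added example, not code from the page, that does the same grant from an elevated PowerShell prompt and lets .NET edit the SDDL so nobody has to write it by hand; the service and account names at the bottom are assumptions taken from the lab above.

```powershell
# Added example: grant start/stop on a service with sc.exe sdshow/sdset instead of Process Explorer.
function Grant-ServiceStartStop {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Account        # 'user1' or 'DOMAIN\group'
    )
    # Service-specific rights from winsvc.h: what "Start"/"Stop" in the Process Explorer
    # dialog boil down to, plus the query rights that sc/Get-Service need
    $SERVICE_QUERY_CONFIG = 0x0001
    $SERVICE_QUERY_STATUS = 0x0004
    $SERVICE_START        = 0x0010
    $SERVICE_STOP         = 0x0020
    $READ_CONTROL         = 0x00020000
    $mask = $SERVICE_QUERY_CONFIG -bor $SERVICE_QUERY_STATUS -bor $SERVICE_START -bor $SERVICE_STOP -bor $READ_CONTROL

    # 1. Resolve the name to a SID; the ACE stores the SID, not the name
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])

    # 2. Read the current descriptor (sc prints an empty line, then the SDDL string)
    $sddl = sc.exe sdshow $ServiceName | Where-Object { $_ -match '^[DOSG]:' } | Select-Object -First 1
    if (-not $sddl) { throw "sc sdshow $ServiceName failed (exit $LASTEXITCODE); are you running elevated?" }
    $sddl = $sddl.Trim()

    # 3. CommonSecurityDescriptor keeps the DACL canonical (deny ACEs before allow ACEs).
    #    AddAccess throws if the existing DACL is not canonical, which means someone already
    #    edited it by hand; review it before changing anything.
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $sddl)
    $sd.DiscretionaryAcl.AddAccess(
        [System.Security.AccessControl.AccessControlType]::Allow, $sid, $mask,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None)

    # 4. sdset replaces the whole descriptor, so write DACL and SACL back together
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    sc.exe sdset $ServiceName $newSddl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }

    # 5. Return before/after, plus a readable DACL, so the change can be reviewed
    [pscustomobject]@{
        Service = $ServiceName
        Before  = $sddl
        After   = $newSddl
        Dacl    = (ConvertFrom-SddlString -Sddl $newSddl).DiscretionaryAcl
    }
}

# Assumed names from the lab above; afterwards, as user1:
#   sc stop OpenVPNServiceInteractive ; sc start OpenVPNServiceInteractive
Grant-ServiceStartStop -ServiceName 'OpenVPNServiceInteractive' -Account 'user1'
```

Keep the Before string: sc.exe sdset has no undo, so the old SDDL is the only way to roll the change back.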

How to add/remove/modify Windows Users and Groups

This guide provides a high-level view of local user and group management in Windows.

Users in windows

A user account is a collection of settings used by Windows to identify you and apply your preferences. It also controls which files and folders you can access, the tasks you are allowed to perform, and the devices and resources you are allowed to use. User accounts are also the only way of authenticating to, and receiving authorization to use, your Windows device.

Any user account has the following characteristics:

  • the username or account name
  • a unique identifier
  • the password
  • a user account picture
  • the user type
  • the user group

For each user account, Windows also generates a unique Security Identifier (SID) that is not displayed in the user interface but is used internally, for storing your settings and in every access control list. A SID is a unique value of variable length and looks like this: S-1-5-21-1180699209-877415012-3182924384-500 (the three long numbers identify the machine or domain, and the trailing 500 is the well-known RID of the built-in Administrator account, which stays 500 even if the account is renamed).

SID meanings

S-1-5-32-544

In this example, the SID has the following components. The constants in parentheses are well-known identifier authority and RID values defined in Winnt.h:

  • A revision level of 1
  • An identifier-authority value of 5 (SECURITY_NT_AUTHORITY)
  • A first subauthority value of 32 (SECURITY_BUILTIN_DOMAIN_RID)
  • A second subauthority value of 544 (DOMAIN_ALIAS_RID_ADMINS)

https://docs.microsoft.com/es-es/windows/win32/secauthz/well-known-sids
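As an added example (not part of the original page), the function below splits a SID string into the fields listed above, labels the well-known identifier-authority and RID values it recognises, and asks the local security authority which account the SID maps to. The tables only contain constants I am certain of; anything else is reported numerically. The SIDs passed in at the bottom are the two from the text plus the current user’s own.

```powershell
# Added example: decode a SID string and resolve it to an account name.
function ConvertFrom-Sid {
    param([Parameter(Mandatory)][string]$Sid)

    # S-<revision>-<identifier authority>-<subauthority>[-<subauthority>...]
    if ($Sid -notmatch '^S-(\d+)-(\d+)((?:-\d+)+)$') { throw "Not a SID string: $Sid" }
    $revision  = [int]$Matches[1]
    $authority = [uint64]$Matches[2]
    $subs      = @($Matches[3].TrimStart('-').Split('-') | ForEach-Object { [uint32]$_ })
    $rid       = $subs[-1]

    $authorityNames = @{ 0 = 'SECURITY_NULL_SID_AUTHORITY'; 1 = 'SECURITY_WORLD_SID_AUTHORITY';
                         2 = 'SECURITY_LOCAL_SID_AUTHORITY'; 3 = 'SECURITY_CREATOR_SID_AUTHORITY';
                         5 = 'SECURITY_NT_AUTHORITY' }
    # RIDs that mean the same thing on every machine (BUILTIN) or in every domain
    $builtinAliases = @{ 544 = 'Administrators'; 545 = 'Users'; 546 = 'Guests';
                         551 = 'Backup Operators'; 555 = 'Remote Desktop Users' }
    $domainRids     = @{ 500 = 'Administrator'; 501 = 'Guest'; 512 = 'Domain Admins';
                         513 = 'Domain Users'; 519 = 'Enterprise Admins' }

    $meaning = 'not a well-known pattern'
    if ($authority -eq 5 -and $subs.Count -ge 2 -and $subs[0] -eq 32) {
        $alias = $builtinAliases[[int]$rid]
        if (-not $alias) { $alias = 'unknown alias' }
        $meaning = "SECURITY_BUILTIN_DOMAIN_RID (32), alias RID $rid = $alias"
    } elseif ($authority -eq 5 -and $subs.Count -eq 5 -and $subs[0] -eq 21) {
        # S-1-5-21-<three machine/domain values>-<RID>: RIDs below 1000 are reserved,
        # so a renamed built-in Administrator still shows up as RID 500
        $label = $domainRids[[int]$rid]
        if (-not $label) { $label = if ($rid -ge 1000) { 'normal account or group' } else { 'unknown reserved RID' } }
        $meaning = "machine/domain SID, RID $rid = $label"
    }

    # LSA lookup; fails for SIDs of domains this machine cannot reach
    try   { $account = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $account = '(cannot be resolved on this machine)' }

    [pscustomobject]@{
        Sid                 = $Sid
        Revision            = $revision
        IdentifierAuthority = "$authority ($($authorityNames[[int]$authority]))"
        SubAuthorities      = $subs
        RelativeId          = $rid
        Meaning             = $meaning
        Account             = $account
    }
}

ConvertFrom-Sid 'S-1-5-32-544'
ConvertFrom-Sid 'S-1-5-21-1180699209-877415012-3182924384-500'
ConvertFrom-Sid ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)
```

The RID check is the useful part for an investigation: account names can be changed, but the RID cannot, so matching on S-1-5-32-544 or on a trailing -500 identifies administrators regardless of what they were renamed to.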

net user

1. Listing User accounts

net user: a command line tool that allows system administrators to manage user accounts on Windows PCs. You can use the command to display account information or make changes to user accounts.

  • net user

2. Displaying help

  • net user /help

3. Display a specific user’s information, such as password settings and the groups the user belongs to

  • net user vk9-user

4. Add a new user (the command needs to run as administrator)

username = Is the name of the user account to add, delete, modify, or view.

password = Assigns or changes a password for the user’s account.

/ADD = Adds a user account to the user accounts database.

  • net user vk9-test pass123 /ADD
  • net user
  • net user vk9-test

5. Create a user account and hide the password while typing it

* = Produces a prompt for the password.

  • net user vk9-test * /ADD

6. Add user & information

/COMMENT:”text” = Provides a descriptive comment about the user’s account.

/FULLNAME:”name” = Is a user’s full name (rather than a username). Enclose the name in quotation marks.

/USERCOMMENT:”text” Lets an administrator add or change the User Comment for the account.

  • net user vk9-test pass123 /ADD /COMMENT:”Basic user account” /FULLNAME:”VK9 Security” /USERCOMMENT:”Do not delete”
  • net user vk9-test

7. Allow or prevent users changing their own password

/PASSWORDCHG:{YES | NO} Specifies whether users can change their own password. The default is YES.

  • net user vk9-test /PASSWORDCHG:NO
  • net user vk9-test

8. Set a temporary account

/EXPIRES:{date | NEVER} Causes the account to expire on the given date. NEVER sets no time limit on the account. The date format follows the system locale (mm/dd/yyyy on a US system, as in the example).

  • net user vk9-test /EXPIRES:03/09/2020
  • net user vk9-test

9. Set user home directory

/HOMEDIR:pathname Sets the path for the user’s home directory. The path must exist.

  • net user vk9-test /HOMEDIR:C:\Users\Public

Common errors

1. Lack of privileges (open CMD as administrator)

2. The computer is not joined to the domain (when using /DOMAIN)

Delete account

Local

Delete an existing user account

/DELETE Removes a user account from the user accounts database.

  • net user
  • net user vk9-test /DELETE
  • net user

Domain

(when using /DOMAIN the command is executed against the primary domain controller, so the computer must be joined to an Active Directory domain and you need rights on that domain)

  • net user vk9-test /DELETE /DOMAIN
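The LocalAccounts module (Windows 10 / PowerShell 5.1) covers most of the net user steps above with typed parameters, which avoids the locale-dependent date format and lets you verify the result as objects instead of parsing text. This is an added example, not code from the page; the account name, descriptions and expiry are assumptions for a lab machine, and it must run as administrator.

```powershell
# Added example: the net user steps above, using LocalAccounts where it can and net user for the rest.
$Name = 'vk9-test'

# Step 5 equivalent of "net user ... *": prompt for the password, never put it on the command line
$Password = Read-Host -AsSecureString -Prompt "Password for $Name"

# Steps 4 and 6: create the account with full name and comment
New-LocalUser -Name $Name -Password $Password -FullName 'VK9 Security' -Description 'Basic user account' | Out-Null

# Step 7: prevent the user from changing the password
Set-LocalUser -Name $Name -UserMayChangePassword $false

# Step 8: temporary account; a DateTime avoids the mm/dd/yy locale problem
Set-LocalUser -Name $Name -AccountExpires (Get-Date).AddDays(30)

# Step 6 (/USERCOMMENT) and step 9 (/HOMEDIR) have no LocalAccounts parameter; net user still works
net user $Name /USERCOMMENT:"Do not delete" /HOMEDIR:C:\Users\Public | Out-Null

# Step 3: verify. The same fields net user prints, but typed, so they can be asserted on
$u = Get-LocalUser -Name $Name
$u | Select-Object Name, SID, Enabled, AccountExpires, UserMayChangePassword, PasswordLastSet
if ($u.UserMayChangePassword -or -not $u.AccountExpires) { throw "account $Name was not configured as intended" }

# Delete (local). Remove-LocalUser removes the account but leaves any profile directory behind
Remove-LocalUser -Name $Name
```

Because the function exits with an error if either setting did not stick, the script doubles as a check that the account really is restricted before it is handed to anyone.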

Groups in Windows

  • Local groups – are the user groups that exist on your Windows computer or device. They are defined locally and can be managed from the “Local Users And Groups” tool. These are the user groups that home users work with and the ones that we’re going to talk about in this article.
  • Security groups – have security descriptors associated with them. Security groups are used in Windows domains with Active Directory.
  • Distribution groups – are useful for distributing e-mails for users that belong to domains with Active Directory.

You can add a regular user to the Administrators group to give them full rights on the computer. Do this sparingly and review the group’s membership afterwards, since it is a permanent privilege escalation for that account.

net localgroup

Net localgroup command is used to manage local user groups on a computer. Administrators can add local/domain users to groups, delete users from groups, create new groups and delete existing groups.

1. Display help

/help = Displays help

  • net localgroup /help

2. List existing groups

  • net localgroup

Show a specific group, its details and members

  • net localgroup Users

3. Create a new local group

/ADD = Adds a groupname or username to a local group.

  • net localgroup vk9-group /ADD
  • net localgroup vk9-group

4. Add an existing user to a group

  • net localgroup vk9-group vk9-test /ADD
  • net localgroup vk9-group

Extra

Add a domain (or machine-qualified) group or user to a local group

  • net localgroup <localgroup> <domaingroup> /ADD
  • net localgroup vk9-group WIN10VK9SECLAB\vk9-test /ADD

5. Add a comment to the group

/COMMENT:”text” = Adds a comment for a new or existing group.

  • net localgroup vk9-group /COMMENT:”This is a test group”
  • net localgroup vk9-group

Delete groups

1. To remove a user from existing group

/DELETE = Removes a groupname or username from a local group.

  • net localgroup vk9-group
  • net localgroup vk9-group vk9-test /DELETE
  • net localgroup vk9-group

2. Delete an existing local group

  • net localgroup vk9-group
  • net localgroup vk9-group /DELETE
  • net localgroup vk9-group
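The net localgroup steps above map onto the LocalAccounts module as well. The following is an added example, not code from the page: it runs the same create/add/list/remove sequence, and adds the membership audit a practitioner wants around any change to the Administrators group. The group and member names are assumptions from the page’s lab, the member account must already exist (see the net user section), and it must run as administrator.

```powershell
# Added example: net localgroup steps via LocalAccounts, plus an Administrators audit.
$Group  = 'vk9-group'
$Member = 'vk9-test'

function Get-LocalAdmins {
    # BUILTIN\Administrators is S-1-5-32-544 on every Windows machine (see SID section),
    # so look it up by SID rather than by a name that may be localized or renamed
    Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, ObjectClass, PrincipalSource, SID
}

# Baseline before touching anything
$adminsBefore = Get-LocalAdmins

# Steps 3 and 5: create the group with a comment
New-LocalGroup -Name $Group -Description 'This is a test group' | Out-Null

# Step 4 / Extra: add a local user; a 'DOMAIN\name', 'MACHINE\name' or SID string works the same way
Add-LocalGroupMember -Group $Group -Member $Member

# Step 2: list members. ObjectClass tells users from groups, PrincipalSource local from domain
Get-LocalGroupMember -Group $Group | Select-Object Name, ObjectClass, PrincipalSource, SID

# Delete steps: remove the member first, then the group
Remove-LocalGroupMember -Group $Group -Member $Member
Remove-LocalGroup -Name $Group

# Audit: confirm the Administrators group was not changed as a side effect
$adminsAfter = Get-LocalAdmins
$diff = Compare-Object -ReferenceObject $adminsBefore -DifferenceObject $adminsAfter -Property SID
if ($diff) { Write-Warning "Administrators membership changed:"; $diff | Format-Table }
else       { Write-Host "Administrators membership unchanged ($($adminsAfter.Count) members)" }
```

Comparing on SID rather than Name is deliberate: a renamed account keeps its SID, so the audit cannot be fooled by a display-name change.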