Sometimes a normal user needs to be able to perform operations on a service, such as starting or stopping it. Multiple ways exist to grant these permissions. Windows has no GUI or (easy to use) command line tool on board to set these access rights. I will explain one way to do so.
- Sysinternals Process Explorer
What Are Services Exactly?
Windows services are a special type of application that is configured to launch and run in the background, in some cases before the user has even logged in. They can be configured to run as the local system account. Services are designed to run continuously in the background and perform system tasks.
The Services Panel
Windows has always used the Services panel as a way to manage the services that are running on your computer. You can easily get there at any point by simply hitting WIN + R on your keyboard to open the Run dialog, and typing in services.msc.
- Windows + R
- services.msc
While you can select a service and either right-click it or click the toolbar buttons to start, stop, or restart it, you can also double-click to open up the properties view and get more information.
General Tab
- Service Name: Name of the service
- Display Name: how the application is displayed in “services”
- Description: Short description of the service
- Path to executable: shows the application path and the arguments it runs with
- Startup type (Manual, Disabled, Automatic, Automatic [Delayed Start]): click Apply if you wish to deploy the change
- Service Status: here you can Start, Stop, Pause or Resume the selected service.
One of the rules that we like to follow is to avoid disabling services, since that can cause problems and errors. Instead, just try setting the service to Manual start.
Log On tab
The Log On tab allows you to choose whether the service is logged on as the local system account or under another account.
Note: You might notice the option “Allow service to interact with desktop”. By default, services are not allowed to access your desktop unless this box is checked, and this checkbox is really only there for legacy support.
Just checking that box doesn’t immediately give them access – you would also need to make sure that the NoInteractiveServices value in the registry is set to 0, because when it is set to 1, that checkbox is ignored and services can’t interact with the desktop at all. Note: in Windows 10, the value is set to 1, and interactive services are prohibited.
- Windows + R
- regedit
- Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows
- NoInteractiveServices
Note: Services aren’t supposed to be interactive because all windows exist in the same user terminal with access to common resources like the clipboard. If a service runs there alongside other processes, a malicious application running in a normal user process could attempt to gain more access through the service, and considering that services run as the local system account, that probably isn’t a good thing.
Recovery Tab
The Recovery tab allows you to choose what happens when the service fails. You can:
- Take No Action
- Restart the Service
- Run a Program
- Restart the Computer
Dependencies tab
The Dependencies tab shows which services the one you are looking at depends on, and which services depend on it. If you are planning on disabling a service, you should probably consult this section first to make sure nothing else requires that service.
Sysinternals
1. Download the Sysinternals utilities from the Microsoft website (https://docs.microsoft.com/en-us/sysinternals/downloads/)
2. Unzip the downloaded file, then run the “Process Explorer” application (procexp) as administrator
3. Double-click the process you want to allow regular users to manipulate
Note: In our case openvpnserv.exe
4. Go to the Services tab, and click on Permissions
5. Click on Add, select the users or groups you want to permit. In my case I will add user1, then click OK
6. Select the entry that was added and modify the permissions, then click on OK
6. (OPTIONAL) You can click on Advanced (“Show advanced permissions”) to modify more permissions
7. Notice that before access was granted, if I tried to start the service I got “Access is denied”
- sc stop openvpnserviceinteractive
8. After these steps I can start/stop the service using user1
- sc stop openvpnserviceinteractive
- sc start openvpnserviceinteractive
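To confirm what the Permissions dialog in steps 5 and 6 actually granted, the service's access control list can be read back with the built-in sc.exe sdshow command and decoded. The PowerShell below is an added example, not part of the original post; the function name Get-ServiceAclReport, the sample SDDL string and the two user SIDs in it are constructed for illustration.

```powershell
# Added example: decode a service DACL (as printed by "sc.exe sdshow") and
# report what each non-administrative principal is allowed to do.
$ServiceRights = @{
    0x00001 = 'QUERY_CONFIG';         0x00002 = 'CHANGE_CONFIG'
    0x00004 = 'QUERY_STATUS';         0x00008 = 'ENUMERATE_DEPENDENTS'
    0x00010 = 'START';                0x00020 = 'STOP'
    0x00040 = 'PAUSE_CONTINUE';       0x00080 = 'INTERROGATE'
    0x00100 = 'USER_DEFINED_CONTROL'; 0x10000 = 'DELETE'
    0x20000 = 'READ_CONTROL';         0x40000 = 'WRITE_DAC'
    0x80000 = 'WRITE_OWNER'
}
# Rights that let the holder reconfigure, delete or re-permission the service.
# A standard user who only needs start/stop should hold none of them.
$Risky  = 0x00002 -bor 0x10000 -bor 0x40000 -bor 0x80000
$Admins = 'S-1-5-18', 'S-1-5-32-544'   # LocalSystem, BUILTIN\Administrators

function Get-ServiceAclReport {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ($Sddl.Trim())
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }   # only "allow" entries
        $sid = $ace.SecurityIdentifier.Value
        if ($Admins -contains $sid) { continue }             # expected full control
        $names = $ServiceRights.Keys | Sort-Object |
                 Where-Object { $ace.AccessMask -band $_ } |
                 ForEach-Object { $ServiceRights[$_] }
        [pscustomobject]@{
            Sid    = $sid
            Rights = $names -join ', '
            Risky  = [bool]($ace.AccessMask -band $Risky)
        }
    }
}

# Constructed sample: default-style ACEs plus two made-up user SIDs.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
          '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)' +
          '(A;;LCRPWP;;;S-1-5-21-1111111111-2222222222-3333333333-1001)' +
          '(A;;CCDCLCRPWP;;;S-1-5-21-1111111111-2222222222-3333333333-1002)'
Get-ServiceAclReport -Sddl $sample | Format-Table -AutoSize

# On a live system, feed it the real descriptor instead:
# Get-ServiceAclReport -Sddl ((sc.exe sdshow openvpnserviceinteractive) -join '')
```

In the sample, the SID ending in 1001 holds only QUERY_STATUS, START and STOP, which is what a start/stop delegation should look like. The SID ending in 1002 is flagged because its entry also includes CHANGE_CONFIG.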