
SetServiceObjectSecurity function

[SetServiceObjectSecurity is available for use in the operating systems specified in the Requirements section. It may be altered or unavailable in subsequent versions. Instead, use the SetNamedSecurityInfo function.]

The SetServiceObjectSecurity function sets the security descriptor of a service object.

Syntax


BOOL WINAPI SetServiceObjectSecurity(
  _In_  SC_HANDLE hService,
  _In_  SECURITY_INFORMATION dwSecurityInformation,
  _In_  PSECURITY_DESCRIPTOR lpSecurityDescriptor
);

Parameters

hService [in]

A handle to the service. This handle is returned by the OpenService or CreateService function. The access required for this handle depends on the security information specified in the dwSecurityInformation parameter.

dwSecurityInformation [in]

Specifies the components of the security descriptor to set. This parameter can be a combination of the following values. Note that flags not handled by SetServiceObjectSecurity will be silently ignored.

Value / Meaning
DACL_SECURITY_INFORMATION

Sets the discretionary access control list (DACL) of the object. The handle specified by hService must have WRITE_DAC access, or the calling process must be the owner of the object.

GROUP_SECURITY_INFORMATION

Sets the primary group security identifier (SID) of the object. The handle specified by hService must have WRITE_OWNER access, or the calling process must be the owner of the object.

OWNER_SECURITY_INFORMATION

Sets the SID of the owner of the object. The handle specified by hService must have WRITE_OWNER access, or the calling process must be the owner of the object or have the SE_TAKE_OWNERSHIP_NAME privilege enabled.

SACL_SECURITY_INFORMATION

Sets the system access control list (SACL) of the object. The handle specified by hService must have ACCESS_SYSTEM_SECURITY access.

To obtain ACCESS_SYSTEM_SECURITY access:

  1. Enable the SE_SECURITY_NAME privilege in the current access token of the caller.
  2. Open the handle for ACCESS_SYSTEM_SECURITY access.
  3. Disable the privilege.

 

lpSecurityDescriptor [in]

A pointer to a SECURITY_DESCRIPTOR structure that contains the new security information.

Return value

If the function succeeds, the function returns nonzero.

If the function fails, it returns zero. To get extended error information, call GetLastError.

The following error codes can be set by the service control manager. Other error codes can be set by the registry functions that are called by the service control manager.

Return code / Description
ERROR_ACCESS_DENIED

The specified handle was not opened with the required access, or the calling process is not the owner of the object.

ERROR_INVALID_HANDLE

The specified handle is not valid.

ERROR_INVALID_PARAMETER

The specified security information or security descriptor is not valid.

ERROR_SERVICE_MARKED_FOR_DELETE

The specified service has been marked for deletion.

 

Remarks

The SetServiceObjectSecurity function sets the specified portions of the security descriptor of the service object based on the information specified in the lpSecurityDescriptor buffer. This function replaces any or all of the security information associated with the service object, according to the flags set in the dwSecurityInformation parameter and subject to the access rights of the calling process.

When a service is created, the service control manager assigns a default security descriptor to the service object. To retrieve a copy of the security descriptor for a service object, call the QueryServiceObjectSecurity function. For a description of the default security descriptor for a service object, see Service Security and Access Rights.

Note that granting certain access to untrusted users (such as SERVICE_CHANGE_CONFIG or SERVICE_STOP) can allow them to interfere with the execution of your service and possibly allow them to run applications under the LocalSystem account.
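The access requirements listed for dwSecurityInformation can be turned into a least-privilege open: request only the rights the selected components need, and reject flags that the function would otherwise silently ignore. The following C code is an added example, not part of the original documentation; required_service_access and set_service_security are hypothetical helper names, and the #else branch holds constructed stand-ins for the Windows constants so that the mapping helper also builds off Windows.

```c
#ifdef _WIN32
#include <windows.h>
#else  /* constructed stand-ins carrying the winnt.h values, for non-Windows builds */
typedef unsigned int DWORD;
typedef DWORD SECURITY_INFORMATION;
#define OWNER_SECURITY_INFORMATION 0x00000001u
#define GROUP_SECURITY_INFORMATION 0x00000002u
#define DACL_SECURITY_INFORMATION  0x00000004u
#define SACL_SECURITY_INFORMATION  0x00000008u
#define WRITE_DAC                  0x00040000u
#define WRITE_OWNER                0x00080000u
#define ACCESS_SYSTEM_SECURITY     0x01000000u
#endif

/* Components SetServiceObjectSecurity acts on; other flags are silently ignored. */
#define HANDLED_SI (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | \
                    DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION)

/* Hypothetical helper: minimum handle access for the requested components.
   If ignored is non-null it receives the bits the function would not handle. */
DWORD required_service_access(SECURITY_INFORMATION si, SECURITY_INFORMATION *ignored)
{
    DWORD access = 0;
    if (si & DACL_SECURITY_INFORMATION) access |= WRITE_DAC;
    if (si & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION)) access |= WRITE_OWNER;
    if (si & SACL_SECURITY_INFORMATION) access |= ACCESS_SYSTEM_SECURITY;
    if (ignored) *ignored = si & ~HANDLED_SI;
    return access;
}

#ifdef _WIN32
/* Hypothetical helper: apply sd to the named service and return a Win32 error code.
   For SACL_SECURITY_INFORMATION the caller must enable SE_SECURITY_NAME beforehand. */
DWORD set_service_security(const wchar_t *name, SECURITY_INFORMATION si, PSECURITY_DESCRIPTOR sd)
{
    SECURITY_INFORMATION ignored;
    DWORD access = required_service_access(si, &ignored), err = ERROR_SUCCESS;
    if (ignored || !access) return ERROR_INVALID_PARAMETER; /* helper's own check: nothing is dropped silently */
    SC_HANDLE scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_CONNECT);
    if (!scm) return GetLastError();
    SC_HANDLE svc = OpenServiceW(scm, name, access);
    if (!svc) err = GetLastError();
    else {
        if (!SetServiceObjectSecurity(svc, si, sd)) err = GetLastError();
        CloseServiceHandle(svc);
    }
    CloseServiceHandle(scm);
    return err;
}
#endif
```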

Requirements

Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]

Header

Winsvc.h (include Windows.h)

Library

Advapi32.lib

DLL

Advapi32.dll

See also

Low-level Access Control
Low-level Access Control Functions
CreateService
OpenService
QueryServiceObjectSecurity
SECURITY_DESCRIPTOR

 

 

© 2014 Microsoft