OpenSCManager function
Applies to: desktop apps only
Establishes a connection to the service control manager on the specified computer and opens the specified service control manager database.
Syntax
SC_HANDLE WINAPI OpenSCManager( __in_opt LPCTSTR lpMachineName, __in_opt LPCTSTR lpDatabaseName, __in DWORD dwDesiredAccess );
Parameters
- lpMachineName [in, optional]
-
The name of the target computer. If the pointer is NULL or points to an empty string, the function connects to the service control manager on the local computer.
- lpDatabaseName [in, optional]
-
The name of the service control manager database. This parameter should be set to SERVICES_ACTIVE_DATABASE. If it is NULL, the SERVICES_ACTIVE_DATABASE database is opened by default.
- dwDesiredAccess [in]
-
The access to the service control manager. For a list of access rights, see Service Security and Access Rights.
Before granting the requested access rights, the system checks the access token of the calling process against the discretionary access-control list of the security descriptor associated with the service control manager.
The SC_MANAGER_CONNECT access right is implicitly specified by calling this function.
Return value
If the function succeeds, the return value is a handle to the specified service control manager database.
If the function fails, the return value is NULL. To get extended error information, call GetLastError.
The following error codes can be set by the SCM. Other error codes can be set by the registry functions that are called by the SCM.
| Return code | Description |
|---|---|
|
The requested access was denied. |
|
The specified database does not exist. |
Remarks
When a process uses the OpenSCManager function to open a handle to a service control manager database, the system performs a security check before granting the requested access. For more information, see Service Security and Access Rights.
If the current user does not have proper access when connecting to a service on another computer, the OpenSCManager function call fails. To connect to a service remotely, call the LogonUser function with LOGON32_LOGON_NEW_CREDENTIALS and then call ImpersonateLoggedOnUser before calling OpenSCManager. For more information about connecting to services remotely, see Services and RPC/TCP.
Only processes with Administrator privileges are able to open a database handle that can be used by the CreateService function.
The returned handle is only valid for the process that called the OpenSCManager function. It can be closed by calling the CloseServiceHandle function.
Examples
For an example, see Changing a Service's Configuration.
Requirements
|
Minimum supported client | Windows XP |
|---|---|
|
Minimum supported server | Windows Server 2003 |
|
Header |
|
|
Library |
|
|
DLL |
|
|
Unicode and ANSI names | OpenSCManagerW (Unicode) and OpenSCManagerA (ANSI) |
See also
Send comments about this topic to Microsoft
Build date: 2/7/2012
- 11/13/2011
- Redsome
It's well known that one can view the security descriptor of a service by the following command:
> sc.exe sdshow lanmanserver
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Or using the Sysinternals AccessChk.exe:
> accesschk.exe -c lanmanserver
Or using the SubInAcl.exe tool:
> subinacl /service lanmanserver
However, the caller of the OpenSCManager API needs to be granted the desired permissions on the Service Control Manager itself. How does one view the security descriptor of the Service Control Manager itself? You can do this by supplying the "fake" service name SCMANAGER to sc.exe. sc.exe is the only utility I know of that can view this security descriptor.
> sc.exe sdshow SCMANAGER
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
You can decipher this ACL by mapping the SDDL acronyms (CC, LC, RP, etc) to their bit value and comparing them to the permission definitions for the Service Control Manager itself.
0x00000001 CC
0x00000002 DC
0x00000004 LC
0x00000008 SW
0x00000010 RP
0x00000020 WP
0x00000040 DT
0x00000080 LO
0x00000100 CR
Hence the SDDL ACL for SCM above means:
Allow: SC_MANAGER_CONNECT for Authenticated Users
Allow: SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE | SC_MANAGER_QUERY_LOCK_STATUS | READ_CONTROL for INTERACTIVE Users
Allow: SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE | SC_MANAGER_QUERY_LOCK_STATUS | READ_CONTROL for NT AUTHORITY\SERVICE
Allow: SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE | SC_MANAGER_QUERY_LOCK_STATUS | READ_CONTROL | SC_MANAGER_MODIFY_BOOT_CONFIG for NT AUTHORITY\SYSTEM
Allow: SC_MANAGER_ALL_ACCESS for BUILTIN\Administrators
The rest is the SACL.
- 3/23/2007
- GenericAll
- 5/23/2011
- sobemacusa
<DllImportAttribute("advapi32.dll", EntryPoint:="OpenSCManagerW", SetLastError:=True)> _
Public Shared Function OpenSCManager(<InAttribute(), MarshalAsAttribute(UnmanagedType.LPWStr)> ByVal lpMachineName As String, _
<InAttribute(), MarshalAsAttribute(UnmanagedType.LPWStr)> ByVal lpDatabaseName As String, _
ByVal dwDesiredAccess As UInteger) As belle
End Function
- 6/17/2010
- Chris128
- 5/5/2011
- daisybelle
Admittedly, this is called from VB6 via a Declare, so my mileage may vary.
Once I changed the argument to a pointer to "ServicesActive", everything was fine.
Thanks to the tip above, I did try mucking about with the SCMANAGER DACL (why isn't there a mechanism for dealing with service security descriptors built into the .NET Run-time and thus PowerShell?), and safely eliminated that possibility with full control to Everyone.
Out of curiousity, where is the SD for the SCMANAGER stored?
- 10/14/2008
- Thomas S. Trias
