INFO: Access to the Service Control Manager (179249)


The information in this article applies to:

  • Microsoft Win32 Application Programming Interface (API), when used with:
    • the operating system: Microsoft Windows NT 3.51
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows XP
This article was previously published under Q179249

SUMMARY

Unlike other securable objects, the security descriptor for the Service Control Manager (SCM) cannot be modified. This means that the discretionary access control list (DACL) associated with the SCM cannot be changed.

MORE INFORMATION

A security descriptor is associated with the SCM. The DACL associated with the SCM identifies the users and groups allowed or denied access to it. When a process attempts to obtain a handle to the SCM, Windows NT Security determines whether or not the process has the requested access. The OpenSCManager API is used to obtain a handle to the SCM. If the user is granted the requested access to the SCM, the system returns a valid handle. If the request is denied, NULL is returned and the error code will be number 5, "Access is denied" (ERROR_ACCESS_DENIED).

The DACL associated with the SCM is outlined in the following table for Windows NT 3.51, Windows 4.0, and Windows 2000: 
     User or Group                Access granted
   -----------------------------------------------------------------
   - Everyone                     SC_MANAGER_CONNECT               -
   -                              GENERIC_READ                     -
   -----------------------------------------------------------------
   - LocalSystem                  SC_MANAGER_CONNECT               -
   -                              GENERIC_READ                     -
   -                              SC_MANAGER_MODIFY_BOOT_CONFIG    -
   -----------------------------------------------------------------
   - Administrators               GENERIC_ALL                      -
   -----------------------------------------------------------------
The DACL associated with the SCM is outlined in the following table for Windows XP: 
User or Group                Access granted
-----------------------------------------------------------------
- Authenticated Users          SC_MANAGER_CONNECT               -
-                              GENERIC_READ                     -
-----------------------------------------------------------------
- LocalSystem                  SC_MANAGER_CONNECT               -
-                              GENERIC_READ                     -
-                              SC_MANAGER_MODIFY_BOOT_CONFIG    -
-----------------------------------------------------------------
- Administrators               GENERIC_ALL                      -
-----------------------------------------------------------------
The SCM DACL on Windows XP is explicitly tightened up to prevent unauthenticated users from being able to connect to SCM.

The generic access rights for the Service Control Manager are outlined in the table below: 
     GENERIC                      Specific Access
   -----------------------------------------------------------------
   - GENERIC_READ                 STANDARD_RIGHTS_READ             -
   -                              SC_MANAGER_ENUMERATE             -
   -                              SC_MANAGER_QUERY_LOCK_STATUS     -
   -----------------------------------------------------------------
   - GENERIC_WRITE                STANDARD_RIGHTS_WRITE            -
   -                              SC_MANAGER_CREATE_SERVICE        -
   -                              SC_MANAGER_MODIFY_BOOT_CONFIG    -
   -----------------------------------------------------------------
   - GENERIC_EXECUTE              STANDARD_RIGHTS_EXECUTE          -
   -                              SC_MANAGER_CONNECT               -
   -                              SC_MANAGER_LOCK                  -
   -----------------------------------------------------------------
   - GENERIC_ALL                  SC_MANAGER_ALL_ACCESS            -
   -----------------------------------------------------------------
Modification Type:MajorLast Reviewed:12/16/2003
Keywords:kbACL kbAPI kbinfo kbKernBase kbSCM kbSecurity kbService KB179249
©2003 Microsoft Corporation. All rights reserved.