Comments on: Service and application in single EXE? Update

By: Oliver

Oliver — Mon, 12 May 2008 19:06:42 +0000

Oh, sorry. That makes sense, of course.

By: Remko

Remko — Mon, 12 May 2008 18:44:45 +0000

@Oliver: I meant the Local Service account (sorry for the typo) which was introduced in win2003 (http://msdn.microsoft.com/en-us/library/ms684188(VS.85).aspx). The account has considerably less permissions than the System account.

By: Mark Robinson

Mark Robinson — Sun, 11 May 2008 10:20:13 +0000

Cheers. Forgot about svchost.exe too, but glad I could help!

By: Christian Wimmer

Christian Wimmer — Sat, 10 May 2008 19:51:25 +0000

Thank you. I updated the post with your information.

By: Mark Robinson

Mark Robinson — Sat, 10 May 2008 17:19:48 +0000

Find out what the parent process is, it will always be “services.exe” if the app is running as a service.

By: Christian Wimmer

Christian Wimmer — Sat, 10 May 2008 10:13:59 +0000

So what is the right way to determine whether my process is running as a service or not? I suspect it includes the service control manager – and a connection to it. Actually I don’t have time to find it out, so maybe some wise guys can show it? thx

By: Oliver

Oliver — Sat, 10 May 2008 09:21:49 +0000

Lars, that’s exactly how it should be done. Normally you would expect this to be done by installers, too, but too many people seem to think that running as SYSTEM is the only way. Especially outbound services should be run with as limited rights as possible.

Remko, this is only valid for CIFS/SMB connections and wasn’t new with Windows 2003, although it may be even stricter there than it was previously. I know for sure that you can relax the policies in order to allows this, but this is a horrible horrible style. And for changing the password, it’s good to have a service which stores this in the secret stash (for example IIS allows you to configure this behavior, by saying that IIS can manage its own user accounts).

By: Remko

Remko — Sat, 10 May 2008 08:05:17 +0000

AFAIK services running under the Local System account are denied access to the network (this was new in windows 2003). If you do need your service to access the network you should use the Network Service account in which case you need to give the computer account (computername followed by a $) permissions on the remote system (only possible in domain environments). If you need access to a remote share (CIFS/SMB) which does not permit anonymous access or access to the computer account you should use a (domain) user account.
If you do use a user account make sure it’s not a domain admin, change the password at regular intervals etc. etc.

By: Lars Bargmann

Lars Bargmann — Sat, 10 May 2008 04:55:38 +0000

No, services are not restricted from the network, but running them under sys-account will most likely tick off your AD-people, if your service needs write-access to something…
Where I work (Rather big IT-infrastructure) every service that needs to do anything on the network-drives, will be running under a service-account that is being maintained in the AD…

By: Oliver

Oliver — Fri, 09 May 2008 15:24:32 +0000

Hi, if you mean CIFS/SMB, then you are most certainly right. But services have never been restricted using the network in any sense.