Services Question

in the event viewer, and probably services interface you can see what user a service is running under. In the event viewer, I see three different things:

-System
-N/A
- my computer name / my username

i have heard it is best to run services under system. how does one control this?


- HandsOff

 

Hi Hands,

I've wondered this myself searching high and low for answer's, discovering a reasonably complicated approach through the use of Access Token's, ACL's, Privilege's, and Security Descriptor's "oh my!" I'm pretty sure I'm on the right track issuing this page from the MSDN library (either that or I truly don't know what the heck I'm talking about, swap the x's too!) ....

xxxx://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/access_control.asp

Further .... the use of commands such as cacls, net, netdom, sc, set, and xcacls can extend manipulation beyond the capabilities of a window's environment, much as netsh can for networking. Experiment if you dare!

xxxx://www.ss64.com/nt/

You're inquery sparked my curiosity to also locate this (neither free nor cheap, but interesting) ....

xxxx://www.scriptlogic.com/products/serviceexplorer/

If spying on security call's is in your future, Notok had approval for this utility ....

xxxx://www.sysinternals.com/Utilities/Tokenmon.html


GF

 

Hi -

It's not that I am intimidated by the prospect of fleshing this out, but I believe there must be a much simpler method. I am basing this guess on something that I read that reviewed the most common reasons that windows XP will not shut down as it should. The author said, very off-handedly, something like, 'one common cause for a user profile to hang up during the saving settings phase of shut down is when services are being run by user's instead of by system or network service.' <-- sort of a clumbsy quote, but I wasn't paying much attention since they did not go on to explain how to change this, and I did not think I had any processes being run by anything but system.

[afterthough: maybe i should have added that it was because the way they said it made it sound like correcting that was a trivial matter]

...However...I seemed to have changed all that, without even trying.

in my event viewer I see this:

7035
"The Application Management service was successfully sent a start control."

Which does not sound so bad until I see that this is running under my user profile, not system, and it is followed by:

7036
"The Application Management service entered the stopped state."

ERROR-7023
"The Application Management service terminated with the following error:
The specified module could not be found."


I am hoping that this does not have to make sense to me in order for me to fix it. I will give it a go.


- HandsOff

 

Hand's,

I will say one thing before proceeding ....
I do not know the consequences of altering the account under which a service run's!

Open Services through Control Panel > Help > Help Topic's > Services > How To ... here it will be explained.


GF

 

I am a little closer to a solution. And the process that is responsible is Lsass.exe. that doesnt tell me everything, but I am close.

-HandsOff

PS - i am pretty sure this is not related to sasser, or Lsass exploit.