Starting services in batch file on windows 7
Solution 1
Download the Elevation PowerToys for Windows from Microsoft. You can then include scripts in your install process so that you can run from the batch file elevate net start servicename
and it will give them a UAC elevation prompt. As long as the user has administrative privileges on the computer or can get an administator to perform the elevation for them, it will run the command with elevated privileges and should work just fine. No need to specify a username or anything. There is a whole section in that article about creating a script that can detect if it is running with a sufficient access level, and if not, elevating itself.
Solution 2
Change the permissions of the myservice
service to allow it to be started by ordinary users.
An easy way to do this is to use Process Explorer: start the service, double-click on its process in ProcExp, open the Services tab, and use the Permissions button.
The hard way:
C:\>sc sdshow Schedule
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
The text displayed is a Security Descriptor String. Each (...)
element is an ACE string.
For example, appending this to the SD would allow Users to control the service:
(A;;GX;;;BU)
BU
is the SID string for Built-in Users group. For most purposes, granting GX
(GENERIC_EXECUTE
) should be enough.
Note: The "rights" in the ACE string don't seem to correspond in any obvious way to actual permissions given. For example, "Start service" is RP
(READ_PROPERTY
) and "Stop service" is WP
(WRITE_PROPERTY
).
Related videos on Youtube
PatH
Updated on September 17, 2022Comments
-
PatH over 1 year
I have a fairly simple batch file which does just one thing - "net start myservice". This batch file gets shortcut-ed in a program group by installer so that users can simply click on the icon and get things started (or stopped). All works well in XP for the users with admin rights. But things get hairy on Win7 as the batch need to be run "as administrator" explicitly and often users don't know this. So my question is how to make this friendly? Telling users to right click and run as admin on Win7 and simply click on XP is kind of weird twist. I need a smart automatic simple thingy.
I could probably use "runas/user:administrator" in the batch itself, but this "administrator" account might not be available on some machines. I'm looking for a universal solution for installing things like this on any Windows box.
Ideas? How would you do this?
-
Admin about 13 yearsThe Administrator account will be available on all systems, but indeed it could be locked or renamed. However,
runas
would be the proper thing to do, without compromising security.runas
also is a shell verb that can be used instead ofopen
inShellExecute
.
-
-
user1686 over 13 years@Dima: SetServiceObjectSecurity(), of course... Or SetNamedSecurityInfo(), which seems to be a newer replacement for the former.