I'm using CreateService to install a windows service on Windows XPE. I'd like to set things up so that only the Administrator can start/stop/pause/resume the service.
Right now I'm using the following to install the service:
schService = CreateService(schSCManager,
ServiceName,
ServiceDisplayName, // service name to display
SERVICE_ALL_ACCESS, // desired access
SERVICE_WIN32_OWN_PROCESS, // service type
SERVICE_AUTO_START, // start type
SERVICE_ERROR_NORMAL, // error control type
binaryPathName, // service's binary (this program)
NULL, // no load ordering group
NULL, // no tag identifier
NULL, // no dependencies
NULL, // LocalSystem account
NULL); // no password
And the service ends up with security such that members of the PowerUsers group can start and stop the service. I've figured out that I can use sc sdshow to examine the security descriptor, and I've worked out an SDDL line that would do the right thing for us.
I've also learned that our Win XPE install doesn't have the sc.exe binary on it, so we can't really use that to setup this particular system.
So, what I need to know is: What are the APIs I need to use, to set the security descriptor on this service around the time I do the CreateService call. I'm completely unfamiliar with the Windows security APIs, so I just don't know where to start.
UPDATE: The answer is SetServiceObjectSecurity (below). Next question: What's the best way to setup the SecurityDescriptor? Is it best to get the default descriptor, then modify it? Or should I just create a completely new descriptor?