Eros Castor

Windows service Unable to Start exe with admin privileges

Problem Overview: I have developed a Windows executable that requires administrative privileges to modify the system registry (e.g., disabling USB ports, CD-ROM drives, and network access). To ensure these changes are applied immediately after boot, I created a Windows service to start this executable at system startup.

Details:

Executable Requirements:
- Must run with administrative privileges to modify the registry.

Service Configuration:
- Runs under the LocalSystem account (which has admin privileges).
- Set to start automatically at boot.

Issue Encountered:
- The service starts successfully at boot, but when it attempts to run the executable, User Access Control (UAC) blocks it.
- Windows policies prevent the automatic sharing of elevated privileges between the service and the executable.

Technical Details:
- OS: Windows
- Service Account: LocalSystem
- Observed Behavior: UAC blocks the executable when triggered by the service.

Potential Causes:
- User Access Control (UAC): Prevents the executable from inheriting administrative privileges from the service.
- Privilege Elevation Policy: Windows security policies may prevent services from passing admin rights to child processes.

Steps Taken:
- Created a Windows service to start the executable.
- Configured the service to run under the LocalSystem account.
- Tested the setup, observing that the executable is blocked by UAC.

Challenges with Solutions Explored:
- Task Scheduler: Requires admin password at login, which is not feasible.
- Service Interaction with Desktop: Potential security risks; not fully explored.
- Code Signing: Being considered to reduce UAC prompt severity.
- Adjusting UAC Settings: Not viable due to security concerns.

Request for Assistance: I need guidance on best practices for allowing a service to start an executable with admin privileges without being blocked by UAC or requiring user intervention. Any alternative solutions that maintain security while ensuring functionality are also welcome.
