Windows Service running as LocalSystem and NT AUTHORITY\SERVICE

  • Question

  • We need a way to check whether the process is a Windows service. For this we check the process token for the presence of the NT AUTHORITY\SERVICE group. It works except for when the service is running as LocalSystem: then the NT AUTHORITY\SERVICE group is not present in the process token. But if you look at the process token with ProcessExplorer it shows that this group is still present. Are we using the wrong API to get process token groups?
    Wednesday, August 26, 2009 4:02 AM

All replies

  • Have you considered querying the service control manager for the information you need?
    Mattias, C# MVP
    Wednesday, August 26, 2009 7:16 AM
  • You could use the parent process ID, which for services will always be the ID of the Server.EXE process (since all services get started by server.exe). You could also use WMI to get a list of all the services on the box (\\.\root\cimv2:Win32_Service), look at the process id property and see if it matches the process ID of the process you are trying to analyse.
    Wednesday, August 26, 2009 7:55 AM
  • Actually on my Windows 7 box the parent of the service process is service.exe.

    So, back to my original question: what does ProcessExplorer do to get NT AUTHORITY\SERVICE membership of the LocalSystem account?

    Friday, August 28, 2009 10:51 PM
  • Unless there is an API AmIAService that I cannot find - no.
    Friday, August 28, 2009 10:52 PM
  • I think the best would be to enumerate the services.  It seems that the function EnumServicesStatusEx() is just what you need.  It is no AmIAService() call, but it will do, I think.  It basically goes through all services and it returns a structure filled with data about each service.  A piece of that data is the process ID.  You could continue to enumerate all services until one with the expected process ID appears, or until you run out of services to enumerate.

    You'll need to open a handle to the Service Control Manager.  You can probably use OpenSCManager().

    Here's a link:  http://msdn.microsoft.com/en-us/library/ms682640%28VS.85%29.aspx.
    Sunday, August 30, 2009 7:13 PM
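    As an added example of the EnumServicesStatusEx() approach described above (my code, not code from this thread), here is a C# P/Invoke version that opens the SCM, enumerates Win32 services with process information, and returns the name of the service hosted by a given PID. The constants and struct layouts are taken from the Win32 headers; the class name ServiceLookup and the method name FindServiceByPid are my own. Two caveats a practitioner should keep in mind: a stopped service reports dwProcessId of 0, so the caller must never ask about PID 0, and several services commonly share one svchost.exe process, so the first match is returned rather than a unique answer.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Added example (not from the thread): find the service hosted by a process ID
// by enumerating the Service Control Manager with EnumServicesStatusEx.
static class ServiceLookup
{
    const uint SC_MANAGER_ENUMERATE_SERVICE = 0x0004;
    const int  SC_ENUM_PROCESS_INFO = 0;      // SC_ENUM_TYPE for ENUM_SERVICE_STATUS_PROCESS
    const uint SERVICE_WIN32 = 0x00000030;    // own-process | share-process services
    const uint SERVICE_STATE_ALL = 0x00000003;
    const int  ERROR_MORE_DATA = 234;

    [StructLayout(LayoutKind.Sequential)]
    struct SERVICE_STATUS_PROCESS
    {
        public uint dwServiceType, dwCurrentState, dwControlsAccepted, dwWin32ExitCode,
                    dwServiceSpecificExitCode, dwCheckPoint, dwWaitHint, dwProcessId, dwServiceFlags;
    }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct ENUM_SERVICE_STATUS_PROCESS
    {
        public IntPtr lpServiceName;   // LPWSTR
        public IntPtr lpDisplayName;   // LPWSTR
        public SERVICE_STATUS_PROCESS ServiceStatusProcess;
    }

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr OpenSCManager(string machineName, string databaseName, uint desiredAccess);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CloseServiceHandle(IntPtr hSCObject);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool EnumServicesStatusEx(IntPtr hSCManager, int infoLevel, uint serviceType,
        uint serviceState, IntPtr services, uint bufSize, out uint bytesNeeded,
        out uint servicesReturned, ref uint resumeHandle, string groupName);

    // Returns the name of the first service whose hosting process has this PID, or null.
    public static string FindServiceByPid(int pid)
    {
        if (pid <= 0) throw new ArgumentException("stopped services report PID 0; pass a live PID", "pid");
        IntPtr scm = OpenSCManager(null, null, SC_MANAGER_ENUMERATE_SERVICE);
        if (scm == IntPtr.Zero) throw new Win32Exception();
        IntPtr buf = IntPtr.Zero;
        try
        {
            uint needed, returned, resume = 0;
            // First call with an empty buffer only reports the size required (ERROR_MORE_DATA).
            if (!EnumServicesStatusEx(scm, SC_ENUM_PROCESS_INFO, SERVICE_WIN32, SERVICE_STATE_ALL,
                    IntPtr.Zero, 0, out needed, out returned, ref resume, null)
                && Marshal.GetLastWin32Error() != ERROR_MORE_DATA)
                throw new Win32Exception();
            buf = Marshal.AllocHGlobal((int)needed);
            resume = 0;
            if (!EnumServicesStatusEx(scm, SC_ENUM_PROCESS_INFO, SERVICE_WIN32, SERVICE_STATE_ALL,
                    buf, needed, out needed, out returned, ref resume, null))
                throw new Win32Exception();
            int size = Marshal.SizeOf(typeof(ENUM_SERVICE_STATUS_PROCESS));
            for (int i = 0; i < returned; i++)
            {
                IntPtr entry = new IntPtr(buf.ToInt64() + (long)i * size);
                var e = (ENUM_SERVICE_STATUS_PROCESS)Marshal.PtrToStructure(entry, typeof(ENUM_SERVICE_STATUS_PROCESS));
                if (e.ServiceStatusProcess.dwProcessId == (uint)pid)
                    return Marshal.PtrToStringUni(e.lpServiceName);
            }
            return null;
        }
        finally
        {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            CloseServiceHandle(scm);
        }
    }

    static void Main()
    {
        int pid = Process.GetCurrentProcess().Id;
        string name = FindServiceByPid(pid);
        Console.WriteLine(name == null
            ? "PID " + pid + " is not hosting a registered service"
            : "PID " + pid + " hosts service " + name);
    }
}
```

    Run from a console it prints that the process is not a service; run inside a service's own process it prints the service name. Because the lookup asks the SCM rather than the token, it gives the same answer whether the service runs as LocalSystem or as any other account.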
  • The easiest way to enumerate all the services is using a WMI class. The following sample code shows how to get a list of all the services running on a PC, the username that the service runs under and also the process id of the service process:

    using System;
    using System.Management;   // add a reference to System.Management.dll

    string txt_ServerName = ".";   //txt_ServerName should be "." if looking at local machine
    ManagementPath mp = new ManagementPath(@"\\" + txt_ServerName + @"\root\cimv2:Win32_Service");
    ManagementClass mc = new ManagementClass(mp);
    ManagementObjectCollection obj = mc.GetInstances();
    foreach (ManagementObject o in obj)
    {
    	//the "Name" property contains the name of the service and the "StartName" property contains the logon for the service
    	Console.WriteLine("On {0} Service Name = {1}, Username = {2}, ProcessID = {3}", txt_ServerName, o["Name"], o["StartName"], o["ProcessId"]);
    }
    Hope this helps.
    Thursday, September 3, 2009 11:41 PM
  • While I think this will work I still want the answer to my original question. Why does a service running as LOCAL SYSTEM not have the NT AUTHORITY\SERVICE group in the token?

    Thursday, September 3, 2009 11:58 PM
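    To see what the token the original question is about actually contains, here is an added example (my code, not code from this thread) in C# that enumerates the group SIDs of the current process token with WindowsIdentity, checks for the well-known SERVICE SID (S-1-5-6, the SID behind NT AUTHORITY\SERVICE), and separately reports whether the token user is LocalSystem (S-1-5-18). The class name TokenCheck and the method names are my own. The LocalSystem check is there because, as the thread reports, a LocalSystem service's token may not carry the SERVICE group; note that a LocalSystem user on its own does not prove the process is a service, since tools that launch processes as SYSTEM produce the same user SID, so the token result should be confirmed against the SCM or the WMI Win32_Service PID lookup described earlier in the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example (not from the thread): inspect the group SIDs of the current process token.
static class TokenCheck
{
    // Every group SID in the token, translated to an account name where the SID resolves.
    public static List<string> GroupNames()
    {
        var names = new List<string>();
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        foreach (IdentityReference g in id.Groups)
        {
            string name;
            try { name = g.Translate(typeof(NTAccount)).Value; }
            catch (SystemException) { name = "(unresolved)"; }   // e.g. IdentityNotMappedException
            names.Add(name + " " + g.Value);
        }
        return names;
    }

    // True if NT AUTHORITY\SERVICE (S-1-5-6) is among the token's groups.
    public static bool HasServiceGroup()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        foreach (IdentityReference g in id.Groups)
        {
            SecurityIdentifier sid = g as SecurityIdentifier;
            if (sid != null && sid.IsWellKnown(WellKnownSidType.ServiceSid)) return true;
        }
        return false;
    }

    // True if the token user is LocalSystem (S-1-5-18). This alone does not prove
    // the process is a service; confirm with an SCM/WMI lookup by process ID.
    public static bool IsLocalSystem()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return id.User != null && id.User.IsWellKnown(WellKnownSidType.LocalSystemSid);
    }

    static void Main()
    {
        foreach (string n in GroupNames()) Console.WriteLine(n);
        Console.WriteLine("SERVICE group present: " + HasServiceGroup());
        Console.WriteLine("User is LocalSystem:   " + IsLocalSystem());
    }
}
```

    Building this into a small service and running it once under a normal service account and once as LocalSystem is the quickest way to compare the two tokens side by side and to see which SIDs Process Explorer is reporting that this enumeration does not return.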