7

I am new to Windows services programming. I am confused about what to set the account type to when writing a Windows service.

How do we choose, or how do we determine, which account type to set when writing a service?

Damian

2 Answers

8

We generally create special Windows accounts (local accounts for local-only access, or domain accounts for things that need to authenticate across the network) to run custom services. This way we can restrict and lock down the permissions to make sure the service only has access to what we need. With monitoring on a shared server, you can also see which specific users are the culprits or are hogging resources.

As for the built in accounts...

Local System:
The built-in LocalSystem user account has a high level of access privileges; it is part of the Administrators group.
Network Service:
The built-in Network Service user account has fewer access privileges on the system than the LocalSystem user account, but the Network Service user account is still able to interact throughout the network with the credentials of the computer account.
Local Service:
The built-in Local Service user account has fewer access privileges on the computer than the Network Service user account, and those user privileges are limited to the local computer. Use the Local Service user account if the worker process does not require access outside the server on which it is running.

Source(s): Microsoft TechNet

ergohack
Jay
  • Thanks Jay. Can you give some example scenarios where we would run the service under the Local Service account? Thank you. –  Aug 20 '09 at 11:49
  • The easiest thing would be to look in your PC's Services console... In Vista/XP it's in Admin Tools - Services. From here you can sort on the "Log On As" column and look for the types of services started for each account. A simple example of this is the UPnP detection service, which hosts UPnP devices on your local PC. This service only requires limited access, so Microsoft uses the "Local Service" account. – Jay Aug 20 '09 at 16:23
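The "Log On As" view mentioned in the comment above can also be produced from PowerShell. This is an added example, not part of the original answers. The function names and the sample service rows are constructed for illustration, and the account-name patterns are assumptions about how `Win32_Service` reports `StartName`.

```powershell
# Added example: classify services by the account they log on as.
function Get-ServiceAccountClass {
    param([string]$StartName)
    # StartName can be empty for some entries; report those separately.
    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'Unknown' }
    switch -Regex ($StartName.Trim()) {          # -Regex matching is case-insensitive
        # LocalSystem, .\LocalSystem or ComputerName\LocalSystem
        '^([^\\]+\\)?LocalSystem$'         { return 'LocalSystem' }
        '^NT AUTHORITY\\SYSTEM$'           { return 'LocalSystem' }
        '^NT AUTHORITY\\Network ?Service$' { return 'NetworkService' }
        '^NT AUTHORITY\\Local ?Service$'   { return 'LocalService' }
        # Anything else is a dedicated local or domain account.
        default                            { return 'Custom' }
    }
}

function Get-ServiceAccountReport {
    param([Parameter(ValueFromPipeline = $true)] $Service)
    process {
        [pscustomobject]@{
            Service      = $Service.Name
            LogOnAs      = $Service.StartName
            AccountClass = Get-ServiceAccountClass -StartName $Service.StartName
        }
    }
}

# Constructed sample rows shaped like Win32_Service objects (not from a real host).
$sample = @(
    [pscustomobject]@{ Name = 'SampleUpdater';   StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'SampleDiscovery'; StartName = 'NT AUTHORITY\LocalService' }
    [pscustomobject]@{ Name = 'SampleResolver';  StartName = 'NT Authority\NetworkService' }
    [pscustomobject]@{ Name = 'SampleAgent';     StartName = '.\svc-sample-agent' }
)

$report = $sample | Get-ServiceAccountReport

# Per-service view, then a count per account class.
$report | Sort-Object AccountClass, Service | Format-Table -AutoSize
$report | Group-Object AccountClass | Format-Table Name, Count -AutoSize

# On a live host, feed real data instead of the sample, for example to list
# everything running with LocalSystem privileges:
# Get-CimInstance -ClassName Win32_Service | Get-ServiceAccountReport |
#     Where-Object AccountClass -eq 'LocalSystem'
```

Services that land in the `LocalSystem` class are the ones to review first when checking whether a less privileged account would do.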
4

LocalSystem

The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function.

It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The names LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService or ChangeServiceConfig function, any password information you provide is ignored.

NetworkService

The NetworkService account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has minimum privileges on the local computer and acts as the computer on the network.

This account can be specified in a call to the CreateService and ChangeServiceConfig functions. Note that this account does not have a password, so any password information that you provide in this call is ignored. While the security subsystem localizes this account name, the SCM does not support localized names. Therefore, you will receive a localized name for this account from the LookupAccountSid function, but the name of the account must be NT AUTHORITY\NetworkService when you call CreateService or ChangeServiceConfig, regardless of the locale, or unexpected results can occur.

A service that runs in the context of the NetworkService account presents the computer's credentials to remote servers. By default, the remote token contains SIDs for the Everyone and Authenticated Users groups. The user SID is created from the SECURITY_NETWORK_SERVICE_RID value.

The NetworkService account has its own subkey under the HKEY_USERS registry key. Therefore, the HKEY_CURRENT_USER registry key is associated with the NetworkService account.

Sanjay Dwivedi