UAC and Windows Services

2018-07-16 23:29:17

A user has a PowerShell script that does some things that require administrative access on Windows Server 2012 with UAC enabled.

When they run the script as a Local Administrator, it fails with access denied. But if they elevate their permissions and run the script as an administrator, it works. So far, so good.

Now, they have a custom Windows Service that runs the PowerShell script. The Windows Service is configured to run under the same Local Administrator account (i.e., not Local System/Network Service/etc.). The script fails with access denied, as if the account isn't an administrator. On older versions of Windows, the script works fine.

How does UAC apply in the world of Windows Services? I assumed that a Windows Service that was run under a custom local administrator account would always be "elevated", but in this case it seems that isn't true.

  • When they run the script as a Local Administrator, it fails with access denied.

    Then this means that being a "Local Administrator" is not sufficient to run the script. This proves that "Local Administrator" does not cover the full set of rights on the machine. In the context of UAC, a "Local Administrator" does not have the full rights of an "administrator" (as seen by the OS), but, when it asks to do something which requires administrative rights, the UAC intercepts the call and instead of just unceremoniously rejecting the request with an error code, it prompts the user. If the user says "yes, go on", then the process is granted elevated rights. From the point of view of the process, everything works as if it had been a "true administrator" all along.

    Services do not run in a session, but "as a service". This means that there is no user to prompt. Therefore, UAC, as configured by default, cannot grant "true administrator" rights on demand.

    Apparently, you can configure UAC t

    2018-07-17 00:02:48
  • If there were a shortcut to obtaining administrative access, then it would be a vulnerability. A Windows service requires administrative access to set up. Once upon a time under Windows all processes ran with administrative rights, and no one should use these old systems. A "fully patched" NT4 system can be owned remotely. So even remote unauthenticated users have administrative rights on old Windows systems!

    2018-07-17 00:08:27
  • When you belong to the local Administrators group on Windows Server or Windows 7 or 8, by default you are not given a full admin token. For instance, even as an administrator on the machine, when you run cmd.exe and click "Run as administrator" you have to pass UAC (secure desktop); when you say yes to the UAC prompt you are given a full admin token for the process. Even explorer.exe on Windows does not run with full admin rights. If you don't believe it, open an administrative command prompt, kill explorer.exe in Task Manager, and run psexec -h explorer.exe in the admin shell (cmd.exe); then when you click cmd in this new explorer.exe it will automatically run with admin rights without involving UAC. Leaving this example aside, the above question can be solved simply by running the service under the Local System account, since this account does not belong to any security subsystem and UAC will never prompt you, but do make your service non-interactive; it runs on the Service-0x0-3e7$ window station, it is th

    2018-07-17 00:14:41
  • UAC should not affect system services. Apart from this question, I can find no evidence that it ever does, and I have tested on Windows 7, Windows 10 v1607 and Windows 10 v1803 without being able to reproduce the problem.

    I conclude that either there is something unusual about your particular machine which is causing this to happen, or that your problem is being caused by something else, e.g., the service SID type is set to restricted, or you are running into an ACL that grants access only to INTERACTIVE.

    Any future readers who are experiencing this problem are welcome to email me if they would like assistance troubleshooting the issue. My email address is in my profile.

    2018-07-17 00:14:59
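The answers above disagree about which token a service process actually receives: the first answer explains UAC's split token (a filtered "Limited" half for interactive sessions, with no one to prompt when the process is a service), while the last answer says services are unaffected and points at other causes (a RESTRICTED service SID type, or an ACL that grants access only to INTERACTIVE). The script below is an added diagnostic written for this thread, not code posted by any of the participants. It reports what the current process token looks like (run it once from an interactive prompt and once from inside the service's script, then compare), and checks the two alternative causes. The TokenQuery class, function names, and the service name and path in the usage lines are assumptions; replace the placeholders with your own values.

```powershell
# Added diagnostic for the thread above (not from any poster).
# Part 1: what kind of token is this process running with?
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenQuery {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int infoLength, out int returnLength);
    // TOKEN_INFORMATION_CLASS values from winnt.h
    const int TokenElevationType = 18;
    const int TokenElevation     = 20;
    static int Query(IntPtr token, int infoClass) {
        int value, returned;
        if (!GetTokenInformation(token, infoClass, out value, sizeof(int), out returned))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        return value;
    }
    // 1 = Default (no linked token, UAC not involved), 2 = Full (elevated half), 3 = Limited (filtered half)
    public static int ElevationType(IntPtr token) { return Query(token, TokenElevationType); }
    public static bool IsElevated(IntPtr token)  { return Query(token, TokenElevation) != 0; }
}
'@

function Get-TokenReport {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id
    $typeNames = @{ 1 = 'Default'; 2 = 'Full'; 3 = 'Limited' }
    $type      = [TokenQuery]::ElevationType($id.Token)
    [pscustomobject]@{
        User                = $id.Name
        SessionId           = (Get-Process -Id $PID).SessionId   # 0 when started by the SCM
        # IsInRole uses CheckTokenMembership, which ignores deny-only SIDs, so this is
        # $false on the filtered half of a UAC split token even for an Administrators member.
        AdminGroupEffective = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        ElevationType       = $typeNames[$type]
        IsElevated          = [TokenQuery]::IsElevated($id.Token)
    }
}

# Part 2: the alternative causes named in the last answer.
function Get-ServiceReport {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    # 'sc.exe qsidtype' prints SERVICE_SID_TYPE: NONE | UNRESTRICTED | RESTRICTED.
    # RESTRICTED gives the service a write-restricted token regardless of its account.
    $sidLine = (& sc.exe qsidtype $Name) | Where-Object { $_ -match 'SERVICE_SID_TYPE' }
    [pscustomobject]@{
        Name     = $svc.Name
        Account  = $svc.StartName      # the logon account the service is configured with
        SidType  = ($sidLine -replace '.*:\s*', '')
        PathName = $svc.PathName
    }
}

function Find-InteractiveOnlyAce {
    # Lists allow-ACEs on $Path granted to INTERACTIVE (S-1-5-4). A service logon never
    # carries that SID, so an object secured only this way denies the service even
    # though the same account succeeds from an interactive session.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-4'
    } | Select-Object IdentityReference, *Rights, IsInherited
}

# Usage (placeholders: substitute the real service name and the object the script touches)
Get-TokenReport | Format-List
# Get-ServiceReport -Name 'MyCustomService' | Format-List
# Find-InteractiveOnlyAce -Path 'C:\Path\The\Script\Touches'
```

Reading the output: a report from inside the service showing ElevationType 'Limited' and AdminGroupEffective False means the script really did get a filtered token, which is the situation the first answer describes. ElevationType 'Default' with AdminGroupEffective True means the token is a full one and the denial comes from somewhere else, which is where the SidType and INTERACTIVE-ACE checks apply.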