Stopping a service in Windows

Is there a way to stop a service so that the OS views it as being stopped by a specific user accoun instead of NT AUTHORITY? I want to be able to do this so only a specific account can disable a security service I have running

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

RussS

Right click on My Computer and select Manage. Down the bottom is Services and Applications - pick the service - right click and stop.

sprkymrk

gojericho0 wrote:

Is there a way to stop a service so that the OS views it as being stopped by a specific user accoun instead of NT AUTHORITY? I want to be able to do this so only a specific account can disable a security service I have running

I don't think so. I believe anyone with admin rights on the computer can stop and/or disable any service. I don't know of any registry tweaks that might change this. However, if you are auditing logon/logoff events, you should be able to corollate a logon event with the time the service was stopped/disabled. The logon type will show you whether it was done from the console (Logon Type 2) or from across the network (Type 3), or Remote Desktop (type 10).

Are you asking because someone is disabling the AV scans or something?

Just rip away their admin rights.

gojericho0

The reason I'm asking is because I have a CSA security agent on all client machines. This agent uses a service I do not want disabled except for when I want to uninstall the CSA agent to push out a new agent kit or if the clients lost connection to the server and I couldn't disable the rules. I was hoping I could give permission to a specific account privledge to do this, but currently the agent views NT AUTHORITY\System as trying to stop the service and denies it access. Therefore no one can stop the service which is definetly bad

I suppose I could let anyone that has admin rights the ability to disable the service and do the audit like you suggested. I just am kind of paranoid about a user with admin rights just disabling the service just to bypass the prevention system

Thanks for the responses, I am going to do some more research on net stop to see if I can do anything specific or maybe find a registry edit like you suggested

gojericho0

Just wanted to ressurect this thread because I found an answer to my ? and would like to share if people would like to use this for security reasons or any other use...

Right Click on the Service you would like to modify and Click Properties

Select the Log On Tab

From here you can use any domain or local account you would like to run the service

A couple of things I noticed while testing:

IF THE SERVICE IS DEPENDENT ON OTHER SERVICES OR VISE VERSA THE PROCESSES THAT YOU ARE TRYING TO RUN MAY NOT BE RECOGINIZED BY THE OS

IF YOU ARE USING A DOMAIN\LOCAL USER ACCOUNT AND THAT ACCOUNT CHANGES PASSWORS THE SERVICE MAY NOT RUN PROPERLY BECAUSE IT WILL NOT BE USING CURRENT CREDENTIALS