Start a windows service without elevation

Question 1

I followed torak link and I understand this key difference concerning rights in a service:

a service has rights concerning the "Run as" user
a service has different permission to control the service (i.e. to start/stop it)

So, to start the service I need to modify the service control permission.

Well, I have done a windows service called Service1 and I made an installer with WIX. During setup I call ServiceInstall

      <ServiceInstall Id="ServiceInstaller" Type="ownProcess" Vital="yes"
       Name="Service1" DisplayName="Service1"
       Description="Service1 description"Start="demand"
       Account="NT AUTHORITY\LocalService"
       ErrorControl="ignore" Interactive="no" >
      </ServiceInstall>

Then I have a client program called TestProgram where I try to start the service:

var service = new ServiceController("Service1");
service.Start();

And obviously it doesn't start the service without elevation of TestProgram (that runs under a normal user account).

So the solution is to instruct WIX to allow members of the user group (for example) to start/stop the service, using the PermissionEx tag:

<util:PermissionEx User="Users" ServiceStart="yes" ServiceStop="yes">
</util:PermissionEx>

Hope this helps. Thank you all.

Question 2

You can set the ACL for the service itself to allow this. The SetACL.exe utility makes this (somewhat) straightforward; e.g.:

SetACL.exe -on "MyService" -ot srv -actn ace -ace "n:S-1-5-32-545;p:start_stop"

This allows members of the Users group (S-1-5-32-545) to start and stop MyService.

Question 3

If i can add my 2 cents, here is my solution that wont require any complex App.Manifest or Windows Service modification.

The concept is simply to call "Net Start" through a process that is elevated :

public string StartServiceViaProcess(string param_strServiceName)
    {
        try
        {
            const int ERROR_CANCELLED = 1223; //The operation was canceled by the user.

            Process process = new Process();
            ProcessStartInfo startInfo = new ProcessStartInfo();
            startInfo.WindowStyle = ProcessWindowStyle.Hidden;
            startInfo.FileName = "cmd.exe";
            startInfo.Verb = "runas";
            startInfo.UseShellExecute = true;
            startInfo.Arguments = "/C net start " + param_strServiceName;
            process.StartInfo = startInfo;
            try
            {
                Process.Start(startInfo);
            }
            catch (Win32Exception ex)
            {
                if (ex.NativeErrorCode == ERROR_CANCELLED)
                    return "L'usager a annulé la demande d'exécution avec privilège.";
                else
                    throw;
            }
        }
        catch (Exception ex)
        {
            return ex.SI_ConvertToString();
        }
        return "";
    }

Question 4

I don't think you can do it - It is my understanding that this is due to security reasons. Allowing malware to automatically elevate itself would be problematic.

Question 5

This is the link that I followed and solved my issue.

How to Grant non-Administrators Rights to Manage Services

By default, common users with no system administrator privileges cannot manage Windows services. It means that they cannot stop, start or change the settings or permissions for such services. In some cases, it is necessary that a user had the permissions to restart or manage certain services. In this article, we’ll consider some ways to manage permissions for Windows services. In particular, we’ll show how to grant a standard user without administrative rights the permissions to start and stop a specific service...

There is no simple and convenient integrated tool to manage services permissions in Windows. We’ll consider some ways to grant a user permissions to manage service...