Disabling components in Services.msc
Hi
Does any one know how to disable (Not able to Stop / Start / Kill) the individual services under Services.msc. I tried SC Command but doesn't help much.
If anybody know what arguments or parameters to add in MSI which can facilitate to disable the services Example RPC...
I need a answer vry urgently. If any one have a idea to SHARE, it will be great.
Thanks
Sam
Does any one know how to disable (Not able to Stop / Start / Kill) the individual services under Services.msc. I tried SC Command but doesn't help much.
If anybody know what arguments or parameters to add in MSI which can facilitate to disable the services Example RPC...
I need a answer vry urgently. If any one have a idea to SHARE, it will be great.
Thanks
Sam
0 Comments
[ + ] Show comments
Answers (12)
Please log in to answer
Posted by:
rpfenninger
18 years ago
Sam
Do you want to protect all your services from being stopped or disabled by your users or only a few of them?
We managed to protect the four services that come with McAfee VirusScan from being stopped. Therefore we deployed an msi which ran a VB Script that put those settings from an sdb-file to the workstation.
Is this what you want?
Let me know
Roland
Do you want to protect all your services from being stopped or disabled by your users or only a few of them?
We managed to protect the four services that come with McAfee VirusScan from being stopped. Therefore we deployed an msi which ran a VB Script that put those settings from an sdb-file to the workstation.
Is this what you want?
Let me know
Roland
Posted by:
Robb Thomas
18 years ago
Could you not use a custom action to run:
NET STOP "The Service Name Goes Here"
as well there's the ever popular:
NET START "The Service Name Goes Here"
Net.exe is usually located in your system32 directory. The "'s are important if your service has spaces in the name.
Kindest Regards,
---- Robb -----
NET STOP "The Service Name Goes Here"
as well there's the ever popular:
NET START "The Service Name Goes Here"
Net.exe is usually located in your system32 directory. The "'s are important if your service has spaces in the name.
Kindest Regards,
---- Robb -----
Posted by:
Robb Thomas
18 years ago
Oh, almost forgot, to disable the service, you can do this using Registry Key Entries.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
Start = 2 <- automatically start the service
Start = 3 <- Does not run during startup (you'd have to "Net Start Remote Procedure Call (RPC)"
If 'something' specifically needs this services it will start.
Start = 4 <- Service is disabled.
So you'd use the Net Stop to stop the service, then the above would let you change how the service runs at startup.
Regards,
---- Robb ----
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
Start = 2 <- automatically start the service
Start = 3 <- Does not run during startup (you'd have to "Net Start Remote Procedure Call (RPC)"
If 'something' specifically needs this services it will start.
Start = 4 <- Service is disabled.
So you'd use the Net Stop to stop the service, then the above would let you change how the service runs at startup.
Regards,
---- Robb ----
Posted by:
Sathia
18 years ago
Hi Robb Thomas,
Thanks for you reply.
Please under my requirement is Disabling of Stop / Start (to make it gray)buttons the individual services under Services.msc
I doesn't want to stop or disable to service.. Service should be keep running. But i don't want users to entertain stoping or starting the services. for example On XP OS if you look at RPC, you will be able understand about my question.
Thanks buddy,
Thanks for you reply.
Please under my requirement is Disabling of Stop / Start (to make it gray)buttons the individual services under Services.msc
I doesn't want to stop or disable to service.. Service should be keep running. But i don't want users to entertain stoping or starting the services. for example On XP OS if you look at RPC, you will be able understand about my question.
Thanks buddy,
Posted by:
Robb Thomas
18 years ago
The easiest approach would be to remove the desktop administrative or Power User rights from the users.
Another possibility could be a Group Policy that you could deploy to deny access to system services. I do not know of such a policy.
Change the Permission on the MSC file so that the users are denied read access to the file.
Deploy a hacked up version of the MSC file. As I understand it, microsoft has rigged MSC files so that you can edit them, and or remove / add your own functions to them. I have never done this, and therefor cannot help you more in this.
That's about all I can think of.
Regards,
---- Robb ----
Another possibility could be a Group Policy that you could deploy to deny access to system services. I do not know of such a policy.
Change the Permission on the MSC file so that the users are denied read access to the file.
Deploy a hacked up version of the MSC file. As I understand it, microsoft has rigged MSC files so that you can edit them, and or remove / add your own functions to them. I have never done this, and therefor cannot help you more in this.
That's about all I can think of.
Regards,
---- Robb ----
Posted by:
Sathia
18 years ago
Dear Robb,
Thanks for your time.
I do practice the same as you recommended. But the worst scenario is, those pc are legacy, not likely to upgrade to SOE. Tot of any one have experienced this before.
No choice, I will see what i can do my best.
Thank you again for sharing you time and knowledge.
Thanks for your time.
I do practice the same as you recommended. But the worst scenario is, those pc are legacy, not likely to upgrade to SOE. Tot of any one have experienced this before.
No choice, I will see what i can do my best.
Thank you again for sharing you time and knowledge.
Posted by:
AngelD
18 years ago
Sounds like your users are local admins as only administrators can manage services, is this true?
Posted by:
rpfenninger
18 years ago
Nope. Our users are 'Power Users' but no 'Administrators'.
But the VB Script (that installs the .sdb file which locks down the services) is being executed in the system context (deferred execution) of the msi, that's why it works...
But the VB Script (that installs the .sdb file which locks down the services) is being executed in the system context (deferred execution) of the msi, that's why it works...
Posted by:
Sathia
18 years ago
Hi Ronald,
You are right. We don't want to disable all of the services at this moment. But i can recommend that to my Project. The scenario is "All of the users have local admin rights" but they are not an administrators. They can play/stop any services on their Local Machine. Due to some security is concern, we don't want them to stop Antivirus services at any situation.
I think your recommendation should work." We managed to protect the four services that come with McAfee VirusScan from being stopped. Therefore we deployed an msi which ran a VB Script that put those settings from an sdb-file to the workstation".
Are you able to guide me how shall go about doing it. Or if possible can you send me the VB Script file and sdb file to jsathia@hotmail.com.
I Appreciate you reply and give you 2 scores..
Thank you
You are right. We don't want to disable all of the services at this moment. But i can recommend that to my Project. The scenario is "All of the users have local admin rights" but they are not an administrators. They can play/stop any services on their Local Machine. Due to some security is concern, we don't want them to stop Antivirus services at any situation.
I think your recommendation should work.
Are you able to guide me how shall go about doing it. Or if possible can you send me the VB Script file and sdb file to jsathia@hotmail.com.
I Appreciate you reply and give you 2 scores..
Thank you
Posted by:
rpfenninger
18 years ago
Hi Sam
I didn't realize that all your users have local administrator rights. (Or what exactly do you mean with "All of the users have local admin rights but they are not an administrators")?
I'm not sure if this is going to work as it is pretty hard to lock an administrator down.
In our company all the users are only Power Users. They do have the ability to change the state of a service. This is why we locked the McAfee services down.
I hope that it works in your environment as well.
Roland
BTW: Thanks for the rating!
I didn't realize that all your users have local administrator rights. (Or what exactly do you mean with "All of the users have local admin rights but they are not an administrators")?
I'm not sure if this is going to work as it is pretty hard to lock an administrator down.
In our company all the users are only Power Users. They do have the ability to change the state of a service. This is why we locked the McAfee services down.
I hope that it works in your environment as well.
Roland
BTW: Thanks for the rating!
Posted by:
Sathia
18 years ago
Hi Roland,
Thanks a lot for your effort for sending those files.
but i couldn't edit sdb file..
do you have any idea how to create the file, if so i can create and test it out.
Any way thanks again.
Thanks a lot for your effort for sending those files.
but i couldn't edit sdb file..
do you have any idea how to create the file, if so i can create and test it out.
Any way thanks again.
Posted by:
rpfenninger
18 years ago
Hi Sam
Ok, I try to translate my German manual I created for myself for those tasks:
First of all you can convert the .sdb file to a readable .inf file by using the following command line:
C:\Windows\security\Database> secedit /export /db "file.sdb" /cfg "yourname.inf"
---> secedit is the command (for more information)
To create your very own .sdb file first open an mmc.
Load the two security SnapIns (they should be called something like Security Templates and Security Configuration)
Create a new Security Template
Set your rights as expected (this works for filesystem, registry and services)
Save the template. You get an .inf file in C:\Windows\security\templates
Then in the other SnapIn (Security Configuration) choose to open a database. Browse to your .inf file
Provide a name for your new .sdb file and click the option for cleaning up the database before the import.
So you get the .sdb file in %USERPROFILE%\My Documents\Security\Database
You can then test your .sdb file by choosing "Configure Computer Now" in the context menu of the mmc. Let the program write a log so you can check if everything worked as expected.
That's it
Hope that this works for you
Roland
Ok, I try to translate my German manual I created for myself for those tasks:
First of all you can convert the .sdb file to a readable .inf file by using the following command line:
C:\Windows\security\Database> secedit /export /db "file.sdb" /cfg "yourname.inf"
---> secedit is the command (for more information)
To create your very own .sdb file first open an mmc.
Load the two security SnapIns (they should be called something like Security Templates and Security Configuration)
Create a new Security Template
Set your rights as expected (this works for filesystem, registry and services)
Save the template. You get an .inf file in C:\Windows\security\templates
Then in the other SnapIn (Security Configuration) choose to open a database. Browse to your .inf file
Provide a name for your new .sdb file and click the option for cleaning up the database before the import.
So you get the .sdb file in %USERPROFILE%\My Documents\Security\Database
You can then test your .sdb file by choosing "Configure Computer Now" in the context menu of the mmc. Let the program write a log so you can check if everything worked as expected.
That's it
Hope that this works for you
Roland
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.