SERVICE_SID_INFO structure

Represents a service security identifier (SID).

Syntax

typedef struct _SERVICE_SID_INFO {
  DWORD dwServiceSidType;
} SERVICE_SID_INFO, *LPSERVICE_SID_INFO;

Members

dwServiceSidType

The service SID type.

Value Meaning
SERVICE_SID_TYPE_NONE
0x00000000
Use this type to reduce application compatibility issues.
SERVICE_SID_TYPE_RESTRICTED
0x00000003
This type includes SERVICE_SID_TYPE_UNRESTRICTED. The service SID is also added to the restricted SID list of the process token. Three additional SIDs are also added to the restricted SID list:
  • World SID S-1-1-0
  • Service logon SID
  • Write-restricted SID S-1-5-33
One ACE that allows GENERIC_ALL access for the service logon SID is also added to the service process token object.

If there are multiple services hosted in the same process and one service has SERVICE_SID_TYPE_RESTRICTED, all services must have SERVICE_SID_TYPE_RESTRICTED.

SERVICE_SID_TYPE_UNRESTRICTED
0x00000001
When the service process is created, the service SID is added to the service process token with the following attributes: SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_OWNER.

Remarks

The change takes effect the next time the system is started.

The SCM adds the specified service SIDs to the process token, plus the following additional SIDs.

SID Attributes
Logon SID SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_LOGON_ID | SE_GROUP_MANDATORY
Local SID SE_GROUP_MANDATORY | SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT
 

This enables developers to control access to the objects a service uses, instead of relying on the use of the LocalSystem account to obtain access.

Use the LookupAccountName and LookupAccountSid functions to convert between a service name and a service SID. The account name is of the following form:

NT SERVICE<i>SvcName

Note that NT SERVICE is the domain name.

Requirements

   
Minimum supported client Windows Vista [desktop apps only]
Minimum supported server Windows Server 2008 [desktop apps only]
Header winsvc.h (include Windows.h)

See Also

ChangeServiceConfig2

QueryServiceConfig2