Assigning Permissions to Manage Services to Non-Administrators

Monday, March 8, 2010
by asalvo

While I usually run as a normal user on Windows and elevate permissions as needed, sometimes this just doesn’t cut it. Today I needed to be able to start and stop a Windows service as a normal user running a piece of code (actually it’s an integration test). With UAC enabled, even though I was an administrator, I still couldn’t access the service. After a bit of searching, I came across the following Server Fault question, which had an accepted answer.

  1. Get the existing security descriptor using “sc sdshow servicename” from an Administrative command prompt. If the service name has spaces in it, surround it in quotes. This will output something like:
**D:**(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)**S:**(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

I bolded the D: and S: to denote their importance for steps 3 and 4.

  2. Get the SID for the account you want to grant access to. I was able to use the same command prompt because I was running it as me, just with elevated permissions. If you need to do this for a different user, you will either have to log in as them, or use a different tool if you can’t log in as them.
c:\>whoami /all
  3. Insert the following into the string you got in step 1. Make sure to replace the SID below with the SID you got in step 2. Also, this must be inserted before the S: in the string obtained in step 1.
(A;;RPWPDT;;;S-1-5-21-0000000000-0000000000-0000000000-0000)
  4. Run from an administrative command prompt
sc sdset "servicename" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)**(A;;RPWPDT;;;S-1-5-21-0000000000-0000000000-0000000000-0000)**S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

I’ve bolded the string from step 3 that was inserted. There is a space after “servicename” but none after that.
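
The splice from steps 3 and 4 as an added Python example (not from the original post or the Server Fault answer): it inserts the ACE at the end of the DACL, before S: when a SACL is present, and lists which trustees hold start/stop/pause rights so the result can be checked before running sc sdset. The function names are hypothetical; the sample descriptor and placeholder SID are the ones shown above.

```python
import re

# SDDL codes for the service rights granted in step 3.
SERVICE_RIGHTS = {"RP": "start", "WP": "stop", "DT": "pause/continue"}
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
ALLOW_ACE_RE = re.compile(r"\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^;)]*)\)")

# Descriptor and placeholder SID as shown in the post (bold markers removed).
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SID = "S-1-5-21-0000000000-0000000000-0000000000-0000"


def add_service_ace(sddl, sid, rights="RPWPDT"):
    """Append an allow ACE for sid to the DACL, keeping any S: part last."""
    sddl = sddl.strip()  # sc sdshow output may carry blank lines around it
    if not sddl.startswith("D:"):
        raise ValueError("expected 'sc sdshow' output starting with D:")
    if not SID_RE.match(sid):
        raise ValueError("not a SID string: %r" % sid)
    ace = "(A;;%s;;;%s)" % (rights, sid)
    # partition() leaves marker and sacl empty when there is no SACL,
    # so the ACE then simply lands at the end of the string.
    dacl, marker, sacl = sddl.partition("S:")
    if ace in dacl:  # already granted: do not add a duplicate ACE
        return sddl
    return dacl + ace + marker + sacl


def who_can_control(sddl):
    """Map trustee -> start/stop/pause rights granted by allow ACEs."""
    dacl = sddl.partition("S:")[0]
    granted = {}
    for rights, trustee in ALLOW_ACE_RE.findall(dacl):
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        verbs = sorted(v for c, v in SERVICE_RIGHTS.items() if c in codes)
        if verbs:
            granted[trustee] = verbs
    return granted


if __name__ == "__main__":
    updated = add_service_ace(SAMPLE, SID)
    print('sc sdset "servicename" ' + updated)
    for trustee, verbs in who_can_control(updated).items():
        print(trustee, "->", ", ".join(verbs))
```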

This page talks about the different options you can set.
