Is there a way to prevent read and/or write access to a specific folder in Windows and grant only a specific service/process access to it?
It seems that permissions are user-based and not service-based but I’d like to know if there is a way to achieve such a functionality anyway.
Yes, there is a way to do this in Windows 7, although it may be necessary to reconfigure the service which introduces a (probably fairly small) risk of introducing a compatibility problem.
The security ID associated with a service can be referenced as
servicename is replaced with the actual name of the service (shown as “Service name” in the Services administrative tool, and distinct from the display name shown in the main list of services). If you’re using the GUI to change security settings, and the machine is joined to a domain, you’ll need to change the search scope to the local computer. Also note that this only works for services that are currently installed.
You can determine the SID associated with a particular service name, whether or not such a service is installed, using the
sc showsid command:
C:working>sc showsid wjkjk NAME: wjkjk SERVICE SID: S-1-5-80-492907775-8774055-3223757035-3566066944-1037782649
If you are setting security on a file or folder using the
icacls command you can specify a SID by prefixing it with
In order for the service to access files using this security ID, it has to be configured with a service SID type of either “unrestricted” or “restricted”. If it is configured with a service SID type of “none” the service SID will not work. You can check the service SID type of an installed service with the
sc qsidtype command:
C:working>sc qsidtype wuauserv [SC] QueryServiceConfig2 SUCCESS SERVICE_NAME: wuauserv SERVICE_SID_TYPE: UNRESTRICTED
If the service type is “none” you can change it to “unrestricted” using the
sc sidtype command:
C:working>sc qsidtype psexesvc [SC] QueryServiceConfig2 SUCCESS SERVICE_NAME: psexesvc SERVICE_SID_TYPE: NONE C:working>sc sidtype psexesvc unrestricted [SC] ChangeServiceConfig2 SUCCESS C:working>sc qsidtype psexesvc [SC] QueryServiceConfig2 SUCCESS SERVICE_NAME: psexesvc SERVICE_SID_TYPE: UNRESTRICTED
This will not take effect until the service is restarted.
Note: you should not change the SID type of a service from “none” to “restricted”. Doing so will almost certainly cause the service to malfunction. Changing the type from “none” to “unrestricted” is much less likely to cause any problems. If the service SID type is already “restricted” or “unrestricted” you should not change it.
There is a pseudo “user” called
SERVICE that all services use so you can simply restrict access by only allowing this “user” access.
However, this is not quite what you asked since this isn’t a single specific service, it is all services. There is no default mechanism to restrict to a single service though it may be possible with some considerable faffing around trying to force a service to use a different ID on startup – I wouldn’t recommend it.