Video Screencast Help
Endpoint Virtualization Community Blog

Installing a Service that Logs in as a User Account in a Layer

Created: 10 Mar 2006 • Updated: 29 Jul 2010
Jeremy_Hurren's picture
0 0 Votes
Login to vote

For security reasons, layers don't store passwords. So, how do you create a layer that starts a service on activation that requires a password? Jeremy Hurren takes us under the hood for this workaround.

Because of the way that SVS virtualizes services, it does not store the password information necessary to log on as a service. So if you are installing software that has such a service into a layer, it will work the first time you run it, but after deactivating it and activating it again the service won't be able to start. The underlying technical reason is that SVS has to delete and create the service repsectively during the deactivation and activation. Because SVS doesn't want to expose any password information, it doesn't store that information in the layer, and therefore cannot use it to recreate the service during activation.

There are two different solutions that can work here. First would be to change the service you are installing to log on as one of the built-in accounts that don't require password information: LocalSystem, LocalService, or NetworkService. (The latter two do not exist on Windows 2000.) This option is only recommended if you know that running the service under one of these accounts will not cause issues. Most services that want to run under a specific account do so for a reason: the built-in accounts don't have sufficient rights to do what they need to do, or there is a security reason for running under a reduced privilege account.

The second option to solve the problem involves setting up a script to adjust the layer after it is activated. This adjustment sets the password and then starts the service. This can also be a security issue, since it means that the password for that user account is stored in the layer and could be accessed by other users. This option requires you to create an OnPostActivate entry for the layer in question, adding command(s) similar to the following:

[HKEY_LOCAL_MACHINE\System\Altiris\FSL\1]
OnPostActivate (REG_MULTI_SZ):
 w,svscmd.exe <layer-id> exec -path "C:\Windows\system32\sc.exe config <service-name> password= <account-password>"
C:\WINDOWS\system32\sc.exe start <service-name>
 

The "w," at the beginning of the first line makes the system wait until that command is finished executing before continuing to the next one. Running the command via svscmd's exec command makes the change in the layer, not the base system, which is exactly what we want. Note that sc.exe does not exist on Windows 2000, but the technique could still be applied with some other tool that allows you to change the password for a service.

For the security conscious, the same technique could be used to launch a home-made application to prompt the user for the service password. The application would then have to launch the sc.exe command to set the password in the layer. This method would not leave the password in the registry for exploitation.

For more information about modifying values in the FSL key, see the tip Auto-Closing Applications Running from a Layer.