Service permissions to query or execute WMI commands on local machine.

Robinson 156 Reputation points
2021-12-24T20:24:25.143+00:00

I have a device I plug into a USB port which shows as a composite device in Windows, one of which is a network adapter. I am writing a service to detect this adapter and assign a static IP to it. I'm using WMI to do this, in \root\CIMV2, finding the adapter with a query against Win32_NetworkAdapterConfiguration, and then invoking its EnableStatic method.

I don't really want this service to run as LocalService, so I'm looking for a way to give the required permissions to the service to perform the operation in the background whenever such a device is detected. The user should not have to elevate UAC, as they may be in a domain-controlled environment and not have the required admin permissions. Admin permissions are available to install the service of course.

Can someone recommend a good approach here? Is there a command-line tool I can run from the installer to give a service running under NetworkService permissions to query and execute some part of the WMI tree? Should I just run as LocalService?

Any advice would be appreciated.

Windows API - Win32
C#

Accepted answer
  1. RLWA32 40,471 Reputation points
    2021-12-26T13:56:27.65+00:00

    Both the NetworkService Account and the LocalService Account have the privileges associated with users and authenticated users.

    If you intend to use WMI and call methods that require elevated privileges then neither of these service accounts is a good choice. And, since services run in the non-interactive session 0 it would be impossible to respond to any elevation prompt.

    Consequently, the LocalSystem Account may be needed for your service in order to use WMI methods that require elevated privileges. Presumably it would also be possible to use a special-purpose Administrator account that has been granted the "logon as a service" right.
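
The call path discussed in this thread, as an added C# example that is not the asker's or RLWA32's code: it reports which account the service is running as, invokes EnableStatic on the matching adapter, and returns the method's ReturnValue so the service can log an access-denied result. The class and method names, and the adapter description, IP address and subnet mask arguments, are assumptions.

```csharp
// Added example with hypothetical names; not code from the question or the answer.
using System;
using System.Management;            // System.Management assembly (NuGet package on .NET 5+)
using System.Security.Principal;

static class StaticIpAssigner
{
    // True when the process token is LocalSystem, the account the answer suggests.
    public static bool RunningAsLocalSystem()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
            return id.IsSystem;
    }

    // Returns EnableStatic's ReturnValue, or null if no adapter matched.
    // 0 = success, 1 = success (reboot required), 91 = access denied.
    // adapterDescription, ip and mask are caller-supplied (assumed) values.
    public static uint? TryAssign(string adapterDescription, string ip, string mask)
    {
        // Escape WQL string-literal metacharacters before building the query.
        string escaped = adapterDescription.Replace("\\", "\\\\").Replace("'", "\\'");
        string wql = "SELECT * FROM Win32_NetworkAdapterConfiguration " +
                     $"WHERE Description = '{escaped}'";

        using (var searcher = new ManagementObjectSearcher(@"\\.\root\CIMV2", wql))
        using (ManagementObjectCollection results = searcher.Get())
        {
            foreach (ManagementObject nic in results)
            {
                using (nic)
                using (ManagementBaseObject args = nic.GetMethodParameters("EnableStatic"))
                {
                    // Both parameters are string arrays in the WMI method signature.
                    args["IPAddress"] = new[] { ip };
                    args["SubnetMask"] = new[] { mask };
                    using (ManagementBaseObject result =
                               nic.InvokeMethod("EnableStatic", args, null))
                    {
                        // Configure only the first match and report its status.
                        return (uint)result["ReturnValue"];
                    }
                }
            }
        }
        return null; // the USB network adapter is not present
    }
}
```

Logging `RunningAsLocalSystem()` next to a ReturnValue of 91 at service start-up shows whether a failure comes from the account the service was installed under rather than from the adapter or the address values.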

