Svcacls.exe: Service ACL Editor

Service ACL Editor Syntax


svcacls [\\TargetComputer\]Service [Options]

Where

TargetComputer
is the UNC name of the computer on which permissions are to be determined. It must be followed by a backslash before the name of the service.
Service
is the name of the service for which permissions are to be determined.
Options
include:
G[rant]:Trustee:Permissions (adds permissions)
S[et]:Trustee:Permissions (replaces permissions)
R[evoke]:Trustee (removes whatever explicit permissions have been given)
D[eny]:Trustee (does not allow any access to the object regardless of any other permissions)
You can use more than one option on one line, for example:
svcacls browser r:username g:username:riu

 

Caution

Use Deny with extreme care, as it is possible to lock even administrators out of a service with an option such as D:everyone.

Trustee
is the user to whom the permissions apply. If a trustee name contains spaces, you must use double quotes around it.
Permissions
include specific permissions and generic permissions.

Specific permissions:

Q: Query Service Configuration                (SERVICE_QUERY_CONFIG)
S: Query Service Status                       (SERVICE_QUERY_STATUS)
E: Enumerate Dependent Services               (SERVICE_ENUMERATE_DEPENDENTS)
C: Change Service Configuration               (SERVICE_CHANGE_CONFIG)
T: Start Service                              (SERVICE_START)
O: Stop Service                               (SERVICE_STOP)
P: Pause/Continue Service                     (SERVICE_PAUSE_CONTINUE)
I: Interrogate Service with ControlService()  (SERVICE_INTERROGATE)
U: Allow User-Defined Control Commands        (SERVICE_USER_DEFINED_CONTROL)

Generic permissions:

F: Full Control               (SERVICE_ALL_ACCESS = QSECTOPIU)
R: Generic Read               (GENERIC_READ       = QSE)
W: Generic Write              (GENERIC_WRITE      = C)
X: Generic Execute            (GENERIC_EXECUTE    = TOPIU)
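
Added example (not part of the original documentation or of svcacls itself): a Python helper for reviewing an svcacls command line before it is run. It expands the permission letters using the two tables above and flags the D:everyone lockout described in the caution. The hexadecimal bit values come from winsvc.h, not from this page; the function names, the acceptance of either the single letter or the full option word, and the sample command are assumptions made for illustration.

```python
import re

# Specific permission letters -> (right name, access-mask bit from winsvc.h).
SPECIFIC = {
    "Q": ("SERVICE_QUERY_CONFIG", 0x0001), "S": ("SERVICE_QUERY_STATUS", 0x0004),
    "E": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008), "C": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "T": ("SERVICE_START", 0x0010), "O": ("SERVICE_STOP", 0x0020),
    "P": ("SERVICE_PAUSE_CONTINUE", 0x0040), "I": ("SERVICE_INTERROGATE", 0x0080),
    "U": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
}
# Generic letters, expanded exactly as the table above lists them.
GENERIC = {"F": "QSECTOPIU", "R": "QSE", "W": "C", "X": "TOPIU"}
VERBS = {"G": "grant", "S": "set", "R": "revoke", "D": "deny"}
# Option:Trustee[:Permissions]; a trustee containing spaces must be double-quoted.
OPTION = re.compile(
    r'^(g(?:rant)?|s(?:et)?|r(?:evoke)?|d(?:eny)?):'
    r'(?:"([^"]+)"|([^:"\s]+))(?::([a-z]+))?$', re.I)

def expand(letters):
    """Return (service-specific mask, right names) for a string such as 'riu'."""
    specific = "".join(GENERIC.get(c, c) for c in letters.upper())
    unknown = set(specific) - set(SPECIFIC)
    if unknown:
        raise ValueError(f"unknown permission letter(s): {sorted(unknown)}")
    names = [n for k, (n, _) in SPECIFIC.items() if k in specific]
    mask = sum(bit for k, (_, bit) in SPECIFIC.items() if k in specific)
    return mask, names

def review(command_line):
    """Parse an svcacls command line into (target, entries) for review."""
    tokens = re.findall(r'(?:"[^"]*"|\S)+', command_line)
    if len(tokens) < 2:
        raise ValueError("missing service name")
    target, entries = tokens[1], []
    for tok in tokens[2:]:
        m = OPTION.match(tok)
        if not m:
            raise ValueError(f"malformed option: {tok}")
        verb = VERBS[m.group(1)[0].upper()]
        trustee, perms = m.group(2) or m.group(3), m.group(4)
        if (verb in ("grant", "set")) != bool(perms):
            raise ValueError(f"{verb} {'needs' if not perms else 'takes no'} permissions: {tok}")
        mask, names = expand(perms) if perms else (0, [])
        # The page's caution: a Deny entry for Everyone locks out administrators too.
        lockout = verb == "deny" and trustee.lower() == "everyone"
        entries.append((verb, trustee, mask, names, lockout))
    return target, entries

if __name__ == "__main__":  # constructed sample, based on the page's example line
    print(review(r"svcacls \\SRV01\browser r:username g:username:riu d:everyone"))
```

The mask covers only the nine service-specific rights listed above; an unquoted trustee with spaces splits into two tokens and is rejected as malformed.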