You are using an unsupported browser. Please update your browser to the latest version on or before July 31, 2020.
close

03: How to Allow a Non-Admin user to manage a specific Service using SC.EXE with Least Privilege Manager

The steps in the example below will allow a Non-Admin user to manage the Remote Registry service using the SC.EXE command.

Before you start, you can pre-test that a standard user cannot use the command line to start the service.

Use command sc config remoteregistry start=auto to start your test.



1. Create an LPM Combo rule using Path and Command line.
2. For the Path use: C:\Windows\System32\sc.exe


3. For the Command line use: the syntax:  * ServiceName*

So Star * space ServiceName*  like 

* RemoteRegistry*

to ensure that both Strict equality and Ignore argument case options are checked as in the screenshot below.

Note: You can use services.msc and look at the properties of an individual service to get the ServiceName, or you can use the “sc query” command from CMD to get the ServiceName.




Next, apply the policy to the user(s) or computer(s) that need to receive the policy, and then test from a CMD prompt as a standard non-admin user to see if you can manage the Remote Registry service using the SC.EXE command:

Since the Remote Registry service is disabled by default we first need to enable the service and choose its startup type.

SC Config RemoteRegistry Start=Auto

Then you can try to START the service.

SC Start RemoteRegistry


And to STOP the service.

SC Stop RemoteRegistry


And lastly to disable the service.
SC Config RemoteRegistry Start=Disabled



XML for policy is attached below which you may use as an example.

 
  • 1318
  • 08-Mar-2024
  • 330 Views