Request #70961 Allow service control from less privileged process
Submitted: 2015-11-23 20:26 UTC
Modified: 2018-10-08 18:39 UTC
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 1 (0.0%)
From: bdagnin at incontrol dot co dot nz
Assigned: jbnahan
Status: Closed
Package: win32service (PECL)
PHP Version: 5.5.30
OS: Windows
Private report: No
CVE-ID: None
 [2015-11-23 20:26 UTC] bdagnin at incontrol dot co dot nz
Currently, to start or stop a service, the PHP application must run with administrator-level privileges.
This patch allows a less privileged process (e.g. running under an IIS application pool identity) with a sufficient DACL grant on the service to be able to start or stop it.

It works for me with a minimal explicit 'RPWPRC' grant on the service.

Please be careful when modifying a service ACL - recovery could become tricky.
The 'sc sdset' command overwrites the entire ACL - you must specify the full ACL, not just additions (use 'sc sdshow' to see the current one).

For reference "Best practices and guidance for writers of service discretionary access control lists":
The Sysinternals utility "PsGetsid.exe" can be used to determine the SID of an IIS application pool identity -

The patch is based on the v0.1.0 svn tag:


permit-service-acl.patch (last revision 2015-11-23 20:27 UTC by bdagnin at incontrol dot co dot nz)
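
The report's caveat that 'sc sdset' replaces the whole ACL can be handled by building the new descriptor from the 'sc sdshow' output; the sketch below is an added example, not part of the report, the attached patch or the win32service code. The sample descriptor and SID are constructed, the function names are hypothetical, and it assumes a DACL without conditional ACEs.

```python
import re

# Service meaning of the SDDL rights in the page's 'RPWPRC' grant.
ALLOWED = {"RP": "SERVICE_START", "WP": "SERVICE_STOP", "RC": "READ_CONTROL"}

# Constructed sample of 'sc sdshow' output and a placeholder app pool SID.
SAMPLE_SDSHOW = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
APP_POOL_SID = "S-1-5-82-1-2-3-4-5"

# head = optional owner/group + "D:" + flags, aces = DACL entries,
# tail = whatever follows the DACL (normally the "S:" SACL section).
SDDL_RE = re.compile(r"^(?P<head>.*?D:[A-Z]*)(?P<aces>(?:\([^()]*\))+)(?P<tail>.*)$")


def split_sddl(sddl):
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("no DACL with ACEs found; refusing to build an ACL")
    return m["head"], m["aces"], m["tail"]


def granted(sddl, sid):
    """Rights that allow ACEs in the DACL already give to sid."""
    found = set()
    for ace in re.findall(r"\(([^()]*)\)", split_sddl(sddl)[1]):
        f = ace.split(";")
        if len(f) == 6 and f[0] == "A" and f[5].upper() == sid.upper():
            found.update(re.findall(r"[A-Z]{2}", f[2]))
    return found


def add_grant(sddl, sid, rights="RPWPRC"):
    """Full SDDL for 'sc sdset': every existing ACE kept, one allow ACE added."""
    wanted = re.findall(r"[A-Z]{2}", rights)
    if "".join(wanted) != rights or not set(wanted) <= set(ALLOWED):
        raise ValueError("only start/stop/read rights may be granted: " + rights)
    head, aces, tail = split_sddl(sddl)
    if set(wanted) <= granted(sddl, sid):
        return sddl.strip()          # already sufficient, change nothing
    return f"{head}{aces}(A;;{rights};;;{sid}){tail}"


if __name__ == "__main__":
    print(add_grant(SAMPLE_SDSHOW, APP_POOL_SID))
```

Keep the original 'sc sdshow' string so the previous ACL can be restored, and compare the generated string against it before applying.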
 [2018-10-08 18:39 UTC]
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: jbnahan
 [2018-10-08 18:39 UTC]
The 0.3.0 release can run a service without admin rights.