On Tue, Nov 8, 2016 at 11:36 AM, Tsunakawa, Takayuki
<tsunakawa.takay@jp.fujitsu.com> wrote:
> SECURITY_SERVICE_RID
> Accounts authorized to log on as a service. This is a group identifier added to the token of a process when it was
loggedas a service. The corresponding logon type is LOGON32_LOGON_SERVICE.
>
> I saw descriptions that LocalSystem is used by the SCM, but didn't find a statement that LocalSystem is used only by
SCMand services. In addition, if the check for LocalSystem is really necessary, LocalService and NetworkService also
needto be checked.
>
> https://msdn.microsoft.com/ja-jp/library/windows/desktop/ms684190(v=vs.85).aspx
That's what I looked at as well :) And this part is what caught my
attention, meaning that it is not used by anything else than the SCM:
"The LocalSystem account is a predefined local account used by the
service control manager."
And this implies, at least it seems to me, that trying to run Postgres
as this user is actually not something you'd want to do.
> (2)
> The OP wants to explicitly run postgres.exe outside the service even when his app runs as a service, so that the app
canread postgres's messages from its stdout/stderr. So, he disabled SECURITY_SERVICE_RID when starting postgres.exe.
Hisusers may run his app as a service under LocalSystem.
Good question, and I don't know how this is used.
--
Michael