2023. 5. 10. 11:59

How to prevent a service from being stopped by administrative users.

It is almost impossible to prevent administrators from stopping services.
But there are some ways to make it difficult for them.

  1. Ignoring the stop notification

SetServiceStatus function (winsvc.h) - Win32 apps (learn.microsoft.com): Updates the service control manager's status information for the calling service.

If you call this function without 'SERVICE_ACCEPT_STOP' in the dwControlsAccepted member of the SERVICE_STATUS structure, the service ignores the stop notification.

  2. Changing the access control on the service
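// Requires <atlsecurity.h>

// Get the DACL of the service
ATL::CDacl dacl;
bool result = ATL::AtlGetDacl(L"serviceName", SE_SERVICE, &dacl);

// Traverse all ACEs and remember the one to change
// (here, as an example, the allow ACE of the Administrators group)
UINT specificIndex = 0;
ATL::CSid specificSid;
ACCESS_MASK specificMask = 0;
BYTE specificFlags = 0;
bool found = false;
const UINT count = result ? dacl.GetAceCount() : 0;
for (UINT index = 0; index < count; ++index) {
  ATL::CSid aceSid;
  ACCESS_MASK mask = 0;
  BYTE type = 0;
  BYTE flags = 0;
  GUID objectType;
  GUID inheritedObjectType;
  dacl.GetAclEntry(index, &aceSid, &mask, &type, &flags, &objectType, &inheritedObjectType);
  if (type == ACCESS_ALLOWED_ACE_TYPE && aceSid == ATL::Sids::Admins()) {
    specificIndex = index;
    specificSid = aceSid;
    specificMask = mask;
    specificFlags = flags;
    found = true;
    break;
  }
}

// Change and set the access mask
if (found) {
  // Remove the old ACE
  dacl.RemoveAce(specificIndex);
  // Remove permissions (SERVICE_CHANGE_CONFIG and SERVICE_STOP)
  specificMask &= ~SERVICE_CHANGE_CONFIG;
  specificMask &= ~SERVICE_STOP;
  // Add the new ACE
  result = dacl.AddAllowedAce(specificSid, specificMask, specificFlags);
  // Write the modified DACL back to the service
  if (result) result = ATL::AtlSetDacl(L"serviceName", SE_SERVICE, dacl);
}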
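
The same DACL change can be checked in the SDDL text form that `sc sdshow` prints for a service, where `WP` stands for SERVICE_STOP and `DC` for SERVICE_CHANGE_CONFIG. The following is an added example, not code from the original post: the function name `hardenServiceSddl` and the descriptor strings it is given are assumptions made for illustration. It removes both rights from one trustee's allow ACEs and lists every other trustee that still holds either of them.

```cpp
// Added example, not code from the original post. Assumes rights are written as
// two-letter SDDL codes; hex masks and other forms are left untouched.
#include <string>
#include <vector>

const std::string kStop = "WP";          // SERVICE_STOP on a service object
const std::string kChangeConfig = "DC";  // SERVICE_CHANGE_CONFIG on a service object

static std::vector<std::string> splitFields(const std::string& ace) {
  std::vector<std::string> out(1);
  for (char c : ace)
    if (c == ';') out.emplace_back(); else out.back() += c;
  return out;
}

// Removes one right, stepping in pairs so "RP"+"WP" is never misread as "PW".
static std::string dropRight(const std::string& rights, const std::string& code) {
  if (rights.size() % 2 || rights.compare(0, 2, "0x") == 0) return rights;
  std::string out;
  for (size_t i = 0; i < rights.size(); i += 2)
    if (rights.compare(i, 2, code) != 0) out += rights.substr(i, 2);
  return out;
}

// Strips stop/change-config from the allow ACEs of `trustee` and records every
// other trustee whose allow ACE still grants one of the two rights.
std::string hardenServiceSddl(const std::string& sddl, const std::string& trustee,
                              std::vector<std::string>& stillAllowed) {
  std::string out;
  size_t pos = 0, open = 0, close = 0;
  while ((open = sddl.find('(', pos)) != std::string::npos &&
         (close = sddl.find(')', open)) != std::string::npos) {
    std::vector<std::string> f = splitFields(sddl.substr(open + 1, close - open - 1));
    if (f.size() == 6 && f[0] == "A") {  // type;flags;rights;object;inherit;sid
      std::string reduced = dropRight(dropRight(f[2], kStop), kChangeConfig);
      if (f[5] == trustee) f[2] = reduced;
      else if (reduced != f[2]) stillAllowed.push_back(f[5]);
    }
    out += sddl.substr(pos, open - pos) + "(";
    for (size_t i = 0; i < f.size(); ++i) out += (i ? ";" : "") + f[i];
    out += ")";
    pos = close + 1;
  }
  return out + sddl.substr(pos);
}
```

A trustee that keeps `WD` (WRITE_DAC) or `WO` (WRITE_OWNER) in its ACE can put the removed rights back, which is why this change makes stopping the service harder rather than impossible.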
2016. 5. 26. 17:54

SubInACL

SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

2013. 9. 25. 18:17

Windows Security Collection

http://technet.microsoft.com/en-us/library/cc784886(v=ws.10).aspx

-  Logon and Authentication Technologies

-  Authorization and Access Control Technologies

-  Data Security Technologies

-  PKI Technologies

-  Trust Technologies

2013. 8. 22. 18:03

SetACL

Automate Permissions and Manage ACLs



repository

https://setacl.svn.sourceforge.net/svnroot/setacl/code/

https://setacl.svn.sourceforge.net/svnroot/setacl/documentation/


location