vdrake
Posts: 12
Joined: Tue Aug 17, 2021 3:25 am

SeServiceLogonRight not revoked from user on uninstall

Tue Aug 17, 2021 3:49 am

I've been modifying my Advanced Installer script to offer an alternative to installing our service with the highly-privileged LocalSystem account.
I've successfully gotten the installer to install the service with an existing local/domain account as well as a new local account (created by the installer).

The problem is that the SeServiceLogonRight privilege is not revoked from the account after uninstalling my product.
This is especially ugly in the case of a new account. After persisting new local user account, the uninstall process successfully removes the local account, but the Local Security Policy / Local Policies / User Rights Assignment / Log on as a service displays the removed account's SID

At what point in the uninstall should this privilege be removed?
Must I do something else to clean this up properly?

Liviu
Posts: 1034
Joined: Tue Jul 13, 2021 11:29 am
Contact:  Website

Re: SeServiceLogonRight not revoked from user on uninstall

Thu Aug 19, 2021 2:40 pm

Hi,

I'm afraid that this is the default implementation, we just don't remove it on uninstall.

You can try using a custom action configured to run under "Install Execution Stage" on uninstall to remove this privilege.

This custom action could, for example, launch a batch file that deletes the privilege.
Have a look on this article: How can I edit local security policy from a batch file?
SeDenyServiceLogonRight may be what you need.


Hope this helps! If you have any other questions please don't hesitate to contact us.

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

vdrake
Posts: 12
Joined: Tue Aug 17, 2021 3:25 am

Re: SeServiceLogonRight not revoked from user on uninstall

Thu Aug 19, 2021 10:12 pm

Thanks liviu! I'll check out the script option you've linked.

Liviu
Posts: 1034
Joined: Tue Jul 13, 2021 11:29 am
Contact:  Website

Re: SeServiceLogonRight not revoked from user on uninstall

Fri Aug 20, 2021 7:11 am

You are always welcome!

Please let us know if there is anything else we could help you with and we will gladly assist.

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Return to “Common Problems”