The Settings Tab provides various options that control the service's runtime profile.

The following table describes the fields provided on the Settings tab.
General

Interact with Desktop
When checked, the service is allowed to interact with the desktop. The interactive components of the service are always displayed on the desktop of Session 0, so you will need to switch to the Session 0 desktop to view them. Interactive services can run as the default service account (i.e. LocalSystem) or as a user with local or domain administrative privileges. Interactive services will not work with any lower privileged account type (e.g. a domain user). If you intend to run your services using non-privileged credentials, ensure you uncheck Interact with Desktop.

Access to Session 0 is heavily restricted and may not be available on your Microsoft Windows Operating System. Please review our various Session 0 Isolation knowledge base articles in detail.
Show Window
The display mode of the interactive service. The following options are available:
  • Normal
  • Hidden (silently causes the Interact with Desktop setting to have no effect)
  • Minimized
  • Maximized (some applications may not respond to this setting)
Job Type
Determines whether the service is placed in a Job Group at runtime.

When the service is placed in a Local or Global job group:
  • Any child processes that the service spawns will be terminated when the service is stopped.
  • All processes in the job group must terminate for lifecycle options to take effect.
  • The service's scheduling priority is propagated to all processes in the job group.

Note: The actual scope of the Job Type is relevant only when the Windows Terminal Services server component is installed. A Terminal Services server has multiple namespaces for a variety of named kernel objects, including job objects. By default, all services are created in the Global scope. Local jobs exist only in the current client session namespace, so they do not interfere with other instances of the same program in other sessions.

Job Type settings are as follows:
  • None - select this setting if the service runs a single program instance.
  • Global - select this setting if the service spawns multiple program instances or if Windows Terminal Services is running on the system.
  • Local - this scope exists only in the current client session namespace, so it does not interfere with other instances of the same program in other sessions.
Load Order Group
The name of the Load Order Group in which to place the service (if any). See the Dependencies Tab for details about how Load Order Groups are used.

The naming conventions for the Load Order Group field are the same as for the Short Name field.
Logon

Logon Account
The name of the Windows user account that will own the service when that service is run.

The account can be any of the following:
  • A local account: .\<account> or <computer name>\<account>
  • One of three special system accounts:
    • LocalSystem
    • NT AUTHORITY\LocalService
    • NT AUTHORITY\NetworkService
  • A domain account: <DOMAIN>\<account>
  • A domain account: <domain.com>\<account>
  • A domain account: <account@domain.com>
  • A domain Managed Service Account: <domain.com>\<account>$
  • A domain Group Managed Service Account: <domain.com>\<account>$
  • A virtual service account: NT SERVICE\<serviceName>
  • A network virtual service account: <DOMAIN>\<hostname>$

If no account is specified, the service will run under the LocalSystem account.

A service may run as a user other than LocalSystem and interact with the desktop only if that user is a member of the local or domain Administrators group.

If an account other than LocalSystem is used to run the service, the account will be automatically granted the "Log on as a service" logon right (SeServiceLogonRight).

If an account other than LocalSystem is used to run the service and the Run Permissions are set to Windows Standard User, the account will be automatically granted the "Replace a process level token" privilege (SeAssignPrimaryTokenPrivilege).

If a service is to be started or restarted in session, the user account must be left blank or set to LocalSystem. This is because LocalSystem is the only account that can obtain a session token: it holds SeTcbPrivilege, which allows it to assume the identity of another user and gain access to the resources that user is authorised to access. Hence, when a FireDaemon Pro service runs as another user account (e.g. domain\UserA), it cannot obtain the session token for another user (e.g. domain\UserB). For more information, please see the Microsoft User Rights document.
Password
The password for the local or domain user account.

If the password of the user account is changed locally or on the Domain Controller, you will need to update this field and reinstall the service to reflect the change. If the password is not updated, the service will fail to start due to incorrect authorisation credentials.

Note: No password is required for Managed Service Accounts, Group Managed Service Accounts or virtual service accounts.
Confirm Password
The password must be re-entered to confirm the value in the Password field.

If the passwords do not match, FireDaemon Pro will not install the service.
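
As an added example (not part of the FireDaemon Pro documentation or product), the following Python helper applies the Logon Account, Password and Run Permissions rules above to a configured account string: it classifies the account format, reports whether a password must be stored, which rights are granted automatically, and whether in-session start is permitted. The function name, the `computer_name` parameter (used to tell a NetBIOS-style local account from a domain one) and all account names are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Built-in accounts (matched case-insensitively) that never need a stored password.
BUILTIN_ACCOUNTS = {"nt authority\\localservice", "nt authority\\networkservice"}

@dataclass(frozen=True)
class LogonAccountInfo:
    kind: str                        # localsystem, builtin, local, domain, msa_or_gmsa, ...
    password_required: bool          # False for built-in, MSA/gMSA and virtual accounts
    granted_rights: tuple            # rights granted automatically to non-LocalSystem accounts
    in_session_start_allowed: bool   # start/restart "in session" needs blank or LocalSystem

def classify_logon_account(account: str, run_permission: str = "Default",
                           computer_name: str = "") -> LogonAccountInfo:
    """Classify a Logon Account string (hypothetical helper, not FireDaemon Pro's API)."""
    name = account.strip()
    lower = name.lower()
    if lower in ("", "localsystem"):
        # A blank account means LocalSystem, which already holds SeTcbPrivilege.
        return LogonAccountInfo("localsystem", False, (), True)

    # Every other account is granted "Log on as a service"; the Windows Standard User
    # run permission additionally needs "Replace a process level token".
    rights = ("SeServiceLogonRight",)
    if run_permission.lower() == "windows standard user":
        rights += ("SeAssignPrimaryTokenPrivilege",)

    if lower in BUILTIN_ACCOUNTS:
        return LogonAccountInfo("builtin", False, rights, False)
    if lower.startswith("nt service\\"):
        return LogonAccountInfo("virtual", False, rights, False)
    if "@" in name and "\\" not in name:             # UPN form: account@domain.com
        return LogonAccountInfo("domain", True, rights, False)
    match = re.fullmatch(r"([^\\@]+)\\([^\\]+)", name)
    if not match:
        raise ValueError(f"unrecognised logon account format: {account!r}")
    prefix, user = match.groups()
    if user.endswith("$"):
        # domain.com\account$ is an MSA or gMSA; DOMAIN\hostname$ is the network virtual account
        kind = "msa_or_gmsa" if "." in prefix else "network_virtual"
        return LogonAccountInfo(kind, False, rights, False)
    if prefix == "." or (computer_name and prefix.lower() == computer_name.lower()):
        return LogonAccountInfo("local", True, rights, False)
    if "." in prefix:                                # DNS domain form: domain.com\account
        return LogonAccountInfo("domain", True, rights, False)
    # NetBIOS form (NAME\account): without the computer name it may be local or domain
    return LogonAccountInfo("local_or_domain", True, rights, False)
```
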
Run Permissions
The run permissions and Windows security identifier (SID) type setting for the service.

These affect which SIDs are present in the program's process token, its integrity level and its privileges. This makes it possible to control access to the objects used by a service, instead of relying on the LocalSystem account to obtain access.

  • Default Service User [no service SID]: Use Default Service User if you want to control access to securable system objects (e.g. files) based on the Logon Account, avoiding compatibility problems.
  • Unrestricted Service User [service SID present]: Use Unrestricted Service User if you want to control access to securable system objects (e.g. files) based on the service user [NT SERVICE\<service name>] in addition to the Logon Account.
  • Restricted Service User [service SID present]: Use Restricted Service User if you want to deny access to securable system objects (e.g. files) by default, unless it is explicitly granted to the service user [NT SERVICE\<service name>] or other special security identifiers (SIDs).
  • Windows Standard User [unelevated]: Use Windows Standard User if you want to run the program as an Unrestricted Service User with fewer privileges and without administrative rights, like a regular Windows user account.

For technical details on the service SID, please see Microsoft's API documentation and this article.

See the table below, which summarises the effect on process permissions of the program run under FireDaemon Pro control.

Processor Scheduling

Priority
The runtime scheduling priority of the service, its threads, and all child processes.

Note: Avoid using the Real-Time option (which preempts all other processes), as it also pre-empts the kernel scheduler.

Processor Group
A static set of processors as defined by Windows. For more information, see Processor Groups.

NUMA Nodes
This field shows on which NUMA node(s) the service will execute. It is filled in when a Processor Group and a CPU Binding other than 0 are selected. For more information, see NUMA Support.

CPU Bindings
Binds the service to specific cores on multi-CPU, multi-core machines.

You can enter the Affinity Mask as a binary, decimal or hexadecimal value. The displayed and expected number format depends on the CPU Bindings Radix specified in the Options dialog.

If no CPUs are selected, or all CPUs are selected, then the service can potentially run on any CPU, and the actual CPU in use will be decided by the Windows scheduler from one moment to the next.
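
The following added example (not FireDaemon Pro's own code) shows how an Affinity Mask entered in the configured radix maps to CPU indices within a processor group, including the "none or all selected" case above that leaves scheduling to Windows. The helper names are assumptions; the 64-processor upper bound is the documented Windows limit for a single processor group.

```python
MAX_PROCESSORS_PER_GROUP = 64   # a Windows processor group holds at most 64 logical processors

RADIX = {"binary": 2, "decimal": 10, "hexadecimal": 16}   # mirrors the CPU Bindings Radix option

def parse_affinity_mask(text: str, radix: str, processors_in_group: int) -> list:
    """Return the CPU indices an Affinity Mask selects (hypothetical helper).

    An empty list means "no effective binding": the mask is 0 or selects every CPU in
    the group, so the Windows scheduler chooses the CPU from one moment to the next.
    """
    if not 1 <= processors_in_group <= MAX_PROCESSORS_PER_GROUP:
        raise ValueError("a processor group has between 1 and 64 logical processors")
    base = RADIX[radix.lower()]
    cleaned = text.strip()
    # int() accepts a 0b/0x prefix only when it matches the radix, so a value typed in
    # the wrong format (e.g. 0x5 with the decimal radix) is rejected rather than misread.
    mask = int(cleaned, base) if cleaned else 0
    every_cpu = (1 << processors_in_group) - 1
    if mask & ~every_cpu:
        raise ValueError(f"mask {text!r} selects processors outside the {processors_in_group}-CPU group")
    if mask in (0, every_cpu):
        return []
    return [cpu for cpu in range(processors_in_group) if mask >> cpu & 1]

def format_affinity_mask(cpus, radix: str) -> str:
    """Build the Affinity Mask string for a set of CPU indices in the given radix."""
    mask = 0
    for cpu in cpus:
        if not 0 <= cpu < MAX_PROCESSORS_PER_GROUP:
            raise ValueError(f"CPU index {cpu} is outside a processor group")
        mask |= 1 << cpu
    base = RADIX[radix.lower()]
    return {2: format(mask, "b"), 10: str(mask), 16: format(mask, "X")}[base]
```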


Process Permissions Based On Logon Account and Run Permission

| Logon Account | Run Permission | Elevation  | Integrity Level | Privileges | Access Control                                   |
|---------------|----------------|------------|-----------------|------------|--------------------------------------------------|
| LocalSystem   | Default        | Elevated   | System          | All        | Only per LocalSystem account                     |
| LocalSystem   | Unrestricted   | Elevated   | System          | All        | Per LocalSystem account + per service            |
| LocalSystem   | Restricted     | Elevated   | System          | All        | Exclusively per service                          |
| LocalSystem   | Standard       | Unelevated | Medium          | Few        | Per unelevated LocalSystem account + per service |
| Local account | Default        | Elevated   | High            | All        | Only per local account                           |
| Local account | Unrestricted   | Elevated   | High            | All        | Per local account + per service                  |
| Local account | Restricted     | Elevated   | High            | All        | Exclusively per service                          |
| Local account | Standard       | Unelevated | Medium          | Few        | Per unelevated local account                     |