// der erste ist der SD den der Dienst normalerweise hat wenn man ihn nicht anpasst.
//ACL (SDDL )
SECURITY_DESCRIPTOR_STANDARD = 'D:' +
  '(A;;CCLCSWRPWPDTLOCRRC;;;SY)' + // default permissions for local system
  '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' + // default permissions for administrators
  '(A;;CCLCSWLOCRRC;;;AU)' + // default permissions for authenticated users
  '(A;;CCLCSWRPWPDTLOCRRC;;;PU)' + // default permissions for power users
  '(A;;CCDCLCSWRPWPDTLOCRSDRC;;;BU)'+ // Built IN Users
  '(A;;RP;;;IU)'; // added permission: start service for interactive users

SECURITY_DESCRIPTOR_ALLOW_START_BY_USER = 'D:' +
  '(A;;CCLCSWRPWPDTLOCRRC;;;SY)' + // default permissions for local system
  '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' + // default permissions for built-in administrators
  '(A;;CCLCSWRPLOCRRC;;;IU)'+ // permissions for interactively logged-on user von MozillaMaintainance und ChromeElevation
  '(A;;CCLCSWRPLOCRRC;;;SU)'+ // permissions for service logon user von MozillaMaintainance und ChromeElevation
  '(A;;CCDCLCSWRPWPDTLOCRSDRC;;;BU)'+ // permissions for built-in users
  '(A;;CCLCSWRPLOCRRC;;;AU)' + // default permissions for authenticated users
  '(A;;CCLCSWRPWPDTLOCRRCRP;;;PU)'; // default permissions for power users

const
  advapi32 = 'advapi32.dll';
  {$IFDEF UNICODE}
  AWSuffix = 'W';
  {$ELSE}
  AWSuffix = 'A';
 {$ENDIF UNICODE}
function ConvertStringSecurityDescriptorToSecurityDescriptorA; external advapi32 name 'ConvertStringSecurityDescriptorToSecurityDescriptorA';
function ConvertStringSecurityDescriptorToSecurityDescriptorW; external advapi32 name 'ConvertStringSecurityDescriptorToSecurityDescriptorW';
function ConvertStringSecurityDescriptorToSecurityDescriptor; external advapi32 name 'ConvertStringSecurityDescriptorToSecurityDescriptor' + AWSuffix;


Procedure SetServiceSecurityDescriptor(ServiceName,Permission:String);// in ServiceAfterInstall ausführen da hat man immer Admin Rechte.
var
  SA: TSecurityAttributes;
  SvcMgr,SvcHandle: SC_HANDLE;
Begin
  SA.nLength := SizeOf(SA);
  SA.bInheritHandle := True;
  if not ConvertStringSecurityDescriptorToSecurityDescriptor(PWideChar(Permission),
                                                         1,
                                                         SA.lpSecurityDescriptor,
                                                         nil
                                                         ) then RaiseLastOSError;
{$IF DEFINED(CLR)}   //A.R. CLR = Common Language Runtime = .NET
  SvcMgr := OpenSCManager('', nil, SC_MANAGER_ALL_ACCESS);
{$ELSE}
  SvcMgr := OpenSCManager(nil, nil, SC_MANAGER_ALL_ACCESS);
{$ENDIF}
  if SvcMgr = 0 then RaiseLastOSError;
  try
    SvcHandle := OpenService(SvcMgr, PWidechar(ServiceName) , SERVICE_ALL_ACCESS);
    if SvcHandle = 0 then RaiseLastOSError;
    try
      SetServiceObjectSecurity(SVCHandle,DACL_SECURITY_INFORMATION,SA.lpSecurityDescriptor);
    finally
      CloseServiceHandle(SvcHandle);
    end;
  finally
    CloseServiceHandle(SvcMgr);
  end;
  LocalFree(HLOCAL(SA.lpSecurityDescriptor));
end;