Microsoft Dev Blogs

On the confusing names for the Windows service SID types


  • Windows services can specify both the account they run as and whether (and how) a service-specific SID, NT SERVICE\&lt;name&gt;, appears in the service's process token. This is the service SID type: None, Unrestricted, or Restricted.

  • There is confusion regarding the naming of the service SID types, specifically the "Restricted" and "Unrestricted" types.

  • The documentation for the "Restricted" type states that it includes the "Unrestricted" type, which is counterintuitive until you see that the names describe the SID's role in the token, not how much access the service has: SERVICE_SID_TYPE_UNRESTRICTED is 0x1, and SERVICE_SID_TYPE_RESTRICTED is 0x2 combined with that bit, so Restricted really does include Unrestricted.

  • Having the service SID in the token lets the service reach resources whose ACL grants access to that SID, which is how you give one specific service access to a file, registry key or pipe without granting it to every process running as the same account.

  • To add the service SID to the token as a normal group, the service is configured with SERVICE_SID_TYPE_UNRESTRICTED (via ChangeServiceConfig2 with SERVICE_CONFIG_SERVICE_SID_INFO, or `sc sidtype <service> unrestricted`). SERVICE_SID_TYPE_RESTRICTED adds the SID in the same way and additionally makes the token write-restricted, so the service can only write to objects whose ACL grants one of its restricting SIDs (the service SID among them). "Restricted" restricts the service itself; it does not protect the service's files from anyone else. `sc showsid <service>` prints the SID for a given service name.

  • A vulnerability report claimed that one service could access files created by another service even though the first service's SID type was Unrestricted; the report rests on a misreading of what that type means.

  • The report's premise was that once a service is Unrestricted, the files it creates belong to the service SID and are therefore off limits to other services. That is not what the setting does: it adds a SID to the token and takes nothing away from the account the service runs as.

  • The second service, running as Local Service like the first, could access the first service's files because both hold the same account and therefore the same rights to anything that grants Local Service. That is expected behaviour, not a vulnerability. If a service's files are meant to be private to it, their ACL has to grant the service SID rather than the shared account.
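The following is an added example, not code from the blog post or from Windows itself. It derives the NT SERVICE\&lt;name&gt; SID the way Windows does (S-1-5-80- followed by the SHA-1 of the upper-cased UTF-16LE service name, split into five 32-bit values) and then models the three SID types as tokens run through a simplified two-pass access check: the normal pass over the user and group SIDs, and for a write-restricted token a second pass over the restricting SIDs that only applies when write access is requested. The service names SvcA and SvcB, the logon SID, the two-bit access mask, the group set of the Local Service account and the two file DACLs are all constructed for the demonstration; the restricting SID set (service SID, Everyone, WRITE RESTRICTED, logon SID) follows the documented behaviour but is a model, not the kernel's code.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Well-known SIDs used by this model.
LOCAL_SERVICE = "S-1-5-19"       # NT AUTHORITY\LOCAL SERVICE
SYSTEM = "S-1-5-18"              # NT AUTHORITY\SYSTEM
EVERYONE = "S-1-1-0"
WRITE_RESTRICTED = "S-1-5-33"    # NT AUTHORITY\WRITE RESTRICTED
LOGON_SID = "S-1-5-5-0-999"      # constructed logon-session SID for the model

# Toy access mask: the only "write" right in this model is FILE_WRITE.
FILE_READ, FILE_WRITE = 0x1, 0x2
WRITE_RIGHTS = FILE_WRITE


def service_sid(name: str) -> str:
    """Derive NT SERVICE\\<name>: S-1-5-80- plus the SHA-1 of the upper-cased
    service name in UTF-16LE, split into five little-endian 32-bit values."""
    digest = hashlib.sha1(name.upper().encode("utf-16-le")).digest()
    subs = [int.from_bytes(digest[i:i + 4], "little") for i in range(0, 20, 4)]
    return "S-1-5-80-" + "-".join(str(s) for s in subs)


@dataclass
class Token:
    user: str
    groups: frozenset
    restricted: Optional[frozenset] = None  # None: not a write-restricted token


def service_token(name: str, sid_type: str) -> Token:
    """Model of the token the SCM hands a Local Service process for each SID type."""
    sid = service_sid(name)
    groups = {LOCAL_SERVICE, EVERYONE, LOGON_SID}        # account groups, simplified
    if sid_type == "none":
        return Token(LOCAL_SERVICE, frozenset(groups))
    if sid_type == "unrestricted":                       # service SID added as a normal group
        return Token(LOCAL_SERVICE, frozenset(groups | {sid}))
    if sid_type == "restricted":                         # ...and also as a restricting SID
        return Token(LOCAL_SERVICE, frozenset(groups | {sid}),
                     restricted=frozenset({sid, EVERYONE, WRITE_RESTRICTED, LOGON_SID}))
    raise ValueError(f"unknown SID type {sid_type!r}")


def _dacl_pass(sids, dacl, desired: int) -> bool:
    """One pass of the DACL walk. ACEs are (allow, sid, mask) tuples in order."""
    granted = 0
    for allow, sid, mask in dacl:
        if sid not in sids:
            continue
        if not allow and (mask & desired & ~granted):
            return False                                 # deny ACE hits an ungranted bit
        if allow:
            granted |= mask & desired
            if granted == desired:
                return True
    return granted == desired


def access_check(token: Token, dacl, desired: int) -> bool:
    """Normal pass over user+groups; a write-restricted token gets a second pass
    over its restricting SIDs, but only when write rights are requested."""
    if not _dacl_pass({token.user} | token.groups, dacl, desired):
        return False
    if token.restricted is not None and (desired & WRITE_RIGHTS):
        return _dacl_pass(token.restricted, dacl, desired)
    return True


def demo() -> dict:
    """Constructed scenario with two hypothetical services, SvcA and SvcB."""
    a_unres = service_token("SvcA", "unrestricted")
    a_res = service_token("SvcA", "restricted")
    b = service_token("SvcB", "unrestricted")
    rw = FILE_READ | FILE_WRITE
    # A file whose DACL grants the Local Service account, which both services share.
    account_file = [(True, SYSTEM, rw), (True, LOCAL_SERVICE, rw)]
    # A file whose DACL names only SvcA's service SID.
    svca_file = [(True, SYSTEM, rw), (True, service_sid("SvcA"), rw)]
    return {
        "b_writes_account_file": access_check(b, account_file, FILE_WRITE),
        "b_writes_svca_file": access_check(b, svca_file, FILE_WRITE),
        "a_unrestricted_writes_svca_file": access_check(a_unres, svca_file, FILE_WRITE),
        "a_restricted_writes_account_file": access_check(a_res, account_file, FILE_WRITE),
        "a_restricted_reads_account_file": access_check(a_res, account_file, FILE_READ),
        "a_restricted_writes_svca_file": access_check(a_res, svca_file, FILE_WRITE),
    }


if __name__ == "__main__":
    print("NT SERVICE\\MSSQLSERVER =", service_sid("MSSQLSERVER"))
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The results make the blog's point concrete: SvcB writes the account-owned file because it runs as the same account as SvcA, whichever SID type SvcA has; SvcB is refused on the file that grants only SvcA's SID; and marking SvcA Restricted does not protect SvcA's files from anyone, it stops SvcA itself from writing to the account-owned file while still letting it read it. The block also prints the well-known SID of NT SERVICE\MSSQLSERVER so the derivation can be checked against `sc showsid MSSQLSERVER` on a machine with SQL Server installed.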