From 97fdc0b08090261f6dd3566a36eff1831e670f1b Mon Sep 17 00:00:00 2001
From: Michal Pristas <michal.pristas@gmail.com>
Date: Fri, 16 Oct 2020 10:21:25 +0200
Subject: [PATCH 1/2] ML

---
 x-pack/elastic-agent/pkg/agent/install/svc_windows.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/x-pack/elastic-agent/pkg/agent/install/svc_windows.go b/x-pack/elastic-agent/pkg/agent/install/svc_windows.go
index 9084f3b5ea7..a60aadb5494 100644
--- a/x-pack/elastic-agent/pkg/agent/install/svc_windows.go
+++ b/x-pack/elastic-agent/pkg/agent/install/svc_windows.go
@@ -10,10 +10,14 @@ import (
 	"golang.org/x/sys/windows"
 )
 
+const (
+	ML_SYSTEM_RID = 0x4000
+)
+
 // RunningUnderSupervisor returns true when executing Agent is running under
 // the supervisor processes of the OS.
 func RunningUnderSupervisor() bool {
-	serviceSid, err := allocSid(windows.SECURITY_SERVICE_RID)
+	serviceSid, err := allocSid(ML_SYSTEM_RID)
 	if err != nil {
 		return false
 	}
@@ -40,7 +44,7 @@ func RunningUnderSupervisor() bool {
 
 func allocSid(subAuth0 uint32) (*windows.SID, error) {
 	var sid *windows.SID
-	err := windows.AllocateAndInitializeSid(&windows.SECURITY_NT_AUTHORITY,
+	err := windows.AllocateAndInitializeSid(&windows.SECURITY_MANDATORY_LABEL_AUTHORITY,
 		1, subAuth0, 0, 0, 0, 0, 0, 0, 0, &sid)
 	if err != nil {
 		return nil, err

From 8a9ba1dbc15059bd266fb124bc7b7475b2c5d5e6 Mon Sep 17 00:00:00 2001
From: Michal Pristas <michal.pristas@gmail.com>
Date: Fri, 16 Oct 2020 10:49:16 +0200
Subject: [PATCH 2/2] changelog

---
 x-pack/elastic-agent/CHANGELOG.next.asciidoc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc
index deae2522773..dddde0c43bf 100644
--- a/x-pack/elastic-agent/CHANGELOG.next.asciidoc
+++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc
@@ -16,6 +16,7 @@
 - Include inputs in action store actions {pull}21298[21298]
 - Fix issue where inputs without processors defined would panic {pull}21628[21628]
 - Partial extracted beat result in failure to spawn beat {issue}21718[21718]
+- Use ML_SYSTEM to detect if agent is running as a service {pull}21884[21884]
 
 ==== New features