Windows: confused over the LocalSystem and LocalService accounts

Note: this page is a Chinese-English bilingual translation of a popular StackOverflow question and is provided under the CC BY-SA 4.0 license. If you reuse it you must do so under the same CC BY-SA license, cite the original URL, and attribute it to the original authors (not me). Original StackOverflow question: http://stackoverflow.com/questions/1301080/

Date: 2020-09-15 13:00:41  Source: igfitidea

Confused over LocalSystem and LocalService Accounts

Tags: windows, security, windows-services, localsystem

Asked by

I am new to windows services programming. I have confusion about what to set the Account type while writing a windows services.

How to choose or how to determine to which account type we need to set while writing a service?

Answered by Jay

We generally create special Windows accounts (local for local-only access, or domain accounts for things that need to authenticate across the network) to run custom services. This way we can restrict and lock down the permissions to make sure it only has access to what we need. You can also see which specific users are culprits or resource hogs with monitoring on a shared server.

As for the built in accounts...

Local System: The built-in LocalSystem user account has a high level of access privileges; it is part of the Administrators group.

Network Service: The built-in Network Service user account has fewer access privileges on the system than the LocalSystem user account, but the Network Service user account is still able to interact throughout the network with the credentials of the computer account.

Local Service: The built-in Local Service user account has fewer access privileges on the computer than the Network Service user account, and those user privileges are limited to the local computer. Use the Local Service user account if the worker process does not require access outside the server on which it is running. Source(s): Microsoft Technet

Answered by Sanjay Dwivedi

LocalSystem

The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function.

It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The names LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService or ChangeServiceConfig function, any password information you provide is ignored.

NetworkService

The NetworkService account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has minimum privileges on the local computer and acts as the computer on the network.

This account can be specified in a call to the CreateService and ChangeServiceConfig functions. Note that this account does not have a password, so any password information that you provide in this call is ignored. While the security subsystem localizes this account name, the SCM does not support localized names. Therefore, you will receive a localized name for this account from the LookupAccountSid function, but the name of the account must be NT AUTHORITY\NetworkService when you call CreateService or ChangeServiceConfig, regardless of the locale, or unexpected results can occur.

A service that runs in the context of the NetworkService account presents the computer's credentials to remote servers. By default, the remote token contains SIDs for the Everyone and Authenticated Users groups. The user SID is created from the SECURITY_NETWORK_SERVICE_RID value.

The NetworkService account has its own subkey under the HKEY_USERS registry key. Therefore, the HKEY_CURRENT_USER registry key is associated with the NetworkService account.
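An added PowerShell example, not part of either answer above, that ties the two together: it resolves the well-known SIDs of the three built-in service accounts to show the localized names a LookupAccountSid-style lookup returns (as opposed to the fixed SCM names CreateService expects), inventories which services run as LocalSystem so they can be reviewed for a less privileged account, and reconfigures a service to LocalService. The service name `MyWorkerSvc` is a placeholder; the script assumes an elevated Windows PowerShell 5.1 (or later) prompt.

```powershell
# Added example (not from the original answers). Assumes an elevated prompt and
# that a service named "MyWorkerSvc" (placeholder) exists when step 3 runs.

# 1. The SCM-facing names are fixed across locales, but the security subsystem
#    returns localized display names. Translating the well-known SIDs shows what
#    this machine's locale reports, e.g. S-1-5-18 -> "NT AUTHORITY\SYSTEM".
$builtinServiceAccounts = [ordered]@{
    'NT AUTHORITY\LocalSystem'    = 'S-1-5-18'
    'NT AUTHORITY\LocalService'   = 'S-1-5-19'
    'NT AUTHORITY\NetworkService' = 'S-1-5-20'
}
foreach ($entry in $builtinServiceAccounts.GetEnumerator()) {
    $sid           = [System.Security.Principal.SecurityIdentifier]::new($entry.Value)
    $localizedName = $sid.Translate([System.Security.Principal.NTAccount]).Value
    '{0,-30} {1,-10} lookup returns "{2}"' -f $entry.Key, $entry.Value, $localizedName
}

# 2. Least-privilege inventory: every service running as LocalSystem carries an
#    Administrators-level token. Win32_Service.StartName holds the configured
#    account; the SCM reports the built-in one simply as "LocalSystem".
$services = Get-CimInstance -ClassName Win32_Service
$services | Group-Object -Property StartName | Sort-Object Count -Descending |
    Select-Object @{Name = 'Account'; Expression = { $_.Name }}, Count |
    Format-Table -AutoSize

$systemServices = @($services | Where-Object { $_.StartName -eq 'LocalSystem' })
'{0} of {1} services run as LocalSystem; review each for a lower-privilege account.' -f
    $systemServices.Count, $services.Count

# 3. A worker that needs no access outside this host belongs under LocalService.
#    sc.exe needs the literal SCM name (not the localized one) and no password,
#    since passwords are ignored for built-in accounts. Call sc.exe explicitly:
#    bare "sc" is a PowerShell alias for Set-Content. The space after "obj=" is required.
$serviceName = 'MyWorkerSvc'   # placeholder service name
if (Get-Service -Name $serviceName -ErrorAction SilentlyContinue) {
    sc.exe config $serviceName obj= 'NT AUTHORITY\LocalService'
    Restart-Service -Name $serviceName
    # Confirm the change took effect
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'").StartName
}
```

Step 3 only changes the account the service runs under; if the service wrote to paths or registry keys only SYSTEM could reach, grant LocalService the specific rights it needs rather than moving it back.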