I cannot do that (but would like to). My question is still, how do I keep from having to have the db (MySQL, flat file, etc) be world writable?

The DB files could be protected so that only the user that the service runs as has write permission. But easier is to set the DB service to start automatically, which means it will start as soon as the machine boots. Which would be before any user can authenticate themselves. The DB would then obtain a lock on the DB file, and since Win32 provides compulsory locking semantics and not advisory locking semantics the files would be effectively locked to anyone other than the DB service.

Overall there are a number of ways to accomplish what you want. But they wont be the *nix ways, so you might have to look at a different approach. For instance I think you prematurely dismissed (and for reasons that I dont think were correct) the service based approach suggested earlier.