Windows Services

A Windows "service" is a special type of application that runs in the background without a logged-on user, is managed by the Service Control Manager, and is usually started automatically when the computer boots. Services are used to start and manage core Windows functionality such as Windows Defender, Windows Firewall, Windows Update and more. Third party applications may also install a Windows Service to manage how and when they're run.

You can list the services installed on a machine by opening services.msc, or via the sc command line tool. Note that a plain sc query shows only running services; use sc query state= all to include stopped ones.

C:\>sc query

SERVICE_NAME: Appinfo
DISPLAY_NAME: Application Information
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: AudioEndpointBuilder
DISPLAY_NAME: Windows Audio Endpoint Builder
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0


And the Get-Service PowerShell cmdlet.

PS C:\> Get-Service | fl

Name                : AJRouter
DisplayName         : AllJoyn Router Service
Status              : Stopped
DependentServices   : {}
ServicesDependedOn  : {}
CanPauseAndContinue : False
CanShutdown         : False
CanStop             : False
ServiceType         : Win32ShareProcess

Name                : ALG
DisplayName         : Application Layer Gateway Service
Status              : Stopped
DependentServices   : {}
ServicesDependedOn  : {}
CanPauseAndContinue : False
CanShutdown         : False
CanStop             : False
ServiceType         : Win32OwnProcess


A service has several properties that we may want to pay attention to:

Binary Path

This is the path to the executable (.exe) that the Service Control Manager launches for the service, including any command line arguments. Built-in Windows services are usually located in C:\Windows\System32, and third party services in C:\Program Files or C:\Program Files (x86).

Startup Type

This dictates when the service should start.

  • Automatic - The service starts immediately on boot.

  • Automatic (Delayed Start) - The service starts shortly after boot, once the Automatic services have started, so that it does not slow down boot and desktop load.

  • Manual - The service only starts when something explicitly asks for it: a user, an application, or another service that depends on it.

  • Disabled - The service is disabled and won't run.

Service Status

This is the current status of the service.

  • Running - The service is running.

  • Stopped - The service is not running.

  • StartPending - The service has been asked to start and is executing its startup procedure.

  • StopPending - The service has been asked to stop and is executing its shutdown procedure.

Log On As

The user account that the service is configured to run as.

This could be a domain or local account, or one of the built-in service accounts (LOCAL SYSTEM, LOCAL SERVICE, NETWORK SERVICE). It is very common for services to run as highly privileged accounts, even domain admins, or as LOCAL SYSTEM. This is why services are an attractive target for both local and domain privilege escalation.

Dependents & Dependencies

These are services that the current service depends on in order to run, or other services that depend on this service in order to run. This information is mainly important for understanding the potential impact of manipulating the service: stopping a service also stops everything that depends on it.
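The following function, added here as an example and not taken from the original page, collects every property discussed above for each service in one table. It joins Win32_Service (binary path, startup type, log on account) with Get-Service (dependencies), and an optional switch keeps only services that run from outside System32 or under a non-built-in account. The function name and the -InterestingOnly switch are assumptions; it assumes PowerShell 5.1 or later on Windows 10 / Server 2016 or later, since older builds lack the DelayedAutoStart property.

```powershell
# Added example; not part of the original page. Names are hypothetical.
function Get-ServiceOverview {
    [CmdletBinding()]
    param(
        # Keep only services whose binary is outside System32 or that run as a
        # non-built-in account: the ones worth a closer look first.
        [switch]$InterestingOnly
    )

    $builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

    # Get-Service knows about dependencies; Win32_Service knows path, start mode and account.
    $byName = @{}
    Get-Service | ForEach-Object { $byName[$_.Name] = $_ }

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $ci   = $_
        $svc  = $byName[$ci.Name]
        $path = [string]$ci.PathName

        # The image path may be quoted and may carry arguments; isolate the executable.
        $exe = if ($path -match '^"?([^"]*?\.exe)') { $Matches[1] } else { $path.Trim('"') }

        # Win32_Service reports delayed start as 'Auto' plus a separate boolean
        # (DelayedAutoStart exists on Windows 10 / Server 2016 and later only).
        $startup = if ($ci.StartMode -eq 'Auto' -and $ci.DelayedAutoStart) { 'Automatic (Delayed Start)' }
                   else { $ci.StartMode }

        $dependsOn  = @($svc.ServicesDependedOn | ForEach-Object Name) -join ', '
        $dependents = @($svc.DependentServices  | ForEach-Object Name) -join ', '

        [pscustomobject]@{
            Name        = $ci.Name
            DisplayName = $ci.DisplayName
            Status      = $ci.State
            StartupType = $startup
            LogOnAs     = $ci.StartName
            BinaryPath  = $path
            Executable  = $exe
            InSystem32  = $exe -like "$env:SystemRoot\System32\*"
            DependsOn   = $dependsOn
            Dependents  = $dependents
        }
    } | Where-Object {
        -not $InterestingOnly -or -not $_.InSystem32 -or ($_.LogOnAs -notin $builtIn)
    }
}

# Usage: the full table, then only the services worth a closer look
Get-ServiceOverview | Format-Table Name, Status, StartupType, LogOnAs, Executable -AutoSize
Get-ServiceOverview -InterestingOnly | Format-List
```

Nothing here needs elevation: both Get-Service and Win32_Service are readable by standard users, which is exactly why this is a good first pass during enumeration.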

Like files and folders, services themselves (not just the .exe) have a security descriptor with permissions assigned to them. This controls which users can query, modify, start or stop the service. Some highly sensitive services such as Windows Defender cannot be stopped, even by administrators. Other services may have much weaker permissions, such as allowing standard users to change the service configuration, which can be abused for privilege escalation.
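To see those permissions, the service DACL can be read with sc sdshow and decoded. The function below is an added example, not code from the original page: it parses the SDDL string that sc.exe prints, names the service-specific rights from winsvc.h that each ACE grants, and flags any ACE that gives a well-known low-privilege principal (Everyone, Authenticated Users, Users, INTERACTIVE) a right that allows reconfiguring the service or rewriting its ACL. The function name and the Hijackable column are assumptions; the access mask values are the documented SERVICE_* constants. Reading the descriptor needs READ_CONTROL on the service, which standard users normally have.

```powershell
# Added example; not part of the original page. Names are hypothetical.
function Get-ServiceDacl {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Name)

    # sc.exe prints a blank line and then the SDDL string (or an error message)
    $out  = & sc.exe sdshow $Name 2>&1
    $text = @($out | ForEach-Object { "$_".Trim() })
    $sddl = $text | Where-Object { $_ -match '^[DOGS]:' } | Select-Object -First 1
    if (-not $sddl) { throw "sc sdshow $Name failed: $($text -join ' ')" }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    if ($null -eq $sd.DiscretionaryAcl) { return }

    # Service-specific rights (winsvc.h) plus the standard and generic rights that matter
    $rights = [ordered]@{
        QueryConfig = 0x0001; ChangeConfig = 0x0002; QueryStatus = 0x0004; EnumDependents = 0x0008
        Start = 0x0010; Stop = 0x0020; PauseContinue = 0x0040; Interrogate = 0x0080; UserControl = 0x0100
        Delete = 0x00010000; ReadControl = 0x00020000; WriteDac = 0x00040000; WriteOwner = 0x00080000
        GenericAll = 0x10000000; GenericWrite = 0x40000000
    }
    # Rights that let the holder reconfigure the service or rewrite its ACL
    $takeover = 0x0002 -bor 0x00040000 -bor 0x00080000 -bor 0x10000000 -bor 0x40000000
    # Well-known SIDs that every standard user carries
    $lowPriv  = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'   # Everyone, Authenticated Users, Users, INTERACTIVE

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid   = $ace.SecurityIdentifier
        $mask  = [int]$ace.AccessMask
        $who   = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        $names = @($rights.Keys | Where-Object { ($mask -band $rights[$_]) -ne 0 })

        [pscustomobject]@{
            Service    = $Name
            AceType    = $ace.AceType
            Principal  = $who
            Sid        = $sid.Value
            Rights     = $names -join ','
            Hijackable = ($ace.AceType -eq 'AccessAllowed') -and
                         (($mask -band $takeover) -ne 0) -and
                         ($sid.Value -in $lowPriv)
        }
    }
}

# Usage: inspect one service, then sweep every service for weak ACEs
Get-ServiceDacl -Name Spooler | Format-Table -AutoSize
Get-Service | ForEach-Object {
    try { Get-ServiceDacl -Name $_.Name } catch { Write-Warning $_ }
} | Where-Object Hijackable
```

A hit on Hijackable is a lead, not a confirmed vulnerability: check who actually holds the SID, whether the service runs under an account worth having, and whether you can start or stop it (the Start and Stop columns) or must wait for a reboot.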

After a service has been manipulated to trigger a privilege escalation, it needs to be restarted (or started if it's currently stopped) before the change takes effect. In some cases this can be done with the management tools, if you have the required start/stop permissions on the service. Otherwise you'll need to rely on a reboot, which only helps if the service is set to start automatically.

OPSEC: Restore the service configuration once you are done. Make sure you don't interrupt business-critical services, and seek permission before exploiting these types of vulnerabilities.
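The restart and restore steps above can be scripted so that the original configuration is captured before anything is touched. The functions below are an added example, not code from the original page: one snapshots the fields that get changed (binary path, start mode, delayed start, log on account), one restores them through the Win32_Service.Change CIM method (which avoids the quoting pitfalls of passing paths to sc.exe config), and one tries to restart the service and, if it cannot, reports whether a reboot will pick up the change. Function names are hypothetical. Restoring a custom log on account is deliberately left out, because Change requires that account's password; the snapshot still records it so you know what to put back.

```powershell
# Added example; not part of the original page. Names are hypothetical.
function Get-ServiceSnapshot {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($Name -replace "'", "''")'"
    if (-not $svc) { throw "Service '$Name' not found" }
    [pscustomobject]@{
        Name             = $svc.Name
        PathName         = $svc.PathName
        StartMode        = $svc.StartMode        # Boot, System, Auto, Manual, Disabled
        DelayedAutoStart = [bool]$svc.DelayedAutoStart
        StartName        = $svc.StartName        # recorded, not restored (needs the password)
        State            = $svc.State
        TakenAt          = Get-Date
    }
}

function Restore-ServiceSnapshot {
    param([Parameter(Mandatory)]$Snapshot)
    # Win32_Service.Change spells automatic as 'Automatic'; the StartMode property says 'Auto'
    $mode = if ($Snapshot.StartMode -eq 'Auto') { 'Automatic' } else { $Snapshot.StartMode }
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($Snapshot.Name -replace "'", "''")'"
    if (-not $svc) { throw "Service '$($Snapshot.Name)' not found" }

    $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        PathName  = $Snapshot.PathName
        StartMode = $mode
    }
    if ($r.ReturnValue -ne 0) { throw "Change on $($Snapshot.Name) failed with return code $($r.ReturnValue)" }

    # Delayed start is a separate registry flag that Change does not cover.
    # Only write it when it was set, or when the value already exists, to avoid leaving a new artifact.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Snapshot.Name)"
    $existing = Get-ItemProperty -Path $key -Name DelayedAutostart -ErrorAction SilentlyContinue
    if ($Snapshot.DelayedAutoStart -or $existing) {
        Set-ItemProperty -Path $key -Name DelayedAutostart -Value ([int]$Snapshot.DelayedAutoStart) -Type DWord
    }
}

function Restart-ServiceOrExplain {
    param([Parameter(Mandatory)][string]$Name)
    try {
        if ((Get-Service -Name $Name).Status -eq 'Running') {
            # -Force lets the restart proceed when dependent services are running (they are stopped too)
            Restart-Service -Name $Name -Force -ErrorAction Stop
        } else {
            Start-Service -Name $Name -ErrorAction Stop
        }
        return "$Name restarted"
    } catch {
        $mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$($Name -replace "'", "''")'").StartMode
        if ($mode -eq 'Auto') {
            return "No start/stop right on $Name ($($_.Exception.Message)); it will pick up the change on reboot"
        }
        return "No start/stop right on $Name and its start mode is $mode; a reboot alone will not start it"
    }
}

# Usage
$snap = Get-ServiceSnapshot -Name Spooler
# ... modify the service here ...
Restore-ServiceSnapshot -Snapshot $snap
Restart-ServiceOrExplain -Name Spooler
```

Keep the snapshot object (for example with Export-Clixml) somewhere outside the target before you change anything, so the original values survive even if your session is lost.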
