Services
Management
Check CLI#Services for sc.exe and *-Service cmdlets.
Status
Running
Stopped
Paused
Startup mode
Manual
Auto
Delayed at system boot
Disabled
Category
Local Services: Restricted privileges - Access to local resources
Network Services: Limited privileges - Access network resources
System Services: High privileges - Full access to local & network resources
Service accounts
Services run under 3 native service accounts, one for each service category
Most often services run under LocalSystem privileges.
NT AUTHORITY\LocalService => For local services
NT AUTHORITY\NetworkService => For network services
NT AUTHORITY\SYSTEM or LocalSystem => For system services
Common Services
smss.exe (Session Manager Subsystem): Initializes user sessions, sets up environment variables.
csrss.exe (Client Server Runtime Subsystem): Manages console windows and some aspects of the graphical subsystem.
winlogon.exe (WinLogon): Manages login and logout procedures, invokes GINA (Graphical Identification and Authentication).
lsass.exe (Local Security Authority Subsystem Service): Handles security policies and local authentication.
svchost.exe (Service Host): Container process for running Windows services, often runs multiple instances for different services.
MsMpEng.exe: Windows Defender
DACL for Services
Both Windows services and files have DACLs, but they are applied differently.
For files, DACLs define who can read, write, execute, etc.
For services, DACLs control who can start, stop, configure, or delete the service among other actions like Read (R) and Write (W).
Service Path
When a service is installed, the registry configuration specifies a path to the binary that should be executed on service start. If this binary is not encapsulated within quotes, Windows will attempt to locate the binary in different folders.
Unquoted Service Path
If the path to the binary of a service (e.g. C:\Program Files (x86)\System Explorer\service\MyService) isn't enclosed in quotes, Windows will attempt to load the following potential executables in order on service start, with a .exe extension implied:
C:\Program
C:\Program Files
C:\Program Files (x86)\System
C:\Program Files (x86)\System Explorer\service\MyService
This means an attacker could create binaries to hijack the service binary path, such as:
C:\Program.exe
C:\Program Files (x86)\System.exe
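A defensive audit for the resolution order described above, as an added example (not code from the original page): it flags services whose binary path is unquoted and contains spaces, and lists the earlier candidate paths that should never exist on disk. The function name and the sample service rows are constructed for illustration; the argument stripping is a heuristic that assumes the binary name ends in .exe when arguments follow it.

```powershell
# Added audit example; function name and sample rows are constructed.
# Emits, in order, the executables Windows would try for an unquoted path:
# one candidate per space-delimited prefix, with ".exe" implied.
function Get-UnquotedPathCandidates {
    param([string]$ImagePath)

    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return }
    $path = $ImagePath.Trim()
    if ($path.StartsWith('"')) { return }          # quoted: unambiguous
    # Heuristic: drop arguments that follow the first ".exe" token, if any.
    if ($path -match '^(.*?\.exe)(\s|$)') { $path = $Matches[1] }
    if ($path -notmatch ' ') { return }            # no spaces: unambiguous

    $tokens = $path -split ' '
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $prefix = $tokens[0..$i] -join ' '
        if ($prefix -notmatch '\.exe$') { $prefix += '.exe' }
        $prefix                                    # emit candidate
    }
}

# Constructed sample rows. On a live host use instead:
#   $services = Get-CimInstance Win32_Service | Select-Object Name, PathName, StartName
$services = @(
    [pscustomobject]@{ Name = 'MyService'; StartName = 'LocalSystem'
        PathName = 'C:\Program Files (x86)\System Explorer\service\MyService' }
    [pscustomobject]@{ Name = 'QuotedSvc'; StartName = 'NT AUTHORITY\LocalService'
        PathName = '"C:\Program Files\Vendor\svc.exe" -run' }
    [pscustomobject]@{ Name = 'NoSpaceSvc'; StartName = 'LocalSystem'
        PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)

$findings = foreach ($svc in $services) {
    $candidates = @(Get-UnquotedPathCandidates -ImagePath $svc.PathName)
    if ($candidates.Count -lt 2) { continue }
    # Every candidate except the last (the real binary) should not exist.
    $early = $candidates[0..($candidates.Count - 2)]
    [pscustomobject]@{
        Service        = $svc.Name
        RunsAs         = $svc.StartName
        ShouldNotExist = $early -join '; '
        FoundOnDisk    = @($early | Where-Object { Test-Path -LiteralPath $_ }) -join '; '
    }
}
$findings | Format-List
```

Only MyService is reported for the sample rows. The remediation for a flagged service is to enclose its binary path in double quotes in the service configuration, so that only the intended executable is resolved.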