When confronted with Microsoft security there are still some things you just can't do, even if you are the administrator. There is obviously a very good reason for it (usually these things break your system), but there are ways to get past it. This is also a nice way to explain a nice feature in Windows which allows you to create your own services, so let's get on with it.
First the basics,
A Windows service is actually an entry in the Windows registry that is used by the so called "NT Service Controller and services" (the Service Control Manager) to identify the binaries to run and the manner in which to run them. To manipulate the Service Controller and services, Windows ships a tool by default that allows the user (or an application) to install new services, manipulate existing ones, query services and service states, or delete them.
As one might know, a lot of these features can also be controlled in the Windows GUI, the MMC ("Microsoft Management Console") Services snap-in. One of the things you can control is the user account under which the service is started, as well as the way the service should start: on demand, at boot, or simply disabled. All of these settings can also be changed, altered and removed from the command prompt. Isn't that cool?
Well, we all might have had a moment in which we wanted to know what this "SYSTEM" guy could do. If you are about to try this, do try it on a system you have already written off as lost and destroyed, because the command prompt we are giving you is surely capable of doing just that.
The SC command,
For the creation of Windows services from the command line we use a tool called SC (sc.exe), which should be available from Windows 2000 up. It can do all kinds of neat stuff with the installed services, like stopping them or querying the states of various services. For instance: "what drivers are installed on my machine?"
sc query type= driver
Most of them will obviously have "IGNORES_SHUTDOWN" somewhere in their state flags. But sometimes you might find very strange services in there, like:
Wanarp
Remote Access IP ARP Driver – some critical Windows process doing ARP.
Removing services is also possible, using the sc delete "serviceName" command. Note that a service is only "marked for deletion" and is never deleted in the same session. And then we naturally have the sc create "serviceName" command that allows us to create services. So…
Let's create a service that runs a DOS box and gives us access to the NT AUTHORITY\SYSTEM account, so we can discover its "power" over the operating system.
Let's do something like,
sc create MySystemCmdBox binPath= "C:\windows\system32\cmd.exe /k cmd" type= own type= interact error= ignore start= demand
[SC] CreateService SUCCESS
Running this will open a command box. Let's have a quick peek at the syntax, because when using this for legitimate goals, like making your VMware run forever, there are some minor pitfalls to consider…
When using the type= option, the choices you get are:
own|share|interact|kernel|filesys|rec
Using some of these options will trigger a "[SC] CreateService FAILED 87" (ERROR_INVALID_PARAMETER). This usually means the option used, like "type", needs another declaration. For instance, when using type= interact, the type= option must be declared again with an alternative type like own. So effectively the service type becomes "own, interactive".
When addressing binPath= pathToBin,
it is obvious that you should use " quotes " when you need to pass switches behind the binary. Don't ask, people seem to find this weird on occasion 😉
Do mind that when setting the options there should be a space between the equals sign ( = ) and the actual value of that option.
So type=interact (is wrong) and type= interact (is correct)
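As an added example (not code from the original post), here is a small Python script that takes the points above and turns them into checks a defender can run. It parses the output of sc query to answer the "what drivers are installed" question, parses the output of sc qc (the sc subcommand that prints a service's configuration) to flag any service set up the way MySystemCmdBox is (interactive type, LocalSystem account, a command shell as the binary), and lints an sc create argument list for the "space after =" rule and the "type= interact needs a second type= own" rule. The sample output strings are constructed by hand to mimic the sc.exe format, and the function names are my own.

```python
"""Added example (not code from the original post): read what sc.exe prints
and lint an ``sc create`` argument list.  The samples are constructed to mimic
the real sc.exe format; feed the real output of ``sc query`` / ``sc qc`` in."""

# Constructed ``sc query type= driver`` sample (trimmed to the fields used).
SAMPLE_QUERY = """\
SERVICE_NAME: Wanarp
DISPLAY_NAME: Remote Access IP ARP Driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

SERVICE_NAME: Beep
DISPLAY_NAME: Beep
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
"""

# Constructed ``sc qc MySystemCmdBox`` sample for the service the post creates.
SAMPLE_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MySystemCmdBox
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\windows\system32\cmd.exe /k cmd
        LOAD_ORDER_GROUP   :
        DISPLAY_NAME       : MySystemCmdBox
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_output(text):
    """One dict per SERVICE_NAME record; a '(...)' continuation line (the
    STATE flag list) is appended to the field above it."""
    records, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[SC]"):
            continue  # blank line or the sc.exe status banner
        if line.startswith("SERVICE_NAME:"):
            current = {"SERVICE_NAME": line.split(":", 1)[1].strip()}
            records.append(current)
            last_key = "SERVICE_NAME"
        elif line.startswith("(") and current is not None and last_key:
            current[last_key] += " " + line
        elif ":" in line and current is not None:
            key, value = line.split(":", 1)  # value may contain ':' (C:\...)
            last_key = key.strip()
            current[last_key] = value.strip()
    return records


def drivers_ignoring_shutdown(query_text):
    """Driver names whose STATE flags contain IGNORES_SHUTDOWN."""
    return [r["SERVICE_NAME"] for r in parse_sc_output(query_text)
            if "DRIVER" in r.get("TYPE", "")
            and "IGNORES_SHUTDOWN" in r.get("STATE", "")]


SHELL_BINARIES = ("cmd.exe", "command.com", "powershell.exe")


def audit_service_config(qc_text):
    """Flag the combination the post builds: interactive type + LocalSystem +
    a shell as the binary.  Returns {name: [reasons]}; all three together mean
    anyone allowed to start the service gets a SYSTEM console."""
    findings = {}
    for r in parse_sc_output(qc_text):
        reasons = []
        if "interactive" in r.get("TYPE", "").lower():
            reasons.append("interactive service type")
        if r.get("SERVICE_START_NAME", "").lower() == "localsystem":
            reasons.append("runs as LocalSystem")
        binpath = r.get("BINARY_PATH_NAME", "").lower()
        if any(b in binpath for b in SHELL_BINARIES):
            reasons.append("service binary is a command shell")
        if reasons:
            findings[r["SERVICE_NAME"]] = reasons
    return findings


def lint_sc_create(argv):
    """Apply the post's two syntax rules to an ``sc create`` argument list:
    an option is a token ending in '=' and its value is the NEXT token
    ('type=interactive' is one bad token); 'type= interact' needs a second
    'type= own' or 'type= share'.  Returns the problems found."""
    args = list(argv)
    if args[:2] == ["sc", "create"]:
        args = args[3:]  # drop 'sc', 'create' and the service name
    problems, types, i = [], [], 0
    while i < len(args):
        tok = args[i]
        if not tok.endswith("="):
            what = "missing space after '='" if "=" in tok else "unexpected token"
            problems.append(f"{what} in {tok!r}")
            i += 1
            continue
        if i + 1 >= len(args):
            problems.append(f"option {tok!r} has no value")
            break
        if tok.lower() == "type=":
            types.append(args[i + 1].lower())
        i += 2
    if "interact" in types and not {"own", "share"} & set(types):
        problems.append("type= interact needs a second type= own or type= share")
    return problems
```

On a real machine, run sc qc for each service name from sc query and pass the text to audit_service_config; the same three conditions are worth checking in the System event log entry (event ID 7045, "A service was installed in the system") that the Service Control Manager writes when a service is created, since that is where a new SYSTEM command box shows up first.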
Well guys, have a blast. There is also a detailed tutorial on the Microsoft site about this feature:
http://msdn2.microsoft.com/en-us/library/ms810435.aspx
Regards,
Chris Gralike
The space after the “=” after the option type to specify the value was what was missing.
This post helped me get over it.
Really helpful! Thanks
If it helps, after reading some additional documentation on the subject regarding the NT boot process I found the following.
Both the system and boot switches are related to “drivers” that need to be loaded at boot time by one of the following components.
boot driver => loaded by NTLDR at system boot.
system driver => loaded by ntoskrnl.exe after “boot” drivers.
automatic drivers => loaded much later when the GUI is started in the following process.
Hello Matthew,
I'm not sure if boot in this case actually means at system boot (Windows boot logo), more because of the Windows architecture where all services marked “automatic” will be started at system startup directly after logon.
If you actually want something to start at the earliest possible time you might want to use the Windows policies instead of system services.
By means of scripting this might be an outcome.
If this is preferred, there are two moments you can use to script your task (script a service startup for instance 😉 )
1. At system startup.
The only problem here is that the explorer process isn't started yet, so WMI and VB aren't an option here and you are bound to batch scripting. Another downside might be that all user information isn't available yet. In effect this means that you have a DOS environment and its capabilities to do some basic, very early administrative tasks.
2. At system logon.
This is where the user has finished logging on and all “automatic” services have started and all env information is available to you. Usually used for domain logon scripting.
Both can be configured using the Windows group policy editor.
>start>run…>MMC
[ctr+m]>add>Group policy editor>add>local computer>finish>close>ok
If you want to test the boot option, I got Windows to accept it by using the following command..
C:\Documents and Settings\chris>sc create MySystemCmdBox binPath= "C:\windows\system32\cmd.exe /k cmd" type= own error= ignore start= boot start= auto
[SC] CreateService SUCCESS
Rgrds,
Hi,
Thanks for the tutorial.
I’m getting a problem with the Failed 87 error.
I’m trying to set a service so it runs at boot, for which I’m trying to use the start= boot switch.
But, using the example above and just changing that switch, it generates Failed 87.
Any idea why this is? It works if I use the example above exactly, but I need this service to run at boot.
Thanks,
Matthew Millar