How to create windows services (Command Line)

When confronted with microsoft security there are still some things you just cant do even if your administrator. There obviously is a very good reason for it (usually these things break your system), But there are ways to get passed it. Obviously this is also a nice way to explain a nice feature in windows wich allows you to create your own services, so lets get on with it.

First the basics,

A windows service is actually an entry in the windows registry that is being used by the so called "NT Service Controller and services" to identify the binairies to run and the manner in wich to run them. To manipulate the NT Service controller and services a tool is introduced in windows by default that allows the user (or an application) to install new services, manipulate existing ones, query services and service states, or delete them.

As one might now one can controll allot of these features in the windows GUI also called the MMC "Microsoft Management Console" Services plugin. One of the features one can controll is the user under wich the service is started. Also the way the service should start, like on-demand, or boot, or simply disabled. All these features can also be changed altered and removed from the command prompt. Isnt that cool?

Well we all might have had a moment in wich we wanted to know what this "SYSTEM" guy could do? Well if your about to try this, do try this on some allready assigned as lost and destroyed system because the command prompt we are giving you is surely capable of doing so.

The SC command,

For the creation of windows services from the commandline we use a tool called SC, which should be availble from 2000 up. It can do all kind of neat stuff with the installed services like shutdown or query the states of various services. For isntance "what drivers are installed on my machine?"

sc query type= driver

most will obviously have "IGNORES_SHUTDOWN" somewhere. But sometimes you might find very strange services in there. Some stuff like:

Wanarp
Remote Access IP ARP Driver – Some critical windows proces doing arp.

The removal of services is also possible using the sc delete "serviceName" command. Note that a service is being "marked for deletion" and is never deleted in the same session. And then we naturaly have the sc create "serviceName" command that allows us to create services. So…

Lets create a service that runs a dos box and gives us access to the NT AUTHORITY\System account this way for us to discover its "power" on the opperating system.

Lets do something like,

sc create MySystemCmdBox binPath= "C:\windows\system32\cmd.exe /k cmd" type= own type= interact error= ignore start= demand
[SC] CreateService SUCCESS

Running this will open a command box, lets have a quick peek at the syntax. When using this for legal goals like making your VMware run forever. There are some minor downfals to consider…

when using the type= command the options you get are :
own|share|interact|kernel|filesys|rec

Using some of the options will trigger a "[SC] CreateService FAILED 87" this usually means the option used like "type" needs another declaration. In case for instance when using type= interact, the type= option must be declared again with an alternative type like own. So effectivly the service type will be type= own interactive.

when addressing the binPath= pathToBin

its obvious that you should use " quotes " when you need to set all kind of switches behind the binairy. Dont ask, people seem to find this weird on occation 😉

Do mind that when setting the options there should be a space between the equal to sign ( = ) and the actuall value of that option.

So type=interactive (Is wrong) and type= interactive (Is correct)

Well guys, have a blast. There is also a detailed tutorial somewhere on the Microsoft site about this feature:
http://msdn2.microsoft.com/en-us/library/ms810435.aspx

Regards,

Chris Gralike