Exetools  

  #1  
04-10-2020, 18:49
DavidXanatos
How to find out what process issued a windows service start?

Hello,

I would like to find out what process starts a particular Windows service (msiserver, to be exact).

I mean not in the sense of what the parent process is, which is always services.exe,

but which process called some API that resulted in the SCM starting the service.

It seems that in Win 7 and such there was an Event Log event created by the SCM for that: https://stackoverflow.com/questions/496632/is-it-possible-to-log-who-started-or-stopped-a-windows-service
but in Windows 10 it's no longer present.

Any ideas?
  #2  
04-10-2020, 19:44
WhoCares
hook the RPC server in services.exe?
__________________
AKA Solomon/blowfish.
  #3  
04-10-2020, 22:55
DavidXanatos
Quote:
Originally Posted by WhoCares
hook the RPC server in services.exe?
Sounds tricky, could you please point me in the direction of a guide or how-to for that task.
  #4  
04-10-2020, 23:14
chants
Process Monitor filtered for OpenServiceA/W, as referenced here: https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openservicea (which contains the service name as a string), followed by watching for StartServiceA/StartServiceW, as referenced here: https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-startservicea (which only takes a less readable service handle), should work for this purpose. Hooking the RPC server sounds like a far more complicated route. I am surprised some registry settings or such somewhere do not still exist to enable this in Win10.
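The idea chants describes (catch the OpenService/StartService calls and read the caller off them), as an added example that is not part of the thread. Process Monitor records file, registry, process and network activity, not the Win32 calls themselves; but every StartService call is an RPC to the SCM's svcctl interface, and the client side of that RPC is traced by the built-in Microsoft-Windows-RPC ETW provider inside the calling process, so the PID on those events is the caller the thread is asking for. Facts taken from MS-SCMR: the svcctl interface UUID is 367abb81-9844-35f1-ad32-98f038001003, and RStartServiceW / RStartServiceA are opnums 19 / 31. Assumptions of mine (check one event with ToXml() and adjust): the provider's client-call events expose the interface UUID and the opnum as data fields named InterfaceUuid and ProcNum; the session name, ETL path, the 5-second correlation window and the "Windows Installer" display name used to match System log event 7036 are chosen for this example. Run from an elevated PowerShell.

```powershell
# Added example, not code from the thread. Attribute a service start to the
# process that issued it by tracing the client side of the SCM's svcctl RPC
# interface with the Microsoft-Windows-RPC ETW provider. Elevated shell required.

$Svcctl   = '367abb81-9844-35f1-ad32-98f038001003'   # svcctl interface UUID (MS-SCMR)
$StartOps = @(19, 31)                                  # RStartServiceW = 19, RStartServiceA = 31 (MS-SCMR)
$Trace    = 'svcctl-trace'                             # assumed session name
$Etl      = Join-Path $env:TEMP 'svcctl-trace.etl'     # assumed output path

# 1. Start an ETW session for the RPC provider, reproduce the start, stop the session.
logman start $Trace -p 'Microsoft-Windows-RPC' -o $Etl -ets | Out-Null
try {
    Write-Host "Tracing. Reproduce the service start now, then press Enter."
    [void](Read-Host)
} finally {
    logman stop $Trace -ets | Out-Null
}

# 2. Keep only svcctl calls whose opnum is a StartService call. The ProcessId on the
#    event is the process that emitted it, i.e. the RPC client, not services.exe.
#    Field names InterfaceUuid/ProcNum are an assumption; the regexes are tolerant of
#    casing but not of a different field name.
$hits = @(Get-WinEvent -Path $Etl -Oldest -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = $_.ToXml()
    if ($xml -match $Svcctl -and $xml -match '<Data Name="ProcNum">(\d+)</Data>') {
        $opnum = [int]$Matches[1]
        if ($StartOps -contains $opnum) {
            [pscustomobject]@{
                Time  = $_.TimeCreated
                Pid   = $_.ProcessId
                Image = (Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue).Path
                Opnum = $opnum
            }
        }
    }
})

# 3. The RPC events do not carry the service name (it was passed to ROpenServiceW,
#    whose arguments are not logged), so correlate by time with the SCM's own
#    "entered the running state" record (System log, event 7036) for msiserver.
function Get-ParentChain([int]$ProcessId) {
    # Walk PPID links so "sc.exe" or "msiexec.exe" can be traced back to whoever launched it.
    # PIDs can be reused, so a chain is only trustworthy while the processes are alive.
    $chain = @()
    while ($ProcessId) {
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId" -ErrorAction SilentlyContinue
        if (-not $p) { break }
        $chain += "$($p.Name)($($p.ProcessId))"
        $ProcessId = $p.ParentProcessId
    }
    $chain -join ' <- '
}

$svcStarts = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Windows Installer*running*' }

foreach ($s in $svcStarts) {
    $callers = $hits | Where-Object { $_.Time -le $s.TimeCreated -and $_.Time -ge $s.TimeCreated.AddSeconds(-5) }
    foreach ($c in $callers) {
        "{0:o}  msiserver started; StartService (opnum {1}) issued by PID {2} {3}`n    chain: {4}" -f `
            $s.TimeCreated, $c.Opnum, $c.Pid, $c.Image, (Get-ParentChain $c.Pid)
    }
}
```

Two limits worth knowing before trusting the output: a caller on another machine only produces client-side events on that machine, so locally you would see nothing but services.exe's server-side activity; and a start driven by a dependency, a trigger or a boot-time autostart is issued by services.exe itself, in which case the ETW trace shows no external caller and Autoruns (post #7) is the right tool instead.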
  #5  
04-11-2020, 06:00
Rasmus
Quote:
Originally Posted by DavidXanatos
Sounds tricky, could you please point me in the direction of a guide or how-to for that task.
https://docs.microsoft.com/en-us/windows/win32/rpc/how-rpc-works
A quick example, though it is in Java:
https://github.com/km-works/portal-rpc-server-hook
You'd need to do the same for services.exe
  #6  
04-11-2020, 12:35
WhoCares
Quote:
Originally Posted by DavidXanatos
Sounds tricky, could you please point me in the direction of a guide or how-to for that task.
Here is a tutorial with demo source code, but in Chinese:
https://bbs.pediy.com/thread-251158.htm
__________________
AKA Solomon/blowfish.
  #7  
05-09-2020, 14:43
BlackWhite
If the service starts automatically on boot, you may try
"autoruns" published by www.sysinternals.com
  #8  
05-10-2020, 21:34
agoo
Quote:
Originally Posted by WhoCares
here is a tutorial with demo source code, but in Chinese
https://bbs.pediy.com/thread-251158.htm
Any english version of the tutorial?
  #9  
05-11-2020, 09:51
SinaDiR
Quote:
Originally Posted by agoo
Any english version of the tutorial?
Yes, try Google Chrome or use Google Translate!
__________________
UnREal RCE - Persian Crackers
  #10  
05-21-2020, 18:46
LaDidi
@DavidXanatos:
Deactivate "MSIserver" and, normally, the process you find will send you a message...
All times are GMT +8.