#1
How to find out what process issued a Windows service start?
Hello,
I would like to find out what process starts a particular Windows service (msiserver, to be exact). I mean not in the sense of what is the parent process, which is always services.exe, but which process called some API that resulted in the SCM starting the service. It seems in Win 7 and such there was an Event Log event created by the SCM for that: https://stackoverflow.com/questions/496632/is-it-possible-to-log-who-started-or-stopped-a-windows-service but in Windows 10 it's no longer present. Any ideas?
#2
Hook the RPC server in services.exe?
__________________
AKA Solomon/blowfish.
#3
Sounds tricky; could you please point me in the direction of a guide or how-to for that task?
#4
Process Monitor filtered for OpenServiceA/W, as referenced here: https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openservicea (which contains the service name as a string), followed by watching for StartServiceA/StartServiceW, as referenced here: https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-startservicea (which only takes a less readable service handle), should work for this purpose. Hooking the RPC server sounds like a far more complicated route. I am surprised some registry setting or such does not exist somewhere to enable this still in Win10.
#5
https://docs.microsoft.com/en-us/windows/win32/rpc/how-rpc-works
https://github.com/km-works/portal-rpc-server-hook
The following user says thank you to Rasmus for this useful post: chants (04-11-2020)
#6
Here is a tutorial with demo source code, but in Chinese:
https://bbs.pediy.com/thread-251158.htm
__________________
AKA Solomon/blowfish.
The following user says thank you to WhoCares for this useful post: DavidXanatos (04-11-2020)
#7
If the service starts automatically on boot, you may try "Autoruns" published by www.sysinternals.com.
#8
Any English version of the tutorial?
#9
Yes, try Google Chrome or use Google Translate!
__________________
UnREal RCE - Persian Crackers
#10
@DavidXanatos:
Deactivate "MSIserver" and, normally, the process you find will send you a message...