Exetools  
  #1  
Old 04-10-2020, 18:49
DavidXanatos
How to find out what process issued a windows service start?

Hello,

I would like to find out what process starts a particular Windows service (msiserver, to be exact).

I don't mean in the sense of what the parent process is; this is always services.exe.

I mean which process called some API that resulted in the SCM starting the service.

It seems that in Windows 7 and such there was an Event Log event created by the SCM for that: https://stackoverflow.com/questions/496632/is-it-possible-to-log-who-started-or-stopped-a-windows-service
but in Windows 10 it's no longer present.

Any ideas?
  #2  
Old 04-10-2020, 19:44
WhoCares
Hook the RPC server in services.exe?
  #3  
Old 04-10-2020, 22:55
DavidXanatos
Quote:
Originally Posted by WhoCares View Post
hook the RPC server in services.exe?
Sounds tricky; could you please point me in the direction of a guide or how-to for that task?
  #4  
Old 04-10-2020, 23:14
chants
Process Monitor filtered for OpenServiceA/W as referenced here: https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openservicea, which contains the service name as a string, followed by watching for StartServiceA/StartServiceW as referenced here: https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-startservicea, which only takes a less readable service handle, should work for this purpose. Hooking the RPC server sounds like a far more complicated route. I am surprised some registry settings or such somewhere do not exist to enable this still in Win10.
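As an added example (not code from the thread or any tool mentioned in it), here is the two-step correlation chants describes, applied to a constructed API trace in a hypothetical "pid process api(args) = ret" text format: OpenService carries the service name, StartService only a handle, so the script maps handle to name per process (handle values are process-local and get reused after CloseServiceHandle) and reports which process started the requested service.

```python
import re
from collections import defaultdict

# Constructed sample API trace (hypothetical format, not real tool output).
# PID 5678 reuses the same handle value 0x2B4 for a different service, and
# PID 1234 reuses 0x2B4 after closing it, so handles must be tracked per PID
# and forgotten on close.
SAMPLE_TRACE = """\
1234 setup.exe OpenSCManagerW(NULL, NULL, 0xF003F) = 0x1A0
1234 setup.exe OpenServiceW(0x1A0, "msiserver", 0x10) = 0x2B4
5678 svchost.exe OpenServiceW(0x1C8, "wuauserv", 0x10) = 0x2B4
5678 svchost.exe StartServiceW(0x2B4, 0, NULL) = 1
1234 setup.exe StartServiceW(0x2B4, 0, NULL) = 1
1234 setup.exe CloseServiceHandle(0x2B4) = 1
1234 setup.exe OpenServiceW(0x1A0, "BITS", 0x10) = 0x2B4
1234 setup.exe StartServiceW(0x2B4, 0, NULL) = 1
"""

LINE_RE = re.compile(
    r'^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)$'
)


def find_service_starters(trace, service_name):
    """Return [(pid, process), ...] for every StartService call made on a
    handle that the same process obtained from OpenService(service_name)."""
    handles = defaultdict(dict)  # pid -> {handle value: service name}
    starters = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        pid, proc, api, args, ret = m.group("pid", "proc", "api", "args", "ret")
        if api in ("OpenServiceA", "OpenServiceW"):
            name = re.search(r'"([^"]*)"', args)
            if name and ret.lower() not in ("0", "0x0", "null"):  # skip failed opens
                handles[pid][ret.lower()] = name.group(1).lower()
        elif api in ("StartServiceA", "StartServiceW"):
            handle = args.split(",")[0].strip().lower()  # first arg is hService
            if handles[pid].get(handle) == service_name.lower():
                starters.append((int(pid), proc))
        elif api == "CloseServiceHandle":
            handles[pid].pop(args.strip().lower(), None)  # value may be reused
    return starters


if __name__ == "__main__":
    print(find_service_starters(SAMPLE_TRACE, "msiserver"))  # [(1234, 'setup.exe')]
```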
  #5  
Old 04-11-2020, 06:00
Rasmus
Quote:
Originally Posted by DavidXanatos View Post
Sounds tricky; could you please point me in the direction of a guide or how-to for that task?
https://docs.microsoft.com/en-us/windows/win32/rpc/how-rpc-works
A quick example, though it is in Java:
https://github.com/km-works/portal-rpc-server-hook
You'd need to do the same for services.exe.
  #6  
Old 04-11-2020, 12:35
WhoCares
Here is a tutorial with demo source code, but in Chinese:
https://bbs.pediy.com/thread-251158.htm

Quote:
Originally Posted by DavidXanatos View Post
Sounds tricky; could you please point me in the direction of a guide or how-to for that task?
  #7  
Old 05-09-2020, 14:43
BlackWhite
If the service starts automatically on boot, you may try "autoruns", published by www.sysinternals.com.
  #8  
Old 05-10-2020, 21:34
agoo
Quote:
Originally Posted by WhoCares View Post
Here is a tutorial with demo source code, but in Chinese:
https://bbs.pediy.com/thread-251158.htm
Any English version of the tutorial?
  #9  
Old 05-11-2020, 09:51
SinaDiR
Quote:
Originally Posted by agoo View Post
Any English version of the tutorial?
Yes, try Google Chrome or use Google Translate!
  #10  
Old 05-21-2020, 18:46
LaDidi
@DavidXanatos:
Deactivate "MSIserver" and, normally, the process you are looking for will send you a message...