Exetools
How to find out what process issued a windows service start?

#1 - 04-10-2020, 18:49 - DavidXanatos

Hello,

I would like to find out what process starts a particular Windows service (msiserver, to be exact).

I mean not in the sense of what is the parent process; this is always services.exe.

But which process called some API that resulted in the SCM starting the service?

It seems in Win 7 and such there was an Event Log event created by the SCM for that: https://stackoverflow.com/questions/496632/is-it-possible-to-log-who-started-or-stopped-a-windows-service
but in Windows 10 it's no longer present.

Any ideas?
#2 - 04-10-2020, 19:44 - WhoCares
hook the RPC server in services.exe?
AKA Solomon/blowfish.
#3 - 04-10-2020, 22:55 - DavidXanatos
Quote:
Originally Posted by WhoCares
hook the RPC server in services.exe?
Sounds tricky, could you please point me in the direction of a guide or how-to for that task.
#4 - 04-10-2020, 23:14 - chants
Process Monitor filtered for OpenServiceA/W (as referenced here: https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openservicea), which contains the service name as a string, followed by watching for StartServiceA/StartServiceW (as referenced here: https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-startservicea), which only takes a less readable service handle, should work for this purpose. Hooking the RPC server sounds like a far more complicated route. I am surprised some registry settings or such do not exist somewhere to enable this still in Win10.
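One way to work the Process Monitor route from the post above without reading the capture by hand is to export it to CSV, anchor on the moment services.exe creates the service's host process (the thread already notes that services.exe is always the parent), and list what every other process did in the seconds just before that. This is an added example and not code from the thread or from Sysinternals; the CSV rows are constructed, the column names and the 24-hour "Time of Day" format are assumptions about Procmon's CSV export, and `msiexec.exe` as the msiserver host image is taken from that service's ImagePath. It is a proximity heuristic for triage, not proof of which process called StartService: the nearest preceding activity is a lead to confirm, for example with a stack trace on the anchor event.

```python
"""Timeline helper for the Process Monitor approach (added example, not from the thread).

Assumptions: the input is a Procmon CSV export with the column names used below and
a 24-hour "Time of Day" with fractional seconds; the sample rows are constructed.
"""
import csv
import io
from datetime import datetime

# Constructed sample capture: an installer launches the msiexec client, and a
# fraction of a second later services.exe starts the msiserver host (msiexec /V).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"18:48:30.0000","chrome.exe","555","ReadFile","C:\Users\u\Downloads\app.msi","SUCCESS","Offset: 0, Length: 4096"
"18:49:00.5000","explorer.exe","1234","Process Create","C:\Users\u\Downloads\setup.exe","SUCCESS","PID: 2222, Command line: C:\Users\u\Downloads\setup.exe"
"18:49:00.9000","setup.exe","2222","Process Create","C:\Windows\System32\msiexec.exe","SUCCESS","PID: 3333, Command line: msiexec.exe /i C:\Users\u\Downloads\app.msi"
"18:49:01.0009","services.exe","676","Process Create","C:\Windows\System32\msiexec.exe","SUCCESS","PID: 4321, Command line: C:\Windows\system32\msiexec.exe /V"
"18:49:01.2000","msiexec.exe","4321","RegOpenKey","HKLM\Software\Microsoft\Windows\CurrentVersion\Installer","SUCCESS","Desired Access: Read"
"18:49:05.0000","svchost.exe","900","RegQueryValue","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters","SUCCESS","Type: REG_DWORD"
'''


def parse_time(stamp):
    """Procmon 'Time of Day' as a naive datetime (the date is irrelevant within one capture)."""
    return datetime.strptime(stamp, "%H:%M:%S.%f")


def load_events(csv_text):
    """Parse a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_service_starts(events, host_image, creator="services.exe"):
    """Anchor events: the SCM (services.exe) creating the service's host process.

    This is the reliable marker for 'the service just started'; it says nothing
    about who asked for it, which is what the surrounding timeline is for.
    """
    return [
        e for e in events
        if e["Operation"] == "Process Create"
        and e["Process Name"].lower() == creator
        and e["Path"].lower().endswith(host_image.lower())
    ]


def candidates_before(events, anchor, window_seconds=5.0,
                      ignore=("services.exe", "svchost.exe")):
    """Activity by other processes in the window just before the anchor, nearest first.

    Returns (seconds_before, process, pid, operation, path) tuples. SCM-side
    processes are excluded because they are noise for the 'who asked' question.
    """
    t_anchor = parse_time(anchor["Time of Day"])
    hits = []
    for e in events:
        if e["Process Name"].lower() in ignore:
            continue
        before = (t_anchor - parse_time(e["Time of Day"])).total_seconds()
        if 0 <= before <= window_seconds:
            hits.append((before, e["Process Name"], e["PID"], e["Operation"], e["Path"]))
    hits.sort()  # closest to the service start first
    return hits


def suspects(csv_text, host_image, window_seconds=5.0):
    """For every start of the given service host in the capture, the nearby activity."""
    events = load_events(csv_text)
    return {
        f'{a["Process Name"]}:{a["Time of Day"]}': candidates_before(events, a, window_seconds)
        for a in find_service_starts(events, host_image)
    }


if __name__ == "__main__":
    for anchor, hits in suspects(SAMPLE_CSV, "msiexec.exe").items():
        print(f"service host launched by {anchor}")
        for before, proc, pid, op, path in hits:
            print(f"  -{before:.4f}s  {proc} (PID {pid})  {op}  {path}")
```

On the constructed capture the nearest preceding activity is setup.exe launching the msiexec client with `/i`, which is the typical trigger for msiserver; widen `window_seconds` when the capture is sparse, and treat a hit only as the place to start verifying.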
#5 - 04-11-2020, 06:00 - Rasmus
Quote:
Originally Posted by DavidXanatos
Sounds tricky, could you please point me in the direction of a guide or how-to for that task.
https://docs.microsoft.com/en-us/windows/win32/rpc/how-rpc-works

A quick example, though it is in Java:

https://github.com/km-works/portal-rpc-server-hook

You'd need to do the same for services.exe.
#6 - 04-11-2020, 12:35 - WhoCares
Here is a tutorial with demo source code, but in Chinese:
https://bbs.pediy.com/thread-251158.htm

Quote:
Originally Posted by DavidXanatos
Sounds tricky, could you please point me in the direction of a guide or how-to for that task.
#7 - 05-09-2020, 14:43 - BlackWhite
If the service starts automatically on boot, you may try "autoruns" published by www.sysinternals.com.
#8 - 05-10-2020, 21:34 - agoo
Quote:
Originally Posted by WhoCares
here is a tutorial with demo source code, but in Chinese
https://bbs.pediy.com/thread-251158.htm
Any English version of the tutorial?
#9 - 05-11-2020, 09:51 - SinaDiR
Quote:
Originally Posted by agoo
Any english version of the tutorial?
Yes, try Google Chrome or use Google Translate!
#10 - 05-21-2020, 18:46 - LaDidi
@DavidXanatos:
Deactivate "MSIserver" and, normally, the process you find will send you a message...