Windows — Services: Part 1

Shlomi Boutnaru, Ph.D.
3 min read · Aug 29, 2022


Before we talk about the processes that handle services under Windows (such as services.exe and svchost.exe), we have to explain what a service is.

A service is a long-running process that is managed by the operating system, more precisely by the Service Control Manager (SCM), rather than by an interactive user. It resembles a daemon on Linux (but there are a couple of differences that I am going to talk about in a different writeup).

For security reasons a service can run under one of (at least) three built-in accounts: LocalSystem, NetworkService and LocalService, each with a different set of permissions and privileges (we will cover them in more detail in the future). Of course, a service can also be configured to run as a local user or a domain user with whatever access rights we give it. The practical rule is to pick the least privileged account that still lets the service do its job, because anyone who compromises the service process inherits that account's rights.

There are different ways to administer services; I am going to focus on the four best-known interfaces. First, the Win32 API (used for 64-bit as well, despite its name), with functions such as OpenSCManager, CreateService and StartService (more info can be found here — https://docs.microsoft.com/en-us/windows/win32/services/service-functions). Second, the MMC snap-in “services.msc” (more info can be found here — https://www.thewindowsclub.com/open-windows-services). Third, PowerShell, by leveraging cmdlets such as New-Service, Get-Service, Set-Service, Start-Service, Stop-Service, Restart-Service and more. Fourth, the command line tool “sc.exe” (more info can be found here — https://ss64.com/nt/sc.html). All four end up talking to the same component, the SCM, which owns the service database and is the only one that actually starts and stops services.

A service can be in one of three major states: running (started), stopped or paused (the SCM also reports transitional states such as start pending and stop pending while a service moves between them). In addition, each service has a startup type that defines what should happen to it when the OS boots; it can be one of the following: Automatic, Automatic (Delayed Start), Manual or Disabled. Let us go over each of them.

Automatic: in this configuration the SCM starts the service as part of the system boot process, together with the other auto-start services and in the order dictated by their dependencies and load-order groups.

Automatic (Delayed Start): an optimization to reduce the time the system takes to boot. The service is still started by the SCM, but not during the boot process itself; delayed services are started shortly after boot has finished (about two minutes later by default), so they do not compete with the regular auto-start services for CPU and disk.

Manual: in this configuration the SCM does not start the service at boot. It has to be started on demand, through one of the administrative interfaces described above (which we can of course script), by a program calling StartService, or by the SCM itself when another service that depends on it is started.

Disabled: in this configuration even an administrator cannot start the service; the start request simply fails. In order to start it we first need to enable it by changing the startup type to any setting other than Disabled.
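The following script is an added example, not part of the original post, that ties together the administrative interfaces mentioned above (the PowerShell cmdlets and sc.exe) with the states and startup types just described. It assumes an elevated PowerShell 5.1 or newer session on a Windows machine and uses the Windows Time service (W32Time) as a low-risk target; any other service name can be passed instead. It changes the startup type of that service while it runs, but puts the original configuration back at the end.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# 5.1+ session; 'W32Time' is only a convenient low-risk demonstration target.
param([string]$Name = 'W32Time')

function Get-ServiceConfig {
    param([Parameter(Mandatory)][string]$Name)
    # Win32_Service exposes the startup type (StartMode), the delayed flag,
    # the current state and the logon account in a single object.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    $startup = switch ($svc.StartMode) {
        'Auto'     { if ($svc.DelayedAutoStart) { 'Automatic (Delayed Start)' } else { 'Automatic' } }
        'Manual'   { 'Manual' }
        'Disabled' { 'Disabled' }
        default    { $svc.StartMode }   # 'Boot' / 'System' only appear for drivers
    }
    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        State       = $svc.State        # Running / Stopped / Paused / ...Pending
        StartupType = $startup
        LogOnAs     = $svc.StartName    # LocalSystem, NT AUTHORITY\NetworkService, ...
        BinaryPath  = $svc.PathName
    }
}

# 1. Record where we start so we can restore it later.
$before = Get-ServiceConfig -Name $Name
$before | Format-List

# 2. A Disabled service cannot be started, even by an administrator.
#    Stop it first, otherwise Start-Service has nothing to do and stays silent.
Stop-Service -Name $Name
Set-Service -Name $Name -StartupType Disabled
try {
    Start-Service -Name $Name -ErrorAction Stop
} catch {
    Write-Warning "Start failed while Disabled: $($_.Exception.Message)"
}

# 3. Any startup type other than Disabled makes Start-Service work again.
Set-Service -Name $Name -StartupType Manual
Start-Service -Name $Name
(Get-Service -Name $Name).Status          # Running

# 4. The same setting through sc.exe (use 'sc.exe', not 'sc': in PowerShell
#    'sc' is an alias for Set-Content). 'delayed-auto' is how sc.exe spells
#    "Automatic (Delayed Start)"; note the mandatory space after 'start='.
sc.exe config $Name start= delayed-auto | Out-Null
sc.exe qc $Name                            # START_TYPE : 2 AUTO_START (DELAYED)

# 5. Restore the original startup type and state.
$scStart = switch ($before.StartupType) {
    'Automatic'                 { 'auto' }
    'Automatic (Delayed Start)' { 'delayed-auto' }
    'Manual'                    { 'demand' }
    'Disabled'                  { 'disabled' }
}
sc.exe config $Name start= $scStart | Out-Null
if ($before.State -eq 'Stopped') { Stop-Service -Name $Name }
Get-ServiceConfig -Name $Name | Format-List
```

Run it as `.\service-demo.ps1 -Name W32Time` from an elevated prompt. The restore step deliberately goes through sc.exe rather than Set-Service because Windows PowerShell 5.1's Set-Service has no value for the delayed-start type; sc.exe can express all four.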

Over the years, different security enhancements have been added for service hardening. Examples (most of them introduced with Windows Vista) are session 0 isolation (services no longer share a session with the interactive user), least privilege (a service declares the privileges it needs and the SCM strips the rest from its token), restricted network access (Windows Service Hardening firewall rules that only allow the traffic a service declares) and service isolation (a per-service SID, so a service can be granted access to its own resources without running as a more powerful account). We are going to speak about it more when talking about security and the process of hardening the OS.
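As an added example that is not part of the original post, the script below turns the points about service accounts and hardening into a quick audit of the local machine: which accounts the installed services log on as, which services combine the most powerful account (LocalSystem) with an Automatic start, and, for one service, the per-service SID type and the privilege set that sc.exe reports. It assumes an elevated PowerShell 5.1 or newer session; 'Spooler' is only used as a convenient built-in service to query.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# 5.1+ session; 'Spooler' is just a convenient built-in service to inspect.

function Get-ServiceAccountSummary {
    # Group every service by the account it logs on as. The three built-in
    # accounts show up as LocalSystem, NT AUTHORITY\NetworkService and
    # NT AUTHORITY\LocalService; anything else is a user, virtual or managed
    # service account.
    Get-CimInstance -ClassName Win32_Service |
        Group-Object -Property StartName |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'LogOnAs'; e = { $_.Name } }, Count
}

function Find-PrivilegedAutoStartService {
    # Services that run as LocalSystem and start automatically deserve a
    # second look: that is the most powerful account on the box and the
    # binary runs unattended at every boot.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.StartMode -eq 'Auto' } |
        Select-Object Name, DisplayName, State, PathName
}

function Get-ServiceHardeningInfo {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe exposes two of the hardening settings directly:
    #   qsidtype -> per-service SID type (NONE / UNRESTRICTED / RESTRICTED),
    #               i.e. service isolation
    #   qprivs   -> the privileges the SCM keeps in the service's token,
    #               i.e. least privilege (empty means "everything the account has")
    # Use 'sc.exe', not 'sc': in PowerShell 'sc' is an alias for Set-Content.
    $sidLine = (sc.exe qsidtype $Name | Select-String 'SERVICE_SID_INFO').Line
    $privs   = sc.exe qprivs $Name |
                   Select-String -Pattern 'Se\w+Privilege' |
                   ForEach-Object { $_.Matches.Value }
    [pscustomobject]@{
        Name       = $Name
        SidType    = ($sidLine -replace '.*:\s*', '')
        Privileges = @($privs)
    }
}

Get-ServiceAccountSummary        | Format-Table -AutoSize
Find-PrivilegedAutoStartService  | Format-Table -AutoSize
Get-ServiceHardeningInfo -Name 'Spooler' | Format-List
```

A service that shows `UNRESTRICTED` or `RESTRICTED` as its SID type and a short privilege list is one that opted in to the Vista-era hardening; a LocalSystem auto-start service with `NONE` and no declared privileges is running with everything the account has, which is exactly the configuration the least-privilege rule above argues against.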

In the screenshot below you can see examples of the things we have talked about for the DHCP Client service. On the left (the “General” tab) we can see the status and the startup type, and on the right (the “Log On” tab) the account the service logs on as.

You can also check my twitter account @boutnaru (https://twitter.com/boutnaru) — for more stuff on Windows/Linux/etc.

See you soon ;-)

Screenshot: the “General” and “Log On” tabs of the “DHCP Client” service in services.msc