#1  04-10-2020, 18:49  DavidXanatos
How to find out what process issued a windows service start?

Hello,

I would like to find out what process starts a particular Windows service (msiserver, to be exact).

I mean not in the sense of what the parent process is; that is always services.exe,

but which process called some API that resulted in the SCM starting the service.

It seems in Win 7 and such there was an Event Log event created by the SCM for that: https://stackoverflow.com/questions/496632/is-it-possible-to-log-who-started-or-stopped-a-windows-service
but in Windows 10 it's no longer present.

Any ideas?
#2  04-10-2020, 19:44  WhoCares
hook the RPC server in services.exe?
AKA Solomon/blowfish.
#3  04-10-2020, 22:55  DavidXanatos
Quote:
Originally Posted by WhoCares View Post
hook the RPC server in services.exe?
Sounds tricky, could you please point me in the direction of a guide or how-to for that task.
#4  04-10-2020, 23:14  chants
Process Monitor filtered for OpenServiceA/W, as referenced here: https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openservicea (which contains the service name as a string), followed by watching for StartServiceA/StartServiceW, as referenced here: https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-startservicea (which only takes a less readable service handle), should work for this purpose. Hooking the RPC server sounds like a far more complicated route. I am surprised some registry settings or such do not exist somewhere to enable this still in Win10.
#5  04-11-2020, 06:00  Rasmus
Quote:
Originally Posted by DavidXanatos View Post
Sounds tricky, could you please point me in the direction of a guide or how-to for that task.
https://docs.microsoft.com/en-us/windows/win32/rpc/how-rpc-works
A quick example, though it is in Java:
https://github.com/km-works/portal-rpc-server-hook
You'd need to do the same for services.exe.
#6  04-11-2020, 12:35  WhoCares
Here is a tutorial with demo source code, but in Chinese:
https://bbs.pediy.com/thread-251158.htm

Quote:
Originally Posted by DavidXanatos View Post
Sounds tricky, could you please point me in the direction of a guide or how-to for that task.
#7  05-09-2020, 14:43  BlackWhite
If the service starts automatically on boot, you may try
"autoruns" published by www.sysinternals.com
#8  05-10-2020, 21:34  agoo
Quote:
Originally Posted by WhoCares View Post
Here is a tutorial with demo source code, but in Chinese:
https://bbs.pediy.com/thread-251158.htm
Any English version of the tutorial?
#9  05-11-2020, 09:51  SinaDiR
Quote:
Originally Posted by agoo View Post
Any english version of the tutorial?
Yes, try Google Chrome or use Google Translate!
UnREal RCE - Persian Crackers
#10  05-21-2020, 18:46  LaDidi
@DavidXanatos:
Deactivate "MSIserver" and, normally, the process you find will send you a message...