
# 6 - Windows Services

#### Topics

> 1. Introduction to the Windows Shells
> 2. Windows Permissions
> 3. Reverse Shells in Windows
> 4. SeImpersonatePrivilege Exploitation
> 5. On Cross Compilation
> 6. Windows Services
> 7. Weak Service Permissions
> 8. Unquoted Service Path
> 9. DLL Hijacking
> 10. Always Install Elevated
> 11. Files with Sensitive Data
> 12. Windows Hashes
> 13. Stored Credentials and the Windows Vault
> 14. Scheduled Task
> 15. Critical Registry Paths
> 16. Useful Tools
> 17. AMSI Bypass

## **Windows Services**

[Windows Services](https://learn.microsoft.com/en-us/windows/win32/services) are specialized processes designed to run in the background without user interaction (comparable to daemons on Linux systems). These services often start automatically when the system boots and keep running after a user logs off.

**Key Features of Windows Services**

* Run independently of the logged-in user.
* Managed by the **Service Control Manager (SCM)**.
* Operate in various contexts:
  * **Local Services**
  * **Network Services**
  * **System Services**
  * **Third-Party Application Services**


**Security and Attack Surface**

Windows Services present a substantial attack surface. Improper configurations or vulnerabilities in services can be exploited to gain elevated privileges or execute malicious code.

***

## **Managing Services**

Below are useful commands to manage Windows Services effectively:

**Listing and Viewing Services**

* **List All Services**:

  ```powershell
  Get-Service
  ```
* **Display Specific Properties**:

  ```powershell
  Get-Service | Select-Object DisplayName, Status, ServiceName, Can*
  ```
* **Get Binary Paths for Running Services**:

  ```powershell
  Get-CimInstance -ClassName win32_service | Select Name, State, PathName | Where-Object {$_.State -like 'Running'}
  ```


**Service Operations**

* **Start a Service**:

  ```powershell
  sc.exe start <SERVICE>
  ```
* **Stop a Service**:

  ```powershell
  sc.exe stop <SERVICE>
  ```
* **Check Service Configuration**:

  ```powershell
  sc.exe qc <SERVICE>
  ```

**Modifying Services**

* **Change the Binary Path of a Service**:

  ```powershell
  # sc.exe only accepts the value if there is a space after "binPath="
  sc.exe config <SERVICE> binPath= "C:\Path\to\malicious.exe"
  ```
* **Check Service Permissions**:

  ```powershell
  sc.exe sdshow <SERVICE>
  ```
* **Update Service Permissions**:

  ```powershell
  sc.exe sdset <SERVICE> <SDDL>
  ```

**Advanced Operations**

* **Convert SDDL to Readable Format**:

  ```powershell
  ConvertFrom-SddlString -Sddl <SDDL>
  ```
* **Get Executable Path for All Processes**:

  ```powershell
  wmic process list full | Select-String 'executablepath=C:' | Select-String -NotMatch 'system32|syswow'
  ```
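The `sdshow` and `ConvertFrom-SddlString` commands above show one service at a time; the script below is an added example (not from the original page) that walks every service, parses the raw service SDDL itself (service-specific right codes such as `DC` are not labelled by `ConvertFrom-SddlString`), and reports Allow ACEs that give ordinary users rights to reconfigure, re-ACL or delete the service. It assumes `sc.exe` is on `PATH`; the trustee and right abbreviations are the documented SDDL ones.

```powershell
# Added example: audit service ACLs for broad trustees with takeover rights.
# Assumes sc.exe is on PATH; non-admin shells get access denied on some services.
# Service-specific and standard right codes as documented for SDDL.
$ServiceRights = @{
    CC = 'QUERY_CONFIG'; DC = 'CHANGE_CONFIG'; LC = 'QUERY_STATUS'; SW = 'ENUMERATE_DEPENDENTS'
    RP = 'START'; WP = 'STOP'; DT = 'PAUSE_CONTINUE'; LO = 'INTERROGATE'; CR = 'USER_DEFINED_CONTROL'
    SD = 'DELETE'; RC = 'READ_CONTROL'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'; GA = 'GENERIC_ALL'; GW = 'GENERIC_WRITE'
}
# Trustees (SDDL abbreviation or well-known SID) that mean "any ordinary user".
$BroadTrustees = @{
    AU = 'Authenticated Users'; 'S-1-5-11' = 'Authenticated Users'
    BU = 'Users';               'S-1-5-32-545' = 'Users'
    WD = 'Everyone';            'S-1-1-0' = 'Everyone'
    IU = 'Interactive';         'S-1-5-4' = 'Interactive'
}
# Rights that let such a trustee change the binary path, rewrite the ACL or delete the service.
$DangerousRights = 'DC', 'WD', 'WO', 'GA', 'GW', 'SD'

function Get-ServiceAce {
    param([string]$Sddl)
    # Each ACE is (type;flags;rights;object;inherit;trustee), e.g. (A;;CCLCSWRPWPDTLOCRRC;;;SY).
    # Rights written as a hex mask instead of two-letter codes are not matched here.
    foreach ($m in [regex]::Matches($Sddl, '\((A|D);[^;]*;([A-Z]*);;;([^)]+)\)')) {
        [pscustomobject]@{
            Type    = $(if ($m.Groups[1].Value -eq 'A') { 'Allow' } else { 'Deny' })
            Rights  = @([regex]::Matches($m.Groups[2].Value, '..') | ForEach-Object { $_.Value })
            Trustee = $m.Groups[3].Value
        }
    }
}

function Find-WeakServiceAcl {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # sc.exe sdshow prints a blank line and then the SDDL string.
        $sddl = sc.exe sdshow $svc.Name 2>$null | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
        if (-not $sddl) { continue }
        foreach ($ace in Get-ServiceAce $sddl.Trim()) {
            if ($ace.Type -ne 'Allow' -or -not $BroadTrustees.ContainsKey($ace.Trustee)) { continue }
            $hit = @($ace.Rights | Where-Object { $DangerousRights -contains $_ })
            if ($hit.Count -gt 0) {
                [pscustomobject]@{
                    Service = $svc.Name; Trustee = $BroadTrustees[$ace.Trustee]
                    Rights  = ($hit | ForEach-Object { $ServiceRights[$_] }) -join ','
                    Path    = $svc.PathName
                }
            }
        }
    }
}

Find-WeakServiceAcl | Format-Table -AutoSize
```

Deny ACEs are skipped on purpose: they never widen access, and a full evaluation would also have to account for group membership, which this script does not do.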

***

## **Adding a New Service**

To add a new service, you must provide an executable file (`.exe`) that implements the Windows Service API.

**Creating a Service Using sc.exe**

1. **Create the Service**:

   ```powershell
   sc.exe create <SERVICE-NAME> binPath= "<PATH-TO-EXECUTABLE>"
   ```
2. **Verify the Configuration**:

   ```powershell
   sc.exe qc <SERVICE-NAME>
   ```
3. **Start the Service**:

   ```powershell
   sc.exe start <SERVICE-NAME>
   ```
4. **Stop the Service**:

   ```powershell
   sc.exe stop <SERVICE-NAME>
   ```
5. **Delete the Service**:

   ```powershell
   sc.exe delete <SERVICE-NAME>
   ```
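The five steps above run as one script, as an added example (not from the original page): each `sc.exe` call is checked for a non-zero exit code, the `sc.exe qc` output is parsed so the stored binary path and the account the service runs as can be verified, and the service is deleted again even if starting it fails. It assumes an elevated shell; the service name `DemoSvc` and the path `C:\Tools\simpleService.exe` are placeholders.

```powershell
# Added example: create, verify, start, stop and delete a service with error checking.
# Assumes an elevated shell; DemoSvc and the binary path are placeholders.
function Invoke-Sc {
    param([string[]]$Arguments)
    # Run sc.exe and stop on a non-zero exit code instead of silently continuing.
    $out = & sc.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "sc.exe $($Arguments -join ' ') failed ($LASTEXITCODE): $out" }
    return $out
}

function Get-ScConfig {
    param([string]$Name)
    # Turn the "KEY : value" lines printed by "sc.exe qc" into a hashtable.
    $config = @{}
    foreach ($line in Invoke-Sc @('qc', $Name)) {
        if ($line -match '^\s*([A-Z_]+)\s*:\s*(.*?)\s*$') { $config[$Matches[1]] = $Matches[2] }
    }
    return $config
}

$name = 'DemoSvc'                      # placeholder service name
$bin  = 'C:\Tools\simpleService.exe'   # placeholder path to the compiled service binary
try {
    # sc.exe reads option values only when a space follows "binPath=" / "start=".
    Invoke-Sc @('create', $name, 'binPath=', $bin, 'start=', 'demand') | Out-Null
    $cfg = Get-ScConfig $name
    if ($cfg['BINARY_PATH_NAME'].Trim('"') -ne $bin) {
        throw "Stored binary path differs: $($cfg['BINARY_PATH_NAME'])"
    }
    "Created $name as $($cfg['SERVICE_START_NAME']) with start type $($cfg['START_TYPE'])"
    Invoke-Sc @('start', $name) | Out-Null
    Invoke-Sc @('stop', $name) | Out-Null
} finally {
    # Always remove the test service, even if start or stop failed.
    sc.exe delete $name | Out-Null
}
```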

***

### **Compiling a Custom Service**

To create a custom Windows Service, write the code in a language like C and compile it using `mingw-w64`.

[simpleService.c](https://github.com/LeonardoE95/yt-en/blob/main/src/2024-10-27-windows-privesc-windows-services/content/simpleService.c)

**Example Compilation Command**:

```bash
x86_64-w64-mingw32-gcc -mwindows -municode -O2 -s -o simpleService.exe simpleService.c
```

Once compiled, follow the steps above to register, start, and manage the service.

***

### **Using NSSM (Non-Sucking Service Manager)**

For simplicity, you can use NSSM to run any arbitrary `.bat` or `.exe` file as a service.

1. **Download NSSM**:\
   From [NSSM's Official Website](https://nssm.cc/).
2. **Install the Service**:

   ```cmd
   nssm.exe install <SERVICE-NAME>
   ```

## Other Resources

* Windows local privilege escalation: [https://xorond.com/posts/2021/04/windows-local-privilege-escalation/](https://xorond.com/posts/2021/04/windows-local-privilege-escalation/)
* ConvertFrom-SddlString: [https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring)
* Security Descriptor Definition Language (SDDL): [https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language](https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language)
* Create Windows service from executable: [https://stackoverflow.com/questions/3582108/create-windows-service-from-executable](https://stackoverflow.com/questions/3582108/create-windows-service-from-executable)
* The Non-Sucking Service Manager: [https://nssm.cc/](https://nssm.cc/)
* Very basic Windows Service template in C: [https://gist.github.com/mmmunk/0b0adbccb6b91e778e3a6c6b47908c9c](https://gist.github.com/mmmunk/0b0adbccb6b91e778e3a6c6b47908c9c)
* Cygwin and MinGW Options: [https://gcc.gnu.org/onlinedocs/gcc/Cygwin-and-MinGW-Options.html](https://gcc.gnu.org/onlinedocs/gcc/Cygwin-and-MinGW-Options.html)
* Working with SDDL: [https://www.advancedinstaller.com/forums/viewtopic.php?t=49990](https://www.advancedinstaller.com/forums/viewtopic.php?t=49990)

{% hint style="danger" %}
**Disclaimer**

**❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization! ❗**
{% endhint %}
