Service misconfigurations

Windows services are managed by the Service Control Manager (SCM). The SCM is a process that is in charge of the management of the state of services, such as the current status, and any configurations of it.

Each service that is present on a Windows machine will have an associated executable which will be ran by the SCM whenever a particular service is started. The user account which the service will run as will also be specified.

View the configuration of a particular service with the sc qc command:

C:\> sc qc [service_name]
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: [service_name]
        TYPE               : ...
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : [exec_path] [flags/options]
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ...
        DEPENDENCIES       :
        SERVICE_START_NAME : [account]

The important fields to take note of are BINARY_PATH_NAME and SERVICE_START_NAME.

a) BINARY_PATH_NAME: The associated executable

b) SERVICE_START_NAME: The account used to run the service

PreviousAlwaysInstallElevated NextInsecure permissions on service executable

Last updated 1 year ago