Windows Services
Last updated
To understand Windows Services, you first need to understand what a service is. A Windows service is a program that runs in the background. The service model lets developers create long-running executables that run in their own Windows sessions. Such services can be started automatically when the computer boots, can be paused and restarted, and show no user interface.
One way to find the services running on your system right now is to open Task Manager and click the Services tab. The best way to view them is simply to use the Services app in Windows.
On the left are the listed services; the center column is the PID, followed by a short description on the right.
When attackers want to get into a system, they might look at the services running on it. This is useful to them because they can craft malware that looks like a legitimate service, or even like a built-in Windows service. Such a service may then be treated as legitimate by IPS and IDS systems, and some AVs might scan it and consider it legit. This works because services are not run only by Windows: many legitimate applications install their own Windows services.
The Windows Service Control Manager (SCM) is started at system boot. It is a remote procedure call (RPC) server, which means service control programs can use it to configure and control services on remote machines. The functions of the SCM are:
Maintaining the database of installed services.
Starting services and driver services either upon system startup or upon demand.
Enumerating installed services and driver services.
Maintaining status information for running services and driver services.
Transmitting control requests to running services.
Locking and unlocking the service database.
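To see what the SCM's database actually holds, here is an added PowerShell example (not code from the original page) that queries the same data the Services app and Task Manager display, covering both the services and the driver services the list above mentions. It assumes a Windows host with the CIM cmdlets; the function names Get-ScmEntry and Get-SharedServiceHost are my own.

```powershell
# Added example (not from the original page): query the SCM's database through the
# CIM classes Win32_Service and Win32_SystemDriver and build one table that mirrors
# what Task Manager's Services tab shows (name, PID, description, status), extended
# with the start mode and the kind of entry (service vs. driver service).
function Get-ScmEntry {
    param(
        [switch]$RunningOnly   # limit to entries the SCM reports as Running
    )
    $rows = @()
    # Win32_Service covers user-mode services; these have a host process, so a PID.
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        $rows += [pscustomobject]@{
            Type        = 'Service'
            Name        = $s.Name
            PID         = $s.ProcessId          # 0 when the service is not running
            Status      = $s.State
            StartMode   = $s.StartMode          # Boot, System, Auto, Manual, Disabled
            Account     = $s.StartName
            Description = $s.Description
        }
    }
    # Win32_SystemDriver covers driver services; they run in the kernel, so no PID.
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $rows += [pscustomobject]@{
            Type        = 'Driver'
            Name        = $d.Name
            PID         = $null
            Status      = $d.State
            StartMode   = $d.StartMode
            Account     = $d.StartName
            Description = $d.Description
        }
    }
    if ($RunningOnly) { $rows = $rows | Where-Object { $_.Status -eq 'Running' } }
    $rows | Sort-Object Type, Name
}

# Several services can share one host process (svchost.exe), which is why the PID
# column in Task Manager repeats; this groups running services by their PID.
function Get-SharedServiceHost {
    Get-ScmEntry -RunningOnly |
        Where-Object { $_.Type -eq 'Service' -and $_.PID -ne 0 } |
        Group-Object PID |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                PID      = [int]$_.Name
                Count    = $_.Count
                Services = ($_.Group.Name -join ', ')
            }
        } | Sort-Object PID
}

Get-ScmEntry -RunningOnly | Format-Table Type, Name, PID, Status, StartMode -AutoSize
Get-SharedServiceHost     | Format-Table -AutoSize
```

Both functions only read from the SCM, so they work from a non-elevated prompt. The second table is the one to keep in mind when reading the PID column: a PID that appears many times is usually a shared svchost.exe host, not one service started several times.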
When you first install Windows, an initial copy of the database is created. The database contains entries for the device drivers required during system boot. As you add programs and software to your machine, more services are added or created.
During system boot, the SCM starts all auto-start services and the services on which they depend. Most attackers trying to keep a persistent remote connection through services will use automatically starting services. However, this is extremely risky for them and can be detected by AVs very easily.
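Since the auto-start services are the ones the SCM launches unattended at boot, a defender's first check is to enumerate them and flag the ones that do not look like what a legitimate vendor would install. The following PowerShell is an added example, not code from the original page; the "trusted directory" and Authenticode heuristics are assumptions chosen for illustration, and the function names Get-ServiceImagePath and Get-AutoStartServiceFinding are mine.

```powershell
# Added example (not from the original page): audit the auto-start services the SCM
# will launch at boot and flag the ones a defender would want to look at first.
# Heuristics used here (assumptions, not a Windows rule): an auto-start service whose
# image is missing, lives outside the Windows / Program Files trees, or is not signed
# with a valid Authenticode signature deserves a second look.

# Extract the executable path from a service's PathName, which may be quoted and
# usually carries arguments, e.g. '"C:\x\svc.exe" -run' or
# 'C:\Windows\system32\svchost.exe -k netsvcs'.
function Get-ServiceImagePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    # Unquoted: take the longest leading run of tokens that names an existing file,
    # so unquoted paths containing spaces are still resolved correctly.
    $tokens = $p -split ' '
    for ($i = $tokens.Count; $i -ge 1; $i--) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Get-AutoStartServiceFinding {
    # Directories treated as "expected" homes for service binaries (an assumption).
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\') + '\' }

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object {
            $svc     = $_
            $image   = Get-ServiceImagePath -PathName $svc.PathName
            $reasons = @()
            if (-not $image -or -not (Test-Path -LiteralPath $image -PathType Leaf)) {
                $reasons += 'image not found on disk'
            } else {
                $inTrusted = $trustedRoots | Where-Object {
                    $image.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
                }
                if (-not $inTrusted) { $reasons += 'image outside Windows/Program Files' }
                # Authenticode check: Valid means a chain to a trusted root and an intact file.
                $sig = Get-AuthenticodeSignature -LiteralPath $image
                if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Name        = $svc.Name
                    DisplayName = $svc.DisplayName
                    State       = $svc.State
                    Account     = $svc.StartName
                    Image       = $image
                    Reasons     = ($reasons -join '; ')
                }
            }
        }
}

Get-AutoStartServiceFinding | Format-Table -AutoSize
```

The script is read-only and needs no elevation. A row in its output is a starting point for investigation, not a verdict: plenty of legitimate third-party services ship unsigned binaries or install under a custom directory, so compare each finding against a known-good baseline of the machine before acting on it.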
In all services that run, the SCM first runs a function that