How to register a windows service but avoid it being listed in the services console?


Question



I know a legitimate Windows Application, a parental control software, that installs as a service, but the service is not listed in the service list, the list you see in services.msc.

It is listed in the task manager, though, but not in the services list.

I know it is a service, because it is in the Registry section with all the rest of the services; however, the services.msc console won't list it.

I've researched for days without an answer.

I found this similar question, but in the answers they recommend complicated routes like writing a device driver: How to hide windows service from task manager in windows desktop

However, these guys made it with a service. How did they do it?

These are the Registry Keys:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ThatTrickySoftwareSrv]
    "Type"=dword:00000010
    "Start"=dword:00000002
    "ErrorControl"=dword:00000001
    "ImagePath"=hex(2):22,00
    "DisplayName"="Some display name"
    "ObjectName"="LocalSystem"
    "Description"="Some description"
    "FailureActions"=hex:00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ThatTrickySoftwareSrv\Security]
    "Security"=hex:01,00

Some binary content was truncated for readability.

This is on Windows 7 32bits.

Following Harry Johnston's advice:

**sc sdshow "ThatTrickySoftware"**

    D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

So, well, this was expected I guess: though it is not listed as a service, it runs as a service, because it is automatically started by Windows, but there's no clue anywhere as to how Windows could be running this application.

Also, note that the executable is listed in the Processes tab in the Task Manager; however, it is unbreakable, I can't kill it, nothing happens if I try to kill the process.

Solution

OK, I can reproduce this behaviour: by giving a service the same permissions as those of the mystery service, I can make it disappear from the list in services.msc.

    sc sdset myservice D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

So it's all down to the permissions.

OK, let's expand out that security descriptor string. This is a bit tricky because the mapping between the SDDL permissions and equivalent security manager permissions does not appear to be well documented in MSDN or in the SDK headers; luckily, Wayne Martin has already done the heavy lifting for us and posted the results in the blog entry Service Control Manager Security for non-admins.

    D: - this part is the DACL, the permissions on the service.

Deny entries always come first, which also means they take precedence over the allow entries:

    (D;;DCLCWPDTSD;;;IU) - deny (D) interactive users (IU) the following rights:
      DC - SERVICE_CHANGE_CONFIG (the right to change the service configuration)
      LC - SERVICE_QUERY_STATUS (the right to query the service status)
      WP - SERVICE_STOP (the right to stop the service)
      DT - SERVICE_PAUSE_CONTINUE (the right to pause and continue the service)
      SD - DELETE (the right to delete the service)
    (D;;DCLCWPDTSD;;;SU) - deny services (SU) the same set of rights as above
    (D;;DCLCWPDTSD;;;BA) - deny the Administrators group (BA) the same as above

The allow entries are just the same as the default permissions. (They are in a different order, but the order of allow entries is not significant.)

    (A;;CCLCSWLOCRRC;;;IU) - allow the interactive user the following rights:
      CC - SERVICE_QUERY_CONFIG (the right to query the service configuration)
      LC - overridden by the deny entry
      SW - SERVICE_ENUMERATE_DEPENDENTS (the right to see service dependencies)
      LO - SERVICE_INTERROGATE (the right to send SERVICE_CONTROL_INTERROGATE)
      CR - SERVICE_USER_DEFINED_CONTROL (the right to send a user defined control)
      RC - READ_CONTROL (the right to see the permissions)
    (A;;CCLCSWLOCRRC;;;SU) - allow services the following rights:
       same as for the interactive user
    (A;;CCLCSWRPWPDTLOCRRC;;;SY) - allow local system the following rights:
       same as for the interactive user, plus:
       RP - SERVICE_START (the right to start the service)
       WP - overridden by the deny entry for BA
       DT - overridden by the deny entry for BA
    (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA) - allow the Administrators group:
       same as for local system, plus:
       DC - overridden by the deny entry
       LC - overridden by the deny entry
       SW - overridden by the deny entry
       SD - overridden by the deny entry
       WD - WRITE_DAC (permission to change the permissions)
       WO - WRITE_OWNER (permission to take ownership)

Finally, we have the SACL. This is also unchanged from the default for a service.

    S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
      S: - indicates that this is a SACL
      AU - indicates that this is an audit entry
      FA - indicates that failed attempts to access the object should be audited
      WD - controls whose failed attempts should be audited; the Everyone SID
      CCDCLCSWRPWPDTLOCRSDRCWDWO - the kinds of access attempts to audit
        - appears to include every right that applies to services

So basically that just says "audit all failed attempts to access this service".

It should be possible to significantly simplify those permissions, e.g., by removing all the allow permissions that are overridden by the deny permissions. In fact, it seems likely the only access permission you would really need is SERVICE_START and perhaps SERVICE_QUERY permission for local system, and maybe not even those. :-)

On the other hand, the complexity of the permissions doesn't really matter, so it probably isn't worth the effort involved in testing the changes.


PS: to restore the default permissions you can say:

    sc sdset myservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
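The expansion above is done by hand; the following is an added example (not code from the question, the answer, or any Windows tool) that does the same decoding programmatically for the two descriptors quoted on this page. It parses the SDDL string `sc sdshow` prints into its DACL and SACL ACEs, names the rights using the mapping given in the answer, computes per-trustee effective rights with the "deny entries take precedence" rule, and flags the pattern reproduced with `sc sdset`: SERVICE_QUERY_STATUS (LC) denied to Administrators or interactive users. Treating that LC denial as the decisive bit for a service vanishing from services.msc is this example's own triage rule, not a statement from the answer; function names, the `TRUSTEE_NAMES` table and the `HIDDEN_SDDL`/`DEFAULT_SDDL` constants are the example's own. Running it over the `sc sdshow` output for every installed service is one way to inventory services configured this way.

```python
"""
Offline decoder for Windows service SDDL strings (the output of `sc sdshow`).
Added example; not part of the original question or answer.
"""
import re

# Two-letter SDDL rights -> service-specific / standard rights, as decoded in the answer.
RIGHT_NAMES = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known trustee abbreviations that appear in the descriptors on this page.
TRUSTEE_NAMES = {"IU": "Interactive users", "SU": "Service logon SIDs",
                 "SY": "Local System", "BA": "Administrators", "WD": "Everyone"}
ACE_TYPE_NAMES = {"A": "allow", "D": "deny", "AU": "audit"}

# The two descriptors quoted on the page: the mystery service's, and the default one.
HIDDEN_SDDL = ("D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# A section is "D:" or "S:", optional ACL flags (e.g. P, AI), then a run of "(...)" ACEs.
_SECTION_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^()]*\))*)")
_ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_ace(text):
    """Decode one ACE body 'type;flags;rights;objguid;inhguid;trustee' into a dict."""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError("malformed ACE: (%s)" % text)
    ace_type, flags, rights, _obj, _inh, trustee = fields
    # Rights are either a hex mask or a run of two-letter codes.
    if rights.startswith("0x"):
        codes = [rights]
    else:
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return {"type": ace_type, "flags": flags, "rights": codes, "trustee": trustee}


def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]} of decoded ACEs (O:/G: parts, if present, are ignored)."""
    out = {"dacl": [], "sacl": []}
    for section, _flags, aces in _SECTION_RE.findall(sddl):
        key = "dacl" if section == "D" else "sacl"
        out[key].extend(parse_ace(body) for body in _ACE_RE.findall(aces))
    return out


def denied_rights(dacl):
    """Rights explicitly denied, keyed by trustee abbreviation or SID."""
    denied = {}
    for ace in dacl:
        if ace["type"] == "D":
            denied.setdefault(ace["trustee"], set()).update(ace["rights"])
    return denied


def effective_rights(dacl):
    """Allowed rights minus the same trustee's denied rights (deny takes precedence).
    This is a per-SID view; a real access check also merges the caller's group memberships."""
    allowed = {}
    for ace in dacl:
        if ace["type"] == "A":
            allowed.setdefault(ace["trustee"], set()).update(ace["rights"])
    denied = denied_rights(dacl)
    return {t: allowed.get(t, set()) - denied.get(t, set()) for t in allowed.keys() | denied.keys()}


def hidden_from_services_msc(sddl):
    """Triage rule (this example's assumption): SERVICE_QUERY_STATUS (LC) denied to
    Administrators (BA) or interactive users (IU) is the pattern the answer reproduces."""
    denied = denied_rights(parse_sddl(sddl)["dacl"])
    return any("LC" in denied.get(t, set()) for t in ("BA", "IU"))


def describe(sddl):
    """Human-readable expansion, one line per ACE, in the style of the answer."""
    lines = []
    parsed = parse_sddl(sddl)
    for acl in ("dacl", "sacl"):
        for ace in parsed[acl]:
            who = TRUSTEE_NAMES.get(ace["trustee"], ace["trustee"])
            kind = ACE_TYPE_NAMES.get(ace["type"], ace["type"])
            names = ", ".join(RIGHT_NAMES.get(c, c) for c in ace["rights"])
            lines.append("%s %s %s: %s" % (acl.upper(), kind, who, names))
    return lines


if __name__ == "__main__":
    for label, sddl in (("mystery service", HIDDEN_SDDL), ("default", DEFAULT_SDDL)):
        print("== %s: hidden from services.msc? %s" % (label, hidden_from_services_msc(sddl)))
        for line in describe(sddl):
            print("  " + line)
```

Feeding the script a descriptor copied from `sc sdshow <name>` gives the same per-ACE breakdown the answer wrote out by hand, plus the per-trustee effective set, which makes the "allowed but overridden by a deny" entries visible at a glance.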
