Service Exploits

Common Windows service exploitation techniques

What are services?

Windows services are specialized programs that run in the background and provide core operating system functions or extended capabilities to applications and users. They start automatically during system boot or on demand and often run with elevated privileges, enabling them to operate regardless of user sessions.

Key Characteristics

  • Automatic and Background Operation: Services can be set to start automatically, manually, or be disabled. They continue to run even if no user is logged in.

  • Managed by Service Control Manager: Windows uses the Service Control Manager (SCM) to manage the lifecycle of services (start, stop, pause, resume).

  • Security Context: Services can run under various accounts, such as LocalSystem, NetworkService, LocalService, or custom user/service accounts, affecting their permissions and network access.

  • Examples:

    • Print Spooler (handles printing jobs)

    • Windows Update (manages system updates)

    • DHCP Client (obtains and manages IP addresses)
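The characteristics above can be read off a live system. The following read-only PowerShell inventory is an added example, not part of the original page. It assumes the standard short service names `Spooler`, `wuauserv` and `Dhcp` for the three services listed, and the helper `Get-ServiceAccountClass` is a hypothetical name introduced here.

```powershell
# Added example: inventory services by start mode and security context.
# Reads from CIM (Win32_Service) only; nothing on the system is changed.

function Get-ServiceAccountClass {
    # Hypothetical helper: map the SCM "log on as" value to the account
    # types named in the text.
    param([string]$StartName)
    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'Unknown' }
    switch -Regex ($StartName) {
        '^(\.\\)?LocalSystem$'            { return 'LocalSystem' }
        '^NT AUTHORITY\\SYSTEM$'          { return 'LocalSystem' }
        '^NT AUTHORITY\\NetworkService$'  { return 'NetworkService' }
        '^NT AUTHORITY\\LocalService$'    { return 'LocalService' }
        default                           { return 'Custom' }   # user, domain or virtual service account
    }
}

# Pull every service once and attach the account class.
$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, DisplayName, StartMode, State, StartName,
        @{ Name = 'AccountClass'; Expression = { Get-ServiceAccountClass $_.StartName } }

# The three example services: start mode, current state and account.
$services |
    Where-Object Name -in 'Spooler', 'wuauserv', 'Dhcp' |
    Format-Table Name, DisplayName, StartMode, State, StartName -AutoSize

# How many services run in each security context, split by start mode
# (Auto, Manual, Disabled).
$services |
    Group-Object AccountClass, StartMode |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Services under custom accounts: candidates for a least-privilege review.
$services |
    Where-Object AccountClass -eq 'Custom' |
    Format-Table Name, StartMode, State, StartName -AutoSize
```

Services that start automatically under LocalSystem keep running with full local privileges whether or not a user is logged in, so that group is the one to keep small and well understood.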
