如何注册Windows服务但避免将其列在服务控制台中？

Question

我知道一个合法的Windows应用程序,一个家长控制软件,作为服务安装,但该服务未列在服务列表中,您在services.msc中看到的列表.

但它列在任务管理器中,但不在服务器列表中.

我知道它是一个服务器,因为它在Registry部分中包含所有其他服务,但是,services.msc控制台不会列出它.

我已经研究了几天没有回答.

我发现了类似的问题,但在答案中他们建议使用复杂的路径,例如编写设备驱动程序: 如何在Windows桌面上隐藏任务管理器的Windows服务

然而,这些家伙用服务做到了.他们是怎么做到的？

这是注册表项:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ThatTrickySoftwareSrv]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):22,00
"DisplayName"="Some display name"
"ObjectName"="LocalSystem"
"Description"="Some description"
"FailureActions"=hex:00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ThatTrickySoftwareSrv\Security]
"Security"=hex:01,00

为了便于阅读,一些二进制内容被截断.

这是在Windows 7 32位上.

遵循Harry Jonhston的建议:

**sc sdshow "ThatTrickySoftware"**
    D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;
;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRC
WDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

所以,我猜这是预期的,虽然它没有被列为服务,但它作为一项服务运行,因为它是由Windows自动启动的,但是没有任何线索可以让Windows运行这个应用程序.

另外,请注意,可执行文件列在TaskManager的Process选项卡中,但是,它是牢不可破的,我无法杀死它,如果我试图杀死进程,它就没有任何反应.

Answer 1

OK,我可以重现此问题:通过提供服务相同的权限与神秘的服务,我可以把它从SERVICES.MSC列表中消失.

sc sdset myservice D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

所以这完全取决于权限.

好的,让我们扩展出安全描述符字符串.这有点棘手,因为SDDL权限和等效的安全管理器权限之间的映射似乎没有在MSDN或SDK标头中详细记录; 幸运的是,Wayne Martin已经为我们完成了繁重的工作,并将结果发布在非管理员的博客条目Service Control Manager Security中.

D: - this part is the DACL, the permissions on the service.

拒绝条目始终排在第一位,这也意味着它们优先于允许条目:

(D;;DCLCWPDTSD;;;IU) - deny (D) interactive users (IU) the following rights:
  DC - SERVICE_CHANGE_CONFIG (the right to change the service configuration)
  LC - SERVICE_QUERY_STATUS (the right to query the service status)
  WP - SERVICE_STOP (the right to stop the service)
  DT - SERVICE_PAUSE_CONTINUE (the right to pause and continue the service)
  SD - DELETE (the right to delete the service)
(D;;DCLCWPDTSD;;;SU) - deny services (SU) the same set of rights as above
(D;;DCLCWPDTSD;;;BA) - deny the Administrators group (BA) the same as above

允许条目与默认权限相同.(它们的顺序不同,但允许条目的顺序并不重要.)

(A;;CCLCSWLOCRRC;;;IU) - allow the interactive user the following rights:
  CC - SERVICE_QUERY_CONFIG (the right to query the service configuration)
  LC - overridden by the deny entry
  SW - SERVICE_ENUMERATE_DEPENDENTS (the right to see service dependencies)
  LO - SERVICE_INTERROGATE (the right to send SERVICE_CONTROL_INTERROGATE)
  CR - SERVICE_USER_DEFINED_CONTROL (the right to send a user defined control)
  RC - READ_CONTROL (the right to see the permissions)
(A;;CCLCSWLOCRRC;;;SU) - allow services the following rights:
   same as for the interactive user
(A;;CCLCSWRPWPDTLOCRRC;;;SY) - allow local system the following rights:
   same as for the interactive user, plus:       
   RP - SERVICE_START (the right to start the service)
   WP - overridden by the deny entry for BA
   DT - overridden by the deny entry for BA
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA) - allow the Administrators group:
   same as for local system, plus:
   DC - overridden by the deny entry
   LC - overridden by the deny entry
   SW - overridden by the deny entry
   SD - overridden by the deny entry
   WD - WRITE_DAC (permission to change the permissions)
   WO - WRITE_OWNER (permission to take ownership)

最后,我们有SACL.这与服务的默认值相同.

S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  S: - indicates that this is a SACL
  AU - indicates that this is an audit entry
  FA - indicates that failed attempts to access the object should be audited
  WD - controls whose failed attempts should be audited; the Everyone SID
  CCDCLCSWRPWPDTLOCRSDRCWDWO - the kinds of access attempts to audit
    - appears to include every right that applies to services

所以基本上只是说"审计所有失败的尝试访问此服务".

应该可以显着简化这些权限,例如,通过删除被拒绝权限覆盖的所有允许权限.事实上,您可能真正需要的唯一访问权限可能是本地系统的SERVICE_START和SERVICE_QUERY权限,甚至可能不是那些.:-)

另一方面,权限的复杂性并不重要,因此测试更改可能不值得.

PS:要恢复默认权限,您可以说:

sc sdset myservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)