
1 Windows Internals 4th, Chapter 4 (continued), Team 6
Service ~ Startup Errors: 945002086 洪健惟
Accepting the Boot and Last Known Good ~ Service Control Program: 945002089 李家豪
Windows Management Instrumentation ~ the Managed Object Format Language: 945002101 張凱翔
The WMI Namespace ~ Conclusion: 93502105 廖凡磊

2 Windows Internals 4th: Service ~ Startup Errors
Service p.211
Service Applications p.212
Service Accounts p.217
The Service Control Manager p.223
Service Startup p.225
Startup Errors p.229

3 What is a Service
Processes that start at system startup time and provide services to any user
Includes both services and device drivers
Similar to UNIX daemon processes
Ex: Web server

4 Service Components
Service Application
–Consists of at least one executable that runs as a Windows service
Service Control Program (SCP)
–Used to start, stop, or configure a service
Service Control Manager (SCM)
–Manages services in response to requests from Service Control Programs (SCP)
–\Windows\system32\services.exe

5 Service Components (cont.) (diagram: Service Application, Service Control Program (SCP), Service Control Manager (SCM))

6 Service Accounts
The account a service runs under dictates what resources the service process can access
The ObjectName value in the service's registry key decides which account the service runs under
Four types in Windows XP
–Local System Account
–Network Service Account
–Local Service Account
–Alternate Account (user-defined)

7 Service Accounts (cont.) (table of the service accounts available per Windows version: Windows NT series, Windows 95, Windows 98, Windows Me, Windows 2000, Windows XP, Windows Server 2003, against Local System Account, Domain User Account, Network Service Account, Local Service Account)

8 Service Accounts (cont.) (diagram slides 8 and 9)

10 Local System Account
Most services run in this account
Core Windows user-mode operating system components also use this account:
–Session Manager (Smss.exe)
–Windows subsystem process (Csrss.exe)
–Local Security Authority Subsystem (Lsass.exe)
–Winlogon process (Winlogon.exe)
–All in \Windows\system32\

11 Local System Account (cont.)
It is a member of the local Administrators group (Table 4-8)
It has the right to enable virtually every privilege (Table 4-9; Chapter 8 describes the use of each privilege)
It has full access to most files and registry keys

12 Local System Account (cont.)
Runs with the default user profile in HKU\.DEFAULT
When the system is a member of a Windows domain, the service is automatically authenticated on other machines
Shares and pipes that permit null sessions can be specified on a particular computer

13 Network Service Account
Intended for use by services that need to authenticate to other machines on the network
Differences from the Local System account:
–Fewer privileges (Ex: cannot access device drivers)
–Uses the Network Service account's profile in HKU\S-1-5-20, which is loaded from \Documents and Settings\NetworkService
Ex: DNS Client

14 Local Service Account
Virtually identical to the Network Service account
Differences from the Network Service account:
–Can only access network resources that allow anonymous access
–Uses the Local Service account's profile in HKU\S-1-5-19, which is loaded from \Documents and Settings\LocalService
Ex: Remote Registry service, Alerter service, LmHost service

15 Alternate Account
Because of the restrictions just outlined, some services need to run with the security credentials of a user account
Configured in the Windows Services MMC: Services snap-in → right-click on a service → select Properties → Log On tab → This Account option (Figure 4-10)
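The slides explain that the ObjectName value decides which of the four account types a service runs under. The following PowerShell script is an added example, not code from the slides or the book: it reads ObjectName for every service application under HKLM\SYSTEM\CurrentControlSet\Services, classifies it into the four types the slides list, and prints the user-defined (alternate) accounts first, since those are the ones an administrator has to review by hand. It assumes a Windows host with read access to HKLM\SYSTEM; the well-known account strings and the Type bit values come from the Win32 service API.

```powershell
# Added example (not from the slides): inventory which account each service runs under,
# using the ObjectName value the slides describe. Requires read access to HKLM\SYSTEM.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# The three system-defined accounts from the slides; anything else is a user-defined account.
$wellKnown = @{
    'LocalSystem'                 = 'Local System'
    'NT AUTHORITY\LocalSystem'    = 'Local System'
    'NT AUTHORITY\NetworkService' = 'Network Service'
    'NT AUTHORITY\LocalService'   = 'Local Service'
}

function Get-ServiceAccountClass {
    param([string]$ObjectName)
    # A missing ObjectName means the service defaults to Local System.
    if ([string]::IsNullOrEmpty($ObjectName)) { return 'Local System' }
    if ($wellKnown.ContainsKey($ObjectName)) { return $wellKnown[$ObjectName] }
    return 'Alternate (user-defined)'
}

$inventory = foreach ($key in Get-ChildItem $servicesKey) {
    $props = Get-ItemProperty -Path $key.PSPath
    # Type 0x10 = own process, 0x20 = share process (service applications);
    # 0x1 / 0x2 are kernel and file-system drivers, which have no logon account.
    if (-not ($props.Type -band 0x30)) { continue }
    [pscustomobject]@{
        Name         = $key.PSChildName
        ObjectName   = $props.ObjectName
        AccountClass = Get-ServiceAccountClass $props.ObjectName
        ImagePath    = $props.ImagePath
    }
}

# Summary by account type, then the alternate accounts in detail: each of those has a
# stored password and a user's privileges, so they are the entries worth reviewing.
$inventory | Group-Object AccountClass | Select-Object Name, Count | Format-Table -AutoSize
$inventory | Where-Object AccountClass -eq 'Alternate (user-defined)' |
    Format-Table Name, ObjectName, ImagePath -AutoSize
```

Drivers are skipped on purpose: their ObjectName holds an object-manager path such as \Driver\..., not a logon account, so including them would only produce false "alternate account" entries.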

16 Alternate Account (cont.) (screenshot only)

17 Interactive Services
Another restriction for services running under the Local System, Local Service, and Network Service accounts is that they can't display dialog boxes or windows on the interactive user's desktop.
This limitation is a consequence of the way the Windows subsystem assigns service processes to window stations.

18 to 21 Interactive Services (cont.) (diagram: Terminal Service environment containing Console Session (0), Session 1 ... Session N; window stations and desktops nested within a session)

22 Interactive Services (cont.)
Window stations in the console session (Session 0):
WinSta0 | visible | all interactive processes
Service-0x0-3e7$ | invisible | services running in the Local System account
Service-0x0-X$ (X is the logon identifier) | invisible | services running in other accounts

23 Interactive Services (cont.) (diagram only)

24 Interactive Services (cont.)
Since services aren't running on the visible window station, they can't receive input from a user or display windows on the console
Exceptions:
–A special flag is set on the MessageBox call:
MB_SERVICE_NOTIFICATION: the message box is always displayed on the interactive window station (forced)
MB_DEFAULT_DESKTOP_ONLY: the message box is displayed on the default desktop of the interactive window station

25 Interactive Services (cont.)
–The SERVICE_INTERACTIVE_PROCESS flag is set in the service's Type registry value:
The service must not run under a user-defined account
The SCM associates the service with WinSta0 rather than a non-interactive window station
However, Microsoft discourages running interactive services, especially in the Local System account
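Because Microsoft discourages interactive services, an administrator wants to know which services on a host have the SERVICE_INTERACTIVE_PROCESS bit set and whether the host-wide switch the SCM consults is enabled. The following PowerShell script is an added example, not code from the slides: it scans the Type value of every service for the 0x100 bit (the value of SERVICE_INTERACTIVE_PROCESS in the Win32 service API) and reads the NoInteractiveServices value under HKLM\SYSTEM\CurrentControlSet\Control\Windows, which is the registry name of the value slide 72 refers to as NonInteractive. It assumes a Windows host with read access to HKLM\SYSTEM.

```powershell
# Added example (not from the slides): list services that request an interactive window
# station, and show the global switch that makes the SCM ignore the request.
$SERVICE_INTERACTIVE_PROCESS = 0x100          # Win32 constant carried in the Type value
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-InteractiveService {
    foreach ($key in Get-ChildItem $servicesKey) {
        $p = Get-ItemProperty -Path $key.PSPath
        if (($p.Type -band $SERVICE_INTERACTIVE_PROCESS) -eq 0) { continue }
        [pscustomobject]@{
            Name        = $key.PSChildName
            Type        = ('0x{0:X}' -f $p.Type)
            ObjectName  = $p.ObjectName
            # The flag is only honoured without a user-defined account (slide 25);
            # an empty ObjectName defaults to Local System.
            SystemAccount = ([string]::IsNullOrEmpty($p.ObjectName) -or
                             $p.ObjectName -eq 'LocalSystem')
            ImagePath   = $p.ImagePath
        }
    }
}

# Host-wide switch: a non-zero NoInteractiveServices makes the SCM put every service on a
# non-interactive window station regardless of the flag (the slides call it NonInteractive).
$windowsCtl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
"NoInteractiveServices = $($windowsCtl.NoInteractiveServices)"

Get-InteractiveService | Format-Table -AutoSize
```

Any entry that runs as Local System with the flag set is a service that can put windows on WinSta0; the list is short on a clean installation, so new entries are the ones to ask about.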

26 Installing a New Service
The application calls CreateService in Advapi32.dll, which passes the request to the SCM

27 Installing a New Service (cont.)
SC_HANDLE WINAPI CreateService(
  __in     SC_HANDLE hSCManager,
  __in     LPCTSTR   lpServiceName,
  __in_opt LPCTSTR   lpDisplayName,
  __in     DWORD     dwDesiredAccess,
  __in     DWORD     dwServiceType,
  __in     DWORD     dwStartType,
  __in     DWORD     dwErrorControl,
  __in_opt LPCTSTR   lpBinaryPathName,   // error in textbook p.212
  __in_opt LPCTSTR   lpLoadOrderGroup,
  __out_opt LPDWORD  lpdwTagId,
  __in_opt LPCTSTR   lpDependencies,
  __in_opt LPCTSTR   lpServiceStartName,
  __in_opt LPCTSTR   lpPassword
);

28 to 34 Installing a New Service (cont.)
The application calls CreateService in Advapi32.dll, which tells the SCM
The SCM creates and defines a new registry key under HKLM\SYSTEM\CurrentControlSet\Services
The application then uses the StartService function, or asks the user to reboot the system so that the service initializes at startup

35 Installing a New Service (cont.)
If a service needs to store configuration information that is private to the service, the convention is to create a subkey named Parameters under its service key and to store the configuration information in values under that Parameters subkey
The SCM only accesses Parameters when the service is being deleted
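The installation sequence above (CreateService, the new key under HKLM\SYSTEM\CurrentControlSet\Services, StartService, and the Parameters convention) can be watched from an elevated PowerShell prompt. The script below is an added example, not code from the slides: New-Service is the cmdlet that calls CreateService, so the values the SCM writes into the new key can be read back immediately, and a Parameters subkey is created the way the slide describes. The service name ExampleSvc, the binary path and the LogLevel value are placeholders chosen for this example; the path does not have to exist for CreateService to succeed, so the start step is skipped and the service is deleted at the end.

```powershell
# Added example (not the slides' code): install a service, inspect the key the SCM creates,
# add the conventional Parameters subkey, then remove the service again. Run elevated.
$name       = 'ExampleSvc'                 # placeholder service name
$binaryPath = 'C:\Path\To\ExampleSvc.exe'  # placeholder; a real service binary is needed to start it
$serviceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

# New-Service maps onto CreateService: -Name is lpServiceName, -DisplayName is lpDisplayName,
# -BinaryPathName is lpBinaryPathName, -StartupType is dwStartType. No account is given,
# so ObjectName defaults to Local System.
New-Service -Name $name -DisplayName 'Example service (added demo)' `
            -BinaryPathName $binaryPath -StartupType Manual | Out-Null

# The SCM has now created the service key and populated it.
Get-ItemProperty -Path $serviceKey |
    Select-Object Type, Start, ErrorControl, ImagePath, ObjectName, DisplayName

# Private configuration lives under <service>\Parameters; the SCM does not read it,
# it only touches the subkey when the service is deleted.
New-Item -Path "$serviceKey\Parameters" -Force | Out-Null
New-ItemProperty -Path "$serviceKey\Parameters" -Name 'LogLevel' `
                 -PropertyType DWord -Value 3 | Out-Null
Get-ItemProperty -Path "$serviceKey\Parameters" | Select-Object LogLevel

# Start-Service would call StartService here; skipped because the placeholder binary does not exist.
# DeleteService marks the key for removal; it disappears once the last handle is closed.
sc.exe delete $name | Out-Null
```

Because CreateService does not validate lpBinaryPathName, a service key can point at a file that is not present; comparing ImagePath against the file system is therefore a useful routine check on a production host, independent of this demo.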

36 SrvAny Tool
If you have a program that you want to run as a service, you normally need to modify its startup code to conform to the requirements for services
Alternatively, you can use the SrvAny tool from the Windows Resource Kits; SrvAny enables you to run any application as a service
SrvAny services don't use the share-process Type value

37 to 40 SrvAny Tool (cont.)
A program is to be started as a service through SrvAny
SrvAny starts and tells the SCM that SrvAny is hosting a particular service
The SCM sends the start command to SrvAny
SrvAny starts the program as a child process, giving the program a copy of SrvAny's access token and a reference to the same window station

41 Starting a Service
Install a new service
Initialize the Service Control Manager (SCM) and the Local Security Authority Subsystem (LSASS)
The Service Control Manager (SCM) starts the service

42 to 51 Initializing the Service Control Manager
The I/O Manager loads boot-start and system-start drivers into \Driver
Winlogon.exe starts the SCM and LSASS
SvcCtrlMain creates the non-signaled event SvcCtrlEvent_A3752DX and calls ScCreateServiceDB
ScCreateServiceDB loads HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List into the service database
ScCreateServiceDB loads HKLM\SYSTEM\CurrentControlSet\Services and associates each service with its group in the service database
SvcCtrlMain calls ScGetBootAndSystemDriverState, which uses PnP_DeviceList to determine which drivers failed to load and saves their names in ScFailedDrivers
The SCM registers a shutdown handler for console applications and for the SCM itself
The SCM finishes initialization and signals SvcCtrlEvent_A3752DX


53 to 60 The SCM Starts a Service
After the SCM finishes initialization and signals SvcCtrlEvent_A3752DX:
SvcCtrlMain calls ScAutoStartServices
ScAutoStartServices marks the auto-start services in each group
ScAutoStartServices checks DependOnGroup
ScAutoStartServices checks DependOnService
ScAutoStartServices makes a final check
The SCM calls ScStartService to get the ImagePath
–Handling a service (must have an ImagePath)
–Handling a device driver (ImagePath is optional)

61 to 64 Handling a Device Driver
ScStartService calls ScLoadDeviceDriver
ScLoadDeviceDriver enables SeLoadDriverPrivilege
The ImagePath is passed to NtLoadDriver and the driver start is complete (if there is no ImagePath, the SCM builds one under \Windows\system32\Drivers\)


66 to 79 Handling a Service
The SCM adds the ObjectName and ImagePath to the image database
–User-defined account: the SCM calls LsaLogonUser
–System-defined account: the SCM loads the account information
ScLogonAndStartImage checks HKLM\SYSTEM\CurrentControlSet\Control\Windows\NonInteractive
ScLogonAndStartImage launches the service process if the service process hasn't already been started
The SCM sets the process state to suspended and calls CreateProcessAsUser
The SCM creates a named pipe and resumes the service process
The SCM waits for the service process to connect; in the service process, StartServiceCtrlDispatcher connects and waits for the start command
The SCM sends the start command
StartServiceCtrlDispatcher starts the service's initialization, which reports its status periodically
The SCM keeps listening to the pipe and goes on to start the next service

70 LsaLogonUser prototype
NTSTATUS LsaLogonUser(
  __in     HANDLE               LsaHandle,
  __in     PLSA_STRING          OriginName,
  __in     SECURITY_LOGON_TYPE  LogonType,
  __in     ULONG                AuthenticationPackage,
  __in     PVOID                AuthenticationInformation,
  __in     ULONG                AuthenticationInformationLength,
  __in_opt PTOKEN_GROUPS        LocalGroups,
  __in     PTOKEN_SOURCE        SourceContext,
  __out    PVOID*               ProfileBuffer,
  __out    PULONG               ProfileBufferLength,
  __out    PLUID                LogonId,
  __out    PHANDLE              Token,
  __out    PQUOTA_LIMITS        Quotas,
  __out    PNTSTATUS            SubStatus
);

80 Service-side entry points
BOOL WINAPI StartServiceCtrlDispatcher(
  __in const SERVICE_TABLE_ENTRY *lpServiceTable
);
SERVICE_STATUS_HANDLE WINAPI RegisterServiceCtrlHandler(
  __in LPCTSTR            lpServiceName,
  __in LPHANDLER_FUNCTION lpHandlerProc
);

81 to 87 Organized Key Points
Install a new service
SCM and LSASS initialization
The SCM starts service processes in the order of ServiceGroupOrder\List
The SCM starts the service inside the service process
The SCM starts services that have a group but are not in the List
The SCM starts services that do not belong to any group
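The start sequence in slides 53 to 59 and the key points just above describe three phases: groups in ServiceGroupOrder\List order, then services whose group is not in the List, then services with no group at all, with DependOnGroup and DependOnService consulted along the way. The PowerShell script below is an added example, not code from the slides or the book: it reads the same registry data the SCM's ScCreateServiceDB loads and reproduces that three-phase walk over the auto-start entries, printing each entry's dependencies beside it. It assumes a Windows host with read access to HKLM\SYSTEM; SERVICE_AUTO_START = 2 is the Start value the Win32 API uses for auto-start services, and the ordering shown is the group-level order from the slides, not the finer tag ordering inside a group.

```powershell
# Added example (not from the slides): rebuild the group-level auto-start order from the
# registry, so the three phases in the slides can be seen on a real host.
$SERVICE_AUTO_START = 2
$ctl = 'HKLM:\SYSTEM\CurrentControlSet'

# ServiceGroupOrder\List is a REG_MULTI_SZ whose element order is the load order.
$groupList = (Get-ItemProperty "$ctl\Control\ServiceGroupOrder").List

# Collect the auto-start services and drivers with the values ScAutoStartServices checks.
$autoStart = foreach ($key in Get-ChildItem "$ctl\Services") {
    $p = Get-ItemProperty -Path $key.PSPath
    if ($p.Start -ne $SERVICE_AUTO_START) { continue }
    [pscustomobject]@{
        Name            = $key.PSChildName
        Group           = $p.Group
        IsDriver        = [bool]($p.Type -band 0x3)       # kernel or file-system driver
        DependOnGroup   = @($p.DependOnGroup) -join ','
        DependOnService = @($p.DependOnService) -join ','
    }
}

function Get-AutoStartOrder {
    param($Services, [string[]]$GroupOrder)
    $ordered = New-Object System.Collections.Generic.List[object]
    # Phase 1: groups in List order (the "start service processes in the order of List" step).
    foreach ($g in $GroupOrder) {
        foreach ($s in ($Services | Where-Object { $_.Group -eq $g })) { $ordered.Add($s) }
    }
    # Phase 2: services that have a Group which does not appear in List.
    foreach ($s in ($Services | Where-Object { $_.Group -and ($GroupOrder -notcontains $_.Group) })) {
        $ordered.Add($s)
    }
    # Phase 3: services that belong to no group at all.
    foreach ($s in ($Services | Where-Object { -not $_.Group })) { $ordered.Add($s) }
    return $ordered
}

$i = 0
Get-AutoStartOrder -Services $autoStart -GroupOrder $groupList |
    ForEach-Object { $i++; $_ | Add-Member -NotePropertyName Order -NotePropertyValue $i -PassThru } |
    Format-Table Order, Name, Group, IsDriver, DependOnGroup, DependOnService -AutoSize
```

Reading the output top to bottom shows why a DependOnService entry that names a service later in the list forces the SCM to start that dependency out of group order, which is exactly the case the "check DependOnService" step exists for.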

88 Another Job of the SCM
When a network drive-letter connection is created or deleted, the SCM broadcasts the change to GUI applications
–It listens for the Multiple Provider Router's (MPR) signal event: \BaseNamedObjects\ScNetDrvMsg
–It uses GetDriveType to get the new list of drive letters
–It compares the new list with the old one; if the list changed, it broadcasts WM_DEVICECHANGE with subtype DBT_DEVICEREMOVECOMPLETE or DBT_DEVICEARRIVAL
