Introduction

Windows Services allow for the creation of continuously running executable applications. These applications have the ability to be automatically started upon booting, they may be paused and restarted, and they lack a user interface.

In order for a service to function properly, it needs to be associated with a system or user account. There are a few common built-in system accounts that are used to operate services such as LocalService, NetworkService, and LocalSystem. The following table describes the default secure access rights for accounts on a Windows system:

Account Permissions
Local Authenticated Users
(including LocalService and Network Service)
READ_CONTROL
SERVICE_ENUMERATE DEPENDENTS
SERVICE_INTERROGATE
SERVICE_QUERY_CONFIG
SERVICE_QUERY_STATUS
SERVICE_USER_DEFINED_CONTROL
Remote Authenticated Users Same as those for Local Authenitcated Users.
LocalSystem READ_CONTROL
SERVICE_ENUMERATE DEPENDENTS
SERVICE_INTERROGATE
SERVICE_PAUSE_CONTINUE
SERVICE_QUERY_CONFIG
SERVICE_QUERY_STATUS
SERVICE_START
SERVICE_STOP
SERVICE_USER_DEFINED_CONTROL
Administrators DELETE
READ_CONTROL
SERVICE_ALL_ACCESS
WRITE_DAC
WRITE_OWNER

Moreover, a registry entry exists for each service in HKLM\SYSTEM\CurrentControlSet\Services.

Enumeration

In general, manual enumeration of Windows services is a rather cumbersome process, so I suggest that you use a tool for automation such as WinPEAS.

winpeas.exe servicesinfo

The permissions a user has on a specific service can be inspected via the AccessChk Windows Utility.

acceschk.exe /accepteula -uwcqv <account> <service>