Introduction
Windows Services allow for the creation of continuously running executable applications. These applications have the ability to be automatically started upon booting, they may be paused and restarted, and they lack a user interface.
In order for a service to function properly, it needs to be associated with a system or user account. There are a few common built-in system accounts that are used to operate services such as LocalService, NetworkService, and LocalSystem. The following table describes the default secure access rights for accounts on a Windows system:
| Account | Permissions |
|---|---|
| Local Authenticated Users (including LocalService and Network Service) | READ_CONTROLSERVICE_ENUMERATE DEPENDENTS SERVICE_INTERROGATE SERVICE_QUERY_CONFIG SERVICE_QUERY_STATUS SERVICE_USER_DEFINED_CONTROL |
| Remote Authenticated Users | Same as those for Local Authenitcated Users. |
LocalSystem | READ_CONTROL SERVICE_ENUMERATE DEPENDENTS SERVICE_INTERROGATE SERVICE_PAUSE_CONTINUE SERVICE_QUERY_CONFIG SERVICE_QUERY_STATUS SERVICE_START SERVICE_STOP SERVICE_USER_DEFINED_CONTROL |
| Administrators | DELETE READ_CONTROL SERVICE_ALL_ACCESS WRITE_DAC WRITE_OWNER |
Moreover, a registry entry exists for each service in HKLM\SYSTEM\CurrentControlSet\Services.
Enumeration
In general, manual enumeration of Windows services is a rather cumbersome process, so I suggest that you use a tool for automation such as WinPEAS.
winpeas.exe servicesinfo
The permissions a user has on a specific service can be inspected via the AccessChk Windows Utility.
acceschk.exe /accepteula -uwcqv <account> <service>