This document provides an introduction to managing processes and services in the Windows operating system. It discusses how services can be configured to start automatically or manually at boot up using the Services snap-in or SC command. It also covers how to view running processes with Tasklist and kill processes using Taskkill or WMIC. Managing processes and services from the command line allows for scripting and bulk operations compared to the graphical user interface.
CyberAces Module1-Windows 9 ServicesAndProcesses
Welcome to Cyber Aces Online, Module 1!

A firm understanding of operating systems is essential to being able to secure or attack one. This module dives into the Microsoft Windows operating system. This training material was originally developed to help students, teachers, and mentors prepare for the Cyber Aces Online Competition. The module covers the basics of what an operating system is as well as the two predominant OSs, Windows and Linux. This session is part of Module 1, Introduction to Operating Systems, which is split into two sections, Linux and Windows. In this session, we continue our examination of Windows. The three modules of Cyber Aces Online are Operating Systems, Networking, and System Administration. For more information about the Cyber Aces program, please visit the Cyber Aces website at https://CyberAces.org/.

Windows Services

In this session we will discuss Windows services and processes. Software installed on the system is typically configured to run in one of two ways: it can be executed as an interactive user process, or it can run in the background as a service. Services run in the background and can be configured to start automatically after the system has booted.

Services can be managed several ways. Most users manage services with the "SERVICES.MSC" MMC snap-in (Start -> Run, type "services.msc", hit Enter). Services can also be started, stopped or listed with the NET command from the command line:

List the running services: net start
Start the Print Spooler service: net start "print spooler"
Stop the Print Spooler service: net stop "print spooler"

Note that "net start" with no arguments lists only the services that are currently running, not every installed service. The most powerful interface for managing Windows services is the command line Service Controller utility, "SC.EXE".

Windows Services Startup

Windows services can be set to various start-up modes, including preventing the service from starting at all.
The startup options are:
• Automatic – Starts after boot
• Manual – Starts only when required or called by another service or application
• Disabled – Will not run, even if another service attempts to start it
• Automatic (Delayed Start) – Starts after boot has completed, to avoid high load during boot. This option was added with Windows Vista.

The SC command can be used to create, stop, start, query, modify or delete Windows services. For help on the command run: sc /?

When using the SC command, you must use the service name, which is different from the display name. The service name is typically shorter, all lower case, and contains no spaces. The service name can be found via "sc query" or the Services snap-in.

The Services snap-in (Start -> Administrative Tools -> Services, or Start -> Run, type "services.msc", hit Enter) is the GUI front end for Windows services. The snap-in allows services to be stopped, started, restarted (stop then start), or paused. This can be done with the VCR-style controls in the toolbar, by right-clicking the service, or by double-clicking the service and using the control buttons. When a service is opened (double click or Enter key) the service name is visible. This name is what you need for command line interaction with the service.

Microsoft offers full documentation on the command here: https://www.redsiege.com/ca/sc

The "start=" option of "sc create" and "sc config" supports the following values:
• boot: A device driver that is loaded by the boot loader.
• system: A device driver that is started during kernel initialization.
• auto: A service that automatically starts each time the computer is restarted and runs even if no one logs on to the computer.
• demand: A service that must be manually started. This is the default value if start= is not specified.
• disabled: A service that cannot be started. To start a disabled service, change the start type to some other value.
• delayed-auto: The Automatic (Delayed Start) mode described above.

SC's option syntax is unusual: the equals sign is part of the option name and must be followed by a space, as in "sc config plugplay start= disabled". Writing "start=disabled" without the space is a syntax error.
Quiz

1. Which of the following commands can be used to determine the full path and parameters that are used to start the WebClient service?
• sc query CMD WebClient
• sc qc WebClient
• sc query WebClient
• sc query all WebClient

2. There are many ways to start and stop services on Windows. Which of the following commands is NOT a valid way to start the WebClient service?
• wmic service where name="WebClient" call StartService
• service WebClient start
• net start WebClient
• sc start WebClient

Answers

1. sc qc WebClient. The "qc" option, short for query configuration, must be used to view the full path (BINARY_PATH_NAME), along with the start type and the account the service runs as. "sc query" only reports the service's current state.

2. service WebClient start. That is the Linux init-script syntax, not a Windows command; all the other commands will start the WebClient service.

Exercise

What is the "service name" of the "Plug and Play" service? You can look in the GUI for this, as you will need it to complete the tasks below. Complete these steps via the command line:
1. Stop the service
2. Disable the service
3. Attempt to start the service
4. Enable the service
5. Start the service

You will need an elevated shell to perform these tasks. Search for "cmd", right-click Command Prompt, and choose Run as Administrator.

STOP! On the next few pages are the answers. Feel free to look ahead if you need help completing the task.

The "Plug and Play" service name is "plugplay".
Stop the service: sc stop plugplay
Disable the service: sc config plugplay start= disabled
Attempt to start the service (will fail since it is disabled): sc start plugplay
Enable the service: sc config plugplay start= demand
Start the service: sc start plugplay

Note: on current Windows versions the Plug and Play service is marked NOT_STOPPABLE ("sc query plugplay" shows this in the STATE line, and "sc stop plugplay" fails with error 1052, "The requested control is not valid for this service"). If that is what you see, practice the same sequence on a stoppable service such as the Print Spooler, whose service name is "Spooler".

Unlike services, applications usually interact with the user, but they don't have to run visibly on the screen or show up on the taskbar. Windows provides the user with several ways to manage running applications.
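The exercise above, carried out as a script: this is an added example written for this page, not part of the Cyber Aces material. It resolves a display name to the service name that SC needs, prints the same fields "sc qc" shows (start type, account, binary path), and then runs the stop / disable / start / enable sequence with state checks, restoring whatever start type the service had rather than assuming "demand". The default display name "Print Spooler" is an assumption, chosen because that service accepts stop requests on every Windows version; run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the Cyber Aces material. Resolves a display name to the
# service name that sc.exe needs, shows the fields "sc qc" prints, then runs the
# stop / disable / start / enable sequence from the exercise with state checks.
# Run from an elevated PowerShell prompt. "Print Spooler" is an assumed default:
# unlike Plug and Play on current Windows, it accepts stop requests.
param([string]$DisplayName = "Print Spooler")

# sc.exe "start=" keyword for each StartMode string WMI reports, so the original
# start type can be restored at the end instead of guessing "demand".
$StartKeyword = @{ Boot = 'boot'; System = 'system'; Auto = 'auto'; Manual = 'demand'; Disabled = 'disabled' }

function Get-ServiceConfig([string]$DisplayName) {
    # Win32_Service carries everything "sc qc <name>" and "sc query <name>" show.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName = '$DisplayName'"
    if (-not $svc) { throw "No service has the display name '$DisplayName'" }
    [pscustomobject]@{
        ServiceName = $svc.Name              # the name sc/net/wmic expect, e.g. "Spooler"
        StartMode   = $svc.StartMode         # Boot, System, Auto, Manual or Disabled
        Delayed     = $svc.DelayedAutoStart  # Automatic (Delayed Start)
        State       = $svc.State
        Account     = $svc.StartName         # LocalSystem, NT AUTHORITY\..., or a user
        BinaryPath  = $svc.PathName          # BINARY_PATH_NAME in sc qc output
        AcceptStop  = $svc.AcceptStop        # $false shows as NOT_STOPPABLE in sc query
    }
}

function Invoke-Sc([string[]]$Arguments) {
    # sc.exe returns the Win32 error code as its exit status (0 = success).
    $out = & sc.exe @Arguments 2>&1
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($out -join ' ').Trim() }
}

$cfg  = Get-ServiceConfig $DisplayName
$name = $cfg.ServiceName
$cfg | Format-List | Out-String | Write-Host

# Reviewing BINARY_PATH_NAME: an unquoted path containing spaces lets anyone who can
# write to one of its parent directories plant an executable the service account runs.
if ($cfg.BinaryPath -notmatch '^"' -and ($cfg.BinaryPath -split '\.exe', 2)[0] -match '\s') {
    Write-Warning "$name has an unquoted binary path with spaces: $($cfg.BinaryPath)"
}

if (-not $cfg.AcceptStop) {
    Write-Warning "$name is NOT_STOPPABLE; 'sc stop' returns error 1052. Choose another service."
    return
}

# 1. Stop. "sc stop" only sends the control request, so wait for the state change.
Invoke-Sc @('stop', $name) | Out-Null
(Get-Service $name).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))

# 2. Disable. sc.exe needs the space after "start=", so the value is its own argument.
Invoke-Sc @('config', $name, 'start=', 'disabled') | Out-Null

# 3. Starting a disabled service must fail (1058 = ERROR_SERVICE_DISABLED).
$r = Invoke-Sc @('start', $name)
Write-Host "sc start while disabled -> exit $($r.ExitCode): $($r.Output)"

# 4. Restore the start type the service had before, not a hard-coded "demand".
$keyword = if ($cfg.Delayed) { 'delayed-auto' } else { $StartKeyword[$cfg.StartMode] }
Invoke-Sc @('config', $name, 'start=', $keyword) | Out-Null

# 5. Start and confirm.
Invoke-Sc @('start', $name) | Out-Null
(Get-Service $name).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
Write-Host "$name is $((Get-Service $name).Status), start type restored to '$keyword'"
```

Run it as `.\Service-Exercise.ps1 -DisplayName "Plug and Play"` to see the NOT_STOPPABLE branch on a current system. The binary-path check is the one thing worth reading in every "sc qc" listing during a review: a service running as LocalSystem from an unquoted path such as C:\Program Files\Vendor Tool\svc.exe will try C:\Program.exe and C:\Program Files\Vendor.exe first.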
From the GUI, users can use Task Manager to monitor, start and kill applications. At the command line, TASKLIST.EXE and its partner TASKKILL.EXE can monitor or kill tasks. WMIC, a command line powerhouse, also boasts the ability to control processes among its many other uses. The tasklist and taskkill commands were mentioned earlier in the basic commands section.

From the command line, you have several options for controlling running processes. TASKKILL.EXE can kill applications based on their process ID number (PID) or the name of the executable. WMIC can also be used to manage tasks from the command line. One significant advantage of the command line tools is that they can be scripted and run quickly. It is not uncommon for malicious code to launch several copies of itself, each monitoring the others to make sure they are still running. If one of the malicious processes notices that another has stopped, it relaunches it. So to get rid of the malware, you have to kill all of the copies at the same time. This is impractical with the GUI-based Task Manager, which kills one process per click.

The tasklist command (without any additional options) lists the processes running on the system. The tasklist command can also look for a specific process, by name:
C:\> tasklist /fi "imagename eq calc.exe"
Or by process ID:
C:\> tasklist /fi "pid eq 3088"

The taskkill command can kill processes based on the process ID (PID), image name, and other criteria (see the help page, taskkill /?, for more details):
C:\> taskkill /PID 605
C:\> taskkill /IM calc.exe
Add /F to forcibly terminate a process that ignores the close request, and /T to also kill the processes it started.

To loop and kill processes based on user, name, executable path and other methods check out: https://redsiege.com/ca/tasks

When it comes to managing processes from the command line, TASKLIST is not the only sheriff in town. Processes, like most aspects of the Windows operating system, can also be controlled at the command line with the WMIC command.
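The watchdog scenario above (copies of a program that restart each other) is the case where a snapshot-then-kill script beats clicking through Task Manager. The following is an added example written for this page, not part of the Cyber Aces material: it takes one snapshot of every process whose image name matches a pattern, leaves one protected PID alone, terminates all the others in a single pass, and then re-checks whether anything came back. The defaults are assumptions: pattern "bd*" for the bd01.exe, bd02.exe, ... copies described in the text, and the current PowerShell process as the one to protect.

```powershell
# Added example, not part of the Cyber Aces material. Kills every process whose image
# name matches a pattern except one protected PID, in one pass, so processes that
# watch each other get no window to respawn a sibling. Same effect as
#   wmic process where (name like "bd%" and processid != 1234) delete
# Defaults are assumptions: pattern "bd*" (bd01.exe, bd02.exe, ...) and the current
# PowerShell process as the one to keep.
param(
    [string]$NamePattern = 'bd*',
    [int]$ProtectPid = $PID
)

function Get-TargetProcesses([string]$NamePattern, [int]$ProtectPid) {
    # Snapshot first. Win32_Process gives what "tasklist /v" shows plus the full path
    # and command line, so you can tell a renamed cmd.exe from the real one.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.Name -like $NamePattern -and $_.ProcessId -ne $ProtectPid } |
        Select-Object Name, ProcessId, ParentProcessId, ExecutablePath, CommandLine
}

function Stop-TargetProcesses([object[]]$Targets) {
    # Open a handle to every target before terminating any of them, then terminate
    # them back to back. Stop-Process -Force is the "taskkill /F" equivalent.
    $procs = @(foreach ($t in $Targets) {
        try { Get-Process -Id $t.ProcessId -ErrorAction Stop } catch { }   # already exited
    })
    $procs | Stop-Process -Force -ErrorAction SilentlyContinue
    $procs.Count
}

$targets = @(Get-TargetProcesses $NamePattern $ProtectPid)
"Matched $($targets.Count) process(es) for '$NamePattern' (protecting PID $ProtectPid):"
$targets | Format-Table Name, ProcessId, ParentProcessId, ExecutablePath -AutoSize | Out-String | Write-Host

if ($targets.Count -gt 0) {
    $killed = Stop-TargetProcesses $targets
    Start-Sleep -Milliseconds 500
    # Anything back after the pass means a watchdog outside the pattern survived:
    # check ParentProcessId in the snapshot above and widen the pattern to include it.
    $left = @(Get-TargetProcesses $NamePattern $ProtectPid)
    "Terminated $killed; $($left.Count) matching process(es) remain."
}
```

For the first exercise in this session, run it as `.\Kill-Matching.ps1 -NamePattern cmd.exe -ProtectPid 1234`; for the backdoor exercise, the defaults apply. Note that a plain "like" match on the image name is what the malware author expects you to do; ExecutablePath and ParentProcessId in the snapshot are the columns that show which process is really launching the copies.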
In this section, we will focus on using WMIC to manage processes, but WMIC is a very powerful tool and can do much, much more. WMIC Intro Guide: https://redsiege.com/ca/wmic

The WMIC command can also run commands on remote systems. It requires the correct permissions and the appropriate credentials. The /node switch connects to a remote system. You can specify the remote host by name:
C:\> wmic /node:servername process call create calc.exe
By IP address:
C:\> wmic /node:4.5.6.7 process call create calc.exe
Or a list of IP addresses and/or names in a text file:
C:\> wmic /node:@list.txt process call create calc.exe

These commands authenticate to the remote system as the currently logged-in user. You can specify a particular user and password with the /user and /password switches respectively:
C:\> wmic /node:someserver /user:curly /password:"myP@55w0rD" process call create calc.exe
The user can be a domain user by specifying the domain as part of the username:
C:\> wmic /node:someserver /user:mydomain\curly /password:"myP@55w0rD" process call create calc.exe

Two cautions. First, a password given with /password is visible to anyone who can list processes on your machine and stays in the command history; give /user without /password and WMIC prompts for it instead. Second, remote "process call create" is exactly the technique attackers use for lateral movement; on the target, the new process appears as a child of WmiPrvSE.exe, which is how defenders spot it. WMIC itself is deprecated in current Windows releases; the PowerShell cmdlets Get-CimInstance and Invoke-CimMethod work against the same WMI classes.

Scheduled Tasks

Applications can be run interactively by the user, but they can also be scheduled to run at specific times. Scheduled tasks can be triggered by the date and time or by events that occur in the operating system. For example, you can schedule your antivirus software to scan your computer every night at 9:00 pm, or you could set up a scheduled task to send you an email every time the event log records that someone has logged into the system.

Tasks can be scheduled through the GUI using the "Task Scheduler", located at Control Panel -> Administrative Tools -> Task Scheduler. You can also manage tasks with "SCHTASKS" and, before Windows 8, the "AT" command. SCHTASKS enables an administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer.
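The event-driven task described above, built with SCHTASKS: this is an added example written for this page, not part of the Cyber Aces material. It creates a task that fires when the Security log records a logon, confirms the task's trigger and run-as account, runs it once by hand, and deletes it again. The task name, the output file path, the SYSTEM run-as account and Security Event ID 4624 ("An account was successfully logged on") are assumptions for the demonstration; because the task reads the Security log and runs as SYSTEM, it must be created from an elevated prompt.

```powershell
# Added example, not part of the Cyber Aces material. Uses schtasks.exe to create the
# task the text describes (react whenever a logon is recorded), confirm it, run it
# once by hand, and remove it. Run elevated: the task reads the Security log and runs
# as SYSTEM. Task name, log path and Event ID 4624 are assumptions for the demo.
$TaskName = 'CA-LogonAlert'
$LogFile  = 'C:\Temp\logon-events.txt'          # no spaces, so no quoting inside /TR
# Action: append a timestamp to the file. In real use this is where you would notify.
$Action   = "cmd.exe /c echo %DATE% %TIME% logon >> $LogFile"
# XPath filter for the Security channel, same syntax Event Viewer custom views use.
$Query    = '*[System[Provider[@Name=''Microsoft-Windows-Security-Auditing''] and EventID=4624]]'

function Invoke-Schtasks([string[]]$Arguments) {
    # schtasks.exe exits non-zero on failure and prints the reason to stderr.
    $out = & schtasks.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "schtasks $($Arguments[0]) failed: $($out -join ' ')" }
    $out
}

New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null

# /Create: /SC ONEVENT takes /EC (event channel) and /MO (XPath query); /RU SYSTEM makes
# the task run whether or not anyone is logged on; /F replaces an existing task of that name.
Invoke-Schtasks @('/Create', '/TN', $TaskName, '/TR', $Action,
                  '/SC', 'ONEVENT', '/EC', 'Security', '/MO', $Query,
                  '/RU', 'SYSTEM', '/F') | Out-Null

# /Query /V /FO LIST is the fastest way to audit a task: who it runs as and what it runs.
Invoke-Schtasks @('/Query', '/TN', $TaskName, '/V', '/FO', 'LIST') |
    Where-Object { $_ -match '^(TaskName|Task To Run|Run As User|Schedule Type|Status):' }

# /Run fires the action now instead of waiting for a logon event.
Invoke-Schtasks @('/Run', '/TN', $TaskName) | Out-Null
Start-Sleep -Seconds 2
if (Test-Path $LogFile) { Get-Content $LogFile | Select-Object -Last 1 }

# /Delete /F removes the task without the confirmation prompt.
Invoke-Schtasks @('/Delete', '/TN', $TaskName, '/F') | Out-Null
```

The same "/Query /V /FO LIST" call with no /TN argument lists every registered task, which is the first place to look for persistence on a compromised host: a task running as SYSTEM whose "Task To Run" points at a user-writable directory deserves a second look.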
Running Schtasks.exe without arguments displays the status and next run time for each registered task. The most common options for schtasks are:
• /Run – run the specified task
• /End – stop a currently running task
• /Create – create a new scheduled task
• /Delete – delete an existing task
• /Query – display all scheduled tasks
• /Change – modify an existing scheduled task

Creating a task allows us to specify the user and password to create the task as, as well as the credentials the task should run under. The options also allow us to schedule more granularly than the AT command. See the help page (schtasks /?) for additional details on scheduling.

Exercises

1. An attacker launches a new CMD.EXE process on your box every few minutes. You want to stop him, but you need your own CMD.EXE process open to defend your system. Kill the other CMD.EXE processes. Open one command prompt and note its process ID, then open two more. Your goal is to close all the command prompts that are NOT yours. You may want to write the command in Notepad and paste it, in case you kill the wrong window.

2. You have a nasty piece of malware on your system. The malware has processes running named "bd01.exe", "bd02.exe" and "bd03.exe". Every time you kill a single process, two more appear. All the malware is named "BDxx.exe", where xx is a number. Kill all of these processes! Simulate this by copying C:\Windows\System32\cmd.exe to your desktop and renaming it. Hint: the % is a wildcard.

STOP! On the next few pages are the answers. Feel free to look ahead if you need help completing the task.

An attacker launches a new CMD.EXE process on your box every few minutes. You want to stop him, but you need your own CMD.EXE process open to defend your system. You know that YOUR CMD.EXE has a process ID of 1234. Write a command to kill all other CMD.EXE processes while keeping your own.
wmic process where (name="cmd.exe" and processid != 1234) delete
This command kills processes named "cmd.exe" that do not have a process ID of 1234, which terminates every "cmd.exe" process except yours.

You have a nasty piece of malware on your system. The malware has processes running named "bd01.exe", "bd02.exe" and "bd03.exe". Every time you kill a single process, two more appear. All the malware is named "BDxx.exe", where xx is a number. Which wmic command can be used to kill all of the backdoors at the same time?
wmic process where (name like "bd%") delete
The percent sign (%) is the wildcard character in WMI's "like" operator and will match any process name starting with "bd". The match is case-insensitive, so it catches "BD01.exe" as well. Because the command collects the whole matching set before deleting, the copies have no chance to restart each other, which is the property the Task Manager approach lacks.

Additional References

The Windows operating system is often in the crosshairs of today's attackers. Microsoft has responded by adding a large number of security features to the operating system, and we have only briefly touched on a few of them here. Here are just a few additional references for your exploration:
https://www.redsiege.com/ca/mssecurity
https://www.redsiege.com/ca/sanssecurity
https://www.redsiege.com/ca/darknetsecurity

You have successfully completed the session on Windows services and processes. This concludes Module 1, Introduction to Operating Systems; you have just completed the portion on Windows. In the next module, we will discuss networking.