Windows Internals 4th, Chapter 4 (continued)
Team 6
• Service ~ Startup Errors: 945002086 洪健惟
• Accepting the Boot and Last Known Good ~ Service Control Program: 945002089 李家豪
• Windows Management Instrumentation ~ the Managed Object Format Language: 945002101 張凱翔
• The WMI Namespace ~ Conclusion: 93502105 廖凡磊

Windows Internals 4th: Service ~ Startup Errors
• Service p.211
• Service Applications p.212
• Service Accounts p.217
• The Service Control Manager p.223
• Service Startup p.225
• Startup Errors p.229

What Is a Service
• Processes started at system startup time that provide services to any user
• Include services and device drivers
• Similar to UNIX daemon processes
• Ex: Web server

Service Components
• Service Application
  • Consists of at least one executable that runs as a Windows service
• Service Control Program (SCP)
  • Used to start, stop, or configure a service
• Service Control Manager (SCM)
  • Manages the Service Control Program (SCP)
  • \Windows\system32\services.exe

Service Accounts
• The account a service runs in dictates what resources the process can access
• In the service's registry key, the ObjectName value determines which account the service runs in
• Four types in Windows XP
  • Local System Account
  • Network Service Account
  • Local Service Account
  • Alternate Account (user-defined)

Service Accounts (cont.)
[Figure: service accounts by Windows version. Version labels: Windows NT series; Windows 95, Windows 98, Windows Me; Windows 2000, Windows XP, Windows Server 2003. Account labels: Local System Account, Domain User Account, Network Service Account, Local Service Account]

Local System Account
• Most services run in this account
• Core Windows user-mode operating system components use this account
  • Session Manager (Smss.exe)
  • Windows subsystem process (Csrss.exe)
  • Local Security Authority Subsystem (Lsass.exe)
  • Winlogon process (Winlogon.exe)
  • All in \Windows\system32\

Local System Account (cont.)
• It is a member of the local administrators group (Table 4-8)
• It has the right to enable virtually every privilege (Table 4-9) (Chapter 8 describes the use of each privilege)
• It has full access to most files and registry keys

Local System Account (cont.)
• Runs with the default user profile in HKU\.DEFAULT
• When a system is a member of a Windows domain, the service will be automatically authenticated on other machines
• Can specify the shares and pipes on a particular computer that permit null sessions

Network Service Account
• Intended for use by services that wish to authenticate to other machines on the network
• Differences from the local system account:
  • Fewer privileges (Ex: can't access device driver)
  • Uses the network service account's profile in HKU\S-1-5-20, which is loaded from \Documents and Settings\NetworkService
• Ex: DNS client

Local Service Account
• Virtually identical to the network service account
• Differences from the network service account:
  • Can only access network resources that allow anonymous access
  • Uses the local service account's profile in HKU\S-1-5-19, which is loaded from \Documents and Settings\LocalService
• Ex: Remote Registry Service, Alerter Service, LmHost Service

Alternate Account
• Because of the restrictions just outlined, some services need to run with the security credentials of a user account
• Can be configured in the Windows Services MMC: Services snap-in → right-click on a service → select Properties → Log On tab → This Account option (Figure 4-10)

Interactive Services
• Another restriction for services running under the local system, local service, and network service accounts is that they can't display dialog boxes or windows on the interactive user's desktop
• This limitation is a consequence of the way the Windows subsystem assigns service processes to window stations

Interactive Services (cont.)
[Figure: Terminal Service Environment. Labels: Console Session (0), Session 1, ……, Session N; Window Station; Desktop]

Interactive Services (cont.)
Window stations in the Console Session (Session 0):
• WinSta0: visible; all interactive processes
• Service-0x0-3e7$: invisible; services run with the local system account
• Service-0x0-X$ (X is the logon identifier): invisible; services run with other accounts

Interactive Services (cont.)
• Since services aren't running on the visible window station, they can't receive input from a user or display windows on the console
• Exception: a special flag is set on the MessageBox call:
  • MB_SERVICE_NOTIFICATION: the message box will always be displayed on the interactive window station (forced)
  • MB_DEFAULT_DESKTOP_ONLY: the message box will be displayed on the default desktop of the interactive window station

Interactive Services (cont.)
• Set the service's Type registry value to include SERVICE_INTERACTIVE_PROCESS:
  • The service must run without a user-defined account
  • The SCM will associate the service with WinSta0 rather than another non-interactive window station
• However, Microsoft discourages running interactive services, especially in the local system account

Install New Service
• The application calls CreateService in Advapi32.dll and tells the SCM

Install New Service (cont.)
SC_HANDLE WINAPI CreateService (
    __in      SC_HANDLE hSCManager,
    __in      LPCTSTR   lpServiceName,
    __in_opt  LPCTSTR   lpDisplayName,
    __in      DWORD     dwDesiredAccess,
    __in      DWORD     dwServiceType,
    __in      DWORD     dwStartType,
    __in      DWORD     dwErrorControl,
    __in_opt  LPCTSTR   lpBinaryPathName,   // error in textbook p.212
    __in_opt  LPCTSTR   lpLoadOrderGroup,
    __out_opt LPDWORD   lpdwTagId,
    __in_opt  LPCTSTR   lpDependencies,
    __in_opt  LPCTSTR   lpServiceStartName,
    __in_opt  LPCTSTR   lpPassword
);

Install New Service (cont.)
• The application calls CreateService in Advapi32.dll and tells the SCM
• The SCM creates and defines a new registry key under HKLM\SYSTEM\CurrentControlSet\Services
• The application calls the StartService function, or asks the user to reboot the system so that the service is initialized at start-up

Install New Service (cont.)
• If a service needs to store configuration information that is private to the service, the convention is to create a subkey named Parameters under its service key and then store the configuration information in values under that Parameters subkey
• The SCM only accesses the Parameters subkey when the service is to be deleted
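
The ObjectName and Type values from the Service Accounts and Interactive Services slides, and the Parameters subkey convention above, can be checked on a live system by reading the keys under HKLM\SYSTEM\CurrentControlSet\Services. The following read-only PowerShell audit is an added example, not part of the original slides; the names Get-ServiceTypeNames, IsWin32 and HasParameters are chosen here for illustration, and the Type bit values are the SERVICE_* constants from winnt.h.

```powershell
# Added example (not from the slides): read-only audit of service registry keys.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Decode the Type bitmask (SERVICE_* values from winnt.h).
function Get-ServiceTypeNames {
    param([int]$Type)
    $names = @()
    if ($Type -band 0x001) { $names += 'KERNEL_DRIVER' }
    if ($Type -band 0x002) { $names += 'FILE_SYSTEM_DRIVER' }
    if ($Type -band 0x010) { $names += 'WIN32_OWN_PROCESS' }
    if ($Type -band 0x020) { $names += 'WIN32_SHARE_PROCESS' }
    if ($Type -band 0x100) { $names += 'INTERACTIVE_PROCESS' }
    $names -join '|'
}

$report = foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
    $type = $key.GetValue('Type')
    if ($type -isnot [int]) { continue }     # no usable service definition in this key
    $account = $key.GetValue('ObjectName')   # account for Win32 services
    if ([string]::IsNullOrEmpty($account)) { $account = '(not set)' }
    [pscustomobject]@{
        Name          = $key.PSChildName
        Type          = Get-ServiceTypeNames -Type $type
        IsWin32       = [bool]($type -band 0x030)
        Interactive   = [bool]($type -band 0x100)
        Start         = $key.GetValue('Start')
        Account       = $account
        HasParameters = Test-Path -LiteralPath (Join-Path $key.PSPath 'Parameters')
    }
}

# Number of Win32 services running under each account (ObjectName).
$report | Where-Object { $_.IsWin32 } |
    Group-Object Account | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Services with the interactive flag, which the SCM associates with WinSta0.
$report | Where-Object { $_.Interactive } |
    Format-Table Name, Account, Type, Start, HasParameters -AutoSize
```

Rows in the second table are the ones to review first, since the slides note that Microsoft discourages interactive services, especially in the local system account.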

SrvAny Tool
• If you have a program that you want to run as a service, you need to modify the startup code to conform to the requirements for services
• Alternatively, you can use the SrvAny tool in the Windows Resource Kits; SrvAny enables you to run any application as a service
• SrvAny doesn't have a share-process Type value

SrvAny Tool (cont.)
• A program is to be started as a service through SrvAny
• SrvAny starts and tells the SCM that SrvAny is hosting a particular service
• The SCM sends the start-up command to SrvAny
• SrvAny starts the program as a child process and gives it a copy of SrvAny's access token and a reference to the same window station

Start a Service
• Install a new service
• Initialize the Service Control Manager (SCM) and the Local Security Authority Subsystem (LSASS)
• The Service Control Manager (SCM) starts a service

Initialize Service Control Manager
• The I/O manager loads boot-start and system-start drivers into \Driver
• Winlogon.exe starts the SCM and LSASS
• SvcCtrlMain creates the SvcCtrlEvent_A3752DX event, initially nonsignaled, and calls ScCreateServiceDB
• ScCreateServiceDB loads HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List into the service database
• ScCreateServiceDB loads HKLM\SYSTEM\CurrentControlSet\Services and associates it with the service database
• SvcCtrlMain calls ScGetBootAndSystemDriverState to save driver names to ScFailedDrivers, using PnP_DeviceList
• The SCM registers a shutdown handler for console application and the SCM itself