Talk about Win2K service


Create time: 2002-07-25

Article attribute: original

Article Source: www.opengram.com

Article submission: Refdom (refDom_at_263.net)

Author: Refdom

Email: Refdom@263.net

Homepage: www.opengram.com

2002/7/25

I, summary

II, about Win2K service

III, service launch and closing basic procedure

IV, service programming

V, the security of the service

VI, service management

VII, end

I, summary

A service under Windows NT is similar to a daemon on Unix. More and more software is now designed to run as a service, and since the launch of XP, multi-user switching has been implemented very effectively through services.

Looking at Windows services from a security perspective raises many topics, such as the privileges a service runs with and the time at which it runs.

This article introduces and discusses some aspects of Windows services. It is limited by my own level, and the content is not refined.

II, about Win2K service

Win32 Services consists of three parts: Service Application, Service Control Program (SCP), and Service Control Manager (SCM).

First, the Service Control Manager

The Service Control Manager is started when the system boots. It is part of the Windows system and is a remote procedure call (RPC) server. It is also the core of the Windows service system.

The SCM is mainly responsible for the following:

· Maintaining the database of installed services

· Starting services and driver services at system startup or on demand

· Enumerating installed services and drivers

· Maintaining the status of running services and drivers

· Transmitting control requests to running services

· Locking and unlocking the service database

The SCM maintains the service database in the registry, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. The subkeys of this key are the installed services and driver services. The name of each subkey is the service name, which the installing program specifies through the CreateService function when the service is installed.

The initial database is created when the system is installed. It contains the device drivers needed at system startup. The information stored for each service and driver in the database includes:

· Service type. Whether the service executes in its own process or shares a process with other services, or whether it is a kernel driver or a file system driver.

· Start type. Whether the service or driver service is started automatically at system startup, or is started by the SCM when it receives a control request. The start type also indicates whether the service is disabled.

· Error control level. Indicates how the error is handled if the service or driver service fails to start.

· The full path to the executable file.

· Additional dependency information that determines the correct startup order. For services, this includes the services that the SCM must start before this service, and the name of the load order group in which the service is started. For driver services, this includes the drivers that must be started before this driver.

· For services, an additional account name and password. If no account is specified, the service uses the LocalSystem account.

· For drivers, an additional driver object name that the I/O system uses to load the device driver. If no name is given, the I/O system creates a default name based on the driver service name.

Second, the service control program

The service control program (SCP) is the functional block that controls a service application, and the bridge between the service application and the Service Control Manager (SCM). A service control program can perform these actions:

· Start a service, if the service's start type is SERVICE_DEMAND_START

· Send control requests to a running service

· Query the current status of a running service

These actions require an open handle to the service object.

· Service startup

To start a service, the service control program uses the StartService function. If the database is locked, StartService fails. In that case the service control program needs to wait and call StartService again. The lock status of the service database can be queried through QueryServiceLockStatus.

When the service control program starts a service, it can pass parameters to the service's ServiceMain function through StartService. StartService returns after a new thread has been created to execute ServiceMain. The service control program can then query the status of the service with the QueryServiceStatus function. During initialization, dwCurrentState in the SERVICE_STATUS structure should be SERVICE_START_PENDING, and dwWaitHint is a time interval in milliseconds that tells the service control program how long to wait before calling QueryServiceStatus again. When initialization is complete, the service changes dwCurrentState to SERVICE_RUNNING.

If the service does not update its status within 80 seconds, the Service Control Manager decides that the service has stopped responding, records an event, and stops the service.

If the program is starting a driver service, StartService returns after the device driver has completed its initialization.

· Service control request

The service control program sends control requests to a running service through ControlService. This function specifies the control value that is passed to the HandlerEx function of the specified service. The control value can be a user-defined code, or one of the following basic control codes:

· Stop the service: SERVICE_CONTROL_STOP

· Pause the service: SERVICE_CONTROL_PAUSE

· Resume a paused service: SERVICE_CONTROL_CONTINUE

· Ask the service to report updated status information: SERVICE_CONTROL_INTERROGATE

Each service specifies the control values it accepts and processes. To determine which basic control values a service accepts, use the QueryServiceStatus function, or call ControlService with SERVICE_CONTROL_INTERROGATE. The dwControlsAccepted member of the returned SERVICE_STATUS structure indicates whether the service can be stopped, paused and resumed. All services accept SERVICE_CONTROL_INTERROGATE.

The QueryServiceStatus function returns the most recent status recorded for the specified service, without getting an updated status from the service itself. Calling ControlService with the SERVICE_CONTROL_INTERROGATE control code ensures that the status information is current.

Third, the service application

A service application is the main program of a service: executable code for one or more services. It is explained in detail in the section on service programming.

III, service launch and closing basic procedure

When the system starts, the SCM starts all auto-start services and the services they depend on. If an auto-start service depends on a demand-start service, the demand-start service is also started automatically. The load order of services is determined by the following:

1. The order of the groups

2. The load order within a group

3. The dependencies of each service

When startup is complete, the system runs the boot verification program (specified by the BootVerificationProgram value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control in the registry; by default this value is not set). When the first user has logged on, the system simply reports that the boot was successful. You can supply your own boot verification program that checks the system for problems and reports the boot status to the SCM with the NotifyBootConfigStatus function.

After a successful boot, the system saves a clone of the database as the Last-Known-Good (LKG) configuration. If the database currently in use causes the system to fail to start, the backup can be used to recover. The backup database is saved at:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX\Services

The XXX value is saved at:

HKEY_LOCAL_MACHINE\SYSTEM\Select\LastKnownGood

If a SERVICE_ERROR_CRITICAL error occurs while an auto-start service is starting, the SCM restarts the machine using the LKG configuration. If the LKG configuration is already in use, the startup fails.

The ErrorControl value of a service in the registry tells the SCM how to handle a startup error in that service. If the value is SERVICE_ERROR_IGNORE (0) or is not specified, the SCM ignores the error and continues starting services. If it is SERVICE_ERROR_NORMAL (1), the cause of the error is recorded in the event log. If it is SERVICE_ERROR_SEVERE (2) or SERVICE_ERROR_CRITICAL (3) and the service reports a startup error, the SCM records an event log entry and calls the function ScRevertToLastKnownGood, which switches the system registry configuration to the LKG version and then calls NtShutdownSystem to restart the system. If the system is already using the LKG version, it restarts directly.

How the LKG version is produced: after the startup phase the SCM has to decide whether this configuration counts as good. By default, a successful boot consists of all auto-start services starting successfully and one user logging on. If a SERVICE_ERROR_SEVERE (2) or SERVICE_ERROR_CRITICAL (3) error occurs while services are being started, the boot has failed. If the SCM finishes starting the services successfully, Winlogon calls the NotifyBootConfigStatus function when a user logs on, which sends a message to the SCM. Once all services have started successfully and the NotifyBootConfigStatus logon message has been received, the SCM calls NtInitializeRegistry to save the current boot configuration.

A third party can replace Winlogon's confirmation with its own definition of a successful boot. The program is specified in the registry under HKLM\SYSTEM\CurrentControlSet\Control\BootVerificationProgram. A boot verification program disables Winlogon's call to NotifyBootConfigStatus by setting HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ReportBootOk to 0. In this way, after the SCM has started the services, it waits for the verification program to call NotifyBootConfigStatus to report success, and then saves the LKG configuration.

The executable file of the SCM is \WINNT\System32\Services.exe, which runs as a console program. The Winlogon process starts the SCM early in system startup. SvcCtrlMain runs shortly after the screen goes blank, before Winlogon loads the graphical identification and authentication component (GINA) that displays the logon interface.

SvcCtrlMain first creates a synchronization event named SvcCtrlEvent_A3752DX, initialized as nonsignaled. After the SCM has completed the steps needed to accept commands from SCPs, it sets this event to the signaled state. An SCP connects to the SCM through the OpenSCManager function, which waits for SvcCtrlEvent_A3752DX to become signaled. This prevents an SCP from contacting the SCM before SCM initialization is complete.

SvcCtrlMain then calls the ScCreateServiceDB function to build the SCM service database. It first reads the registry value HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List, which lists the service group names and their startup order, and then scans the contents of HKLM\SYSTEM\CurrentControlSet\Services, creating an entry in the service database for each subkey. The database contains both services and device drivers, and drivers are flagged as boot-start or system-start where that applies. All drivers marked as boot-start or system-start are loaded before the SCM starts, because the I/O Manager loads them before any user-mode process executes. ScCreateServiceDB reads the Group value of each service to determine which group the service belongs to and associates it with the group list built earlier. The function also looks up the service's dependencies on groups and services through DependOnGroup and DependOnService.

When starting services, the SCM may need to call LSASS, so the SCM waits on the LSA_RPC_SERVER_ACTIVE synchronization event, which LSASS signals at the end of its initialization. Winlogon also starts the LSASS process. LSASS and the SCM initialize in parallel, and the order in which they finish is not fixed. SvcCtrlMain then calls ScGetBootAndSystemDriverState, which scans the service database for boot-start and system-start device drivers. It determines whether a driver started successfully by looking up its name in the Object Manager namespace directory \Driver. When a device driver loads successfully, the I/O Manager inserts the driver object into that namespace.

If a driver is not loaded, the SCM looks for its name in the list of drivers returned by the PnP_DeviceList function. SvcCtrlMain records the names of drivers that did not start and that are part of the current configuration profile in the ScFailedDrivers list.

Before starting the auto-start services, the SCM creates the remote procedure call pipe \Pipe\Ntsvcs, creates a thread to listen for SCP messages, and then signals its initialization-complete event SvcCtrlEvent_A3752DX. The SCM prepares for system shutdown by registering a console application shutdown event handler and by registering with the Win32 subsystem through RegisterServicesProcess.

SvcCtrlMain calls ScAutoStartServices to start the auto-start services. The algorithm works in phases, and each phase corresponds to one service group.

At the start of a phase, ScAutoStartServices marks all the services that belong to the group, then loops over the marked services and checks whether each one can be started. The check includes the service's group dependencies. If the service depends on a group, that group must already have finished initializing and at least one service in it must have started successfully. If the service depends on a group that comes after the service's own group, the SCM records a circular dependency error for the service. For a service (not a driver), the SCM also checks the services it depends on and whether they have started. In the same way, it records a circular dependency error and does not start the service. If the service depends on a service in the same group that has not yet started, the service is skipped in this pass.

After the dependency checks pass, ScAutoStartServices checks whether the service is part of the current boot configuration before starting it. For a safe mode boot, for example, the services and drivers to start are listed under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot, divided into a minimal configuration and a configuration with network support.

When the SCM has decided to start a service, it calls the ScStartService function. When ScStartService starts a Win32 service, it reads the ImagePath value from the service's registry key to determine the file that runs the service process, and then checks whether the service type is SERVICE_WIN32_SHARE_PROCESS. The SCM makes sure that the service process logs on with the account specified for the service; the service's registry key contains the account information. The SCM then calls ScLogonAndStartImage to start the service process. If the account is not the local system account, an LSASS function is used to log on to the account: the SCM calls LsaLogonUser and specifies the service logon type. LSASS finds the password in the registry under SECURITY, in the _SC_ entry under Secrets. After a successful logon, LsaLogonUser returns to the caller an access token handle that represents the user's security privileges.

After a successful logon, if the account's profile is not already loaded, the SCM calls the LoadUserProfile function to load it. For interactive services, WinSta0 must be opened.

If the service process has not yet been started, ScLogonAndStartImage goes on to start it. The SCM uses the CreateProcessAsUser function to create the process in a suspended state, then creates a named pipe to communicate with the service process: \Pipe\Net\NtControlPipeX (X is incremented for each new pipe). The SCM resumes the service process with ResumeThread and waits for the service to connect to the SCM pipe. The registry value HKLM\SYSTEM\CurrentControlSet\Control\ServicesPipeTimeout determines how long the SCM waits. The default is 30 seconds.

If the service connects to the SCM, the SCM sends the start command to the service. If the service does not respond to the start command within the timeout, the SCM gives up, starts the next service, and records the error in the system log.

ScAutoStartServices keeps looping over the services in a group until every service has either started or produced a dependency error. The looping orders the services within a group according to their dependencies: the SCM starts the services that other services depend on in earlier passes. After the SCM has finished all the service groups in the list, it processes the services that belong to groups not named in the list, and finally the services that do not belong to any group.

When the system starts to shut down, the Win32 ExitWindowsEx function sends a message to the system process CSRSS, which invokes the CSRSS shutdown routine. CSRSS walks through the active processes and notifies them that the system is shutting down. For each system process other than the SCM, CSRSS waits for the process to exit before moving on to the next one. The waiting time is given by:

HKLM\.DEFAULT\Control Panel\Desktop\WaitToKillAppTimeout, 20 seconds by default.

When CSRSS reaches the SCM process, it notifies the SCM that the system is shutting down and waits for a timeout specific to the SCM. During system initialization, the SCM registers its process ID with CSRSS through the RegisterServicesProcess function, and CSRSS recognizes the SCM by that process ID. The timeout value for the SCM is:

HKLM\SYSTEM\CurrentControlSet\Control\WaitToKillServiceTimeout, 20 seconds by default.

The SCM's shutdown handler sends shutdown notifications to the services that asked for shutdown notification. The SCM function ScShutdownAllServices walks the SCM database, finds the services that requested shutdown notification, and sends them the notification while recording their wait hints. After sending the notifications, the SCM waits for the notified services to exit or for the wait to time out. If the wait times out and services have not exited, the SCM checks whether one or more of the services it is waiting for has sent it a message reporting that the service is making progress in its shutdown. If at least one service has made progress, the SCM waits once more for the wait-hint period. The SCM continues this wait loop until all services have exited, or until no progress message arrives from any service within the wait period.

While the SCM is notifying services of the shutdown and waiting for them to exit, CSRSS is waiting for the SCM to exit. If the CSRSS wait times out and the SCM has not exited, CSRSS continues the shutdown process. Services that do not shut down within the allotted time are therefore simply left running, together with the SCM, as the system shuts down.

IV, service programming

A service program is executable code for one or more services. A service program created with the type SERVICE_WIN32_OWN_PROCESS contains the code for only one service. It can be configured to run in the context of an account in the local, primary, or trusted domain. A service program of type SERVICE_WIN32_SHARE_PROCESS can contain the code for multiple services.

A service must contain a main function, a ServiceMain function, and a control handler function.

· Main function

A service is usually a console program whose entry point is the main function. The main function gets its arguments from the ImagePath value of the service's registry key. When the SCM starts a service program, it waits for the program to call the StartServiceCtrlDispatcher function. The rules are:

· A service of type SERVICE_WIN32_OWN_PROCESS calls the StartServiceCtrlDispatcher function from its main thread. It can perform all of its initialization after the service has started.

· For a service of type SERVICE_WIN32_SHARE_PROCESS, initialization that is common to all services in the program can be done in the main thread before StartServiceCtrlDispatcher is called, provided it takes less than 30 seconds. Otherwise, another thread must be created to do the common initialization while the main thread calls StartServiceCtrlDispatcher. Initialization specific to each service can be done in its ServiceMain function.

The StartServiceCtrlDispatcher function takes a SERVICE_TABLE_ENTRY structure for each service in the process. Each structure specifies the name of a service and its entry point. If the call to StartServiceCtrlDispatcher succeeds, the calling thread does not return until all running services in the process have terminated. The SCM sends control requests to this thread through a named pipe. The thread acts as a dispatcher and performs the following tasks:

· When a new service starts, it creates a new thread to call the appropriate entry point

· It calls the appropriate handler function to process service control requests

When the SCM starts a service process, the process calls the StartServiceCtrlDispatcher function, which accepts a list of service entry points, or a single entry point for a single-service process. Each entry point is identified by the name of the service it corresponds to. After establishing a named pipe for communication with the SCM, the function sits in a loop waiting for SCM commands from the pipe. The SCM sends a service start command each time it starts a service. For each start command it receives, StartServiceCtrlDispatcher creates a service thread that calls the service's entry point and runs the service's command loop. StartServiceCtrlDispatcher waits indefinitely for commands from the SCM. Only when all of the process's service threads have stopped does it return control to the process's main function, so that the process can clean up its resources before exiting.

· ServiceMain function

The ServiceMain function is the entry point of the service.

When a service control program requests that a new service be started, the SCM starts the service and sends a start request to the dispatcher. The dispatcher creates a new thread to execute the service's ServiceMain function. The ServiceMain function performs the following tasks:

· It calls the RegisterServiceCtrlHandlerEx function to register the handler for the service's control requests. The return value is the status handle of the service, which is used to notify the SCM of the service's status.

· It performs initialization. If the initialization code runs for a very short time (less than 1 second), initialization can be done directly in the ServiceMain function. If initialization takes longer than 1 second, the service calls the SetServiceStatus function, specifying the SERVICE_START_PENDING service state and a wait hint in the SERVICE_STATUS structure. While initialization continues, the service should call SetServiceStatus to report progress.

· When initialization is complete, it calls SetServiceStatus with the service state in the SERVICE_STATUS structure set to SERVICE_RUNNING.

· It performs the service's tasks or, if there are no pending tasks, returns. Every change of status is reported by calling SetServiceStatus.

· If an error occurs while the service is initializing or running, the service should call SetServiceStatus and specify the SERVICE_STOP_PENDING state if cleanup will take a long time. Once cleanup is complete, the last thread to terminate calls SetServiceStatus and specifies the SERVICE_STOPPED state. Be sure to set dwServiceSpecificExitCode and dwWin32ExitCode in the SERVICE_STATUS structure to identify the error.

· Service control handler function

Each service has a control handler, the HandlerEx function. It is invoked by the control dispatcher when the service process receives a control request, so the function executes in the context of the control dispatcher. Whenever HandlerEx is called, the service must call the SetServiceStatus function to report its status to the SCM, whether or not the status has changed.

A service control program can send a control request with the ControlService function. All services must accept and process the SERVICE_CONTROL_INTERROGATE control code. Acceptance of other control codes can be enabled or disabled through SetServiceStatus. To receive the SERVICE_CONTROL_DEVICEEVENT control code, the service must call the RegisterDeviceNotification function. A service can also handle user-defined control codes. The control handler must return within 30 seconds, otherwise the SCM returns an error. If the service needs to do a lengthy task, it should create a new thread to do it and return. This prevents the service from tying up the control dispatcher.

When the user shuts down the system, all control handlers that have called SetServiceStatus with the SERVICE_ACCEPT_SHUTDOWN control code receive the SERVICE_CONTROL_SHUTDOWN control code. They are notified in the order in which they appear in the service database. By default, a service has about 20 seconds to complete its cleanup before the system shuts down. When that time is up, the system shutdown proceeds whether or not the service has finished. Note that if the system is left in the shutdown state (not restarted and not powered down), the service is still running.

If the service needs more time to clean up, it can send a STOP_PENDING status message together with a wait hint, so that the service controller knows how long to wait before reporting to the system that the services have shut down. In any case, there is a limit to how long the service controller will wait, which prevents a service from holding the system in the shutdown state. To change this limit, modify the WaitToKillServiceTimeout value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.

V, the security of the service

Services call for special care where security is concerned. Most services run as LocalSystem, a security level with more power than an administrator. A flaw in a service usually leads to a system crash, privilege escalation and so on, as with the NetDDE service issue. Services can also be run by the system before any account has logged on, which is also a popular approach. Many of the services that ship with the system are particular favourites: the Telnet service, the Task service, remote registry operation, the SNMP service, and so on.

Security problems with services come from the following areas:

1, problems in the service application itself

These security problems are caused by the service program itself. Because most services run under the LocalSystem account, such problems can usually be used to elevate privileges. Examples are the privilege escalation vulnerability in the NetDDE service, the privilege escalation vulnerability in the Telnet service, and remote overflows that allow an attacker to execute commands remotely with SYSTEM account privileges.

Some services are network services that listen on a TCP port, such as the Telnet service, and their vulnerabilities can be exploited remotely. Other services are purely local and cannot be used remotely: a local account is needed first, and privileges are then elevated.

2, service startup problem

In service management there are three start types: automatic, manual and disabled. Services set to manual or disabled are not started directly; they have to be started by hand when they are needed. That is the common understanding.

But there is a problem here. The manual and disabled settings do not completely prevent a service from running. A service set to either of them is still started automatically when an automatic service depends on it, as the SCM startup process described above shows. A disabled service can also be run manually.

The SC tool can delete a service, which completely removes the service from the system, but it needs to be used with caution.
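The phase ordering from section III, and the point made in item 2 that a manual service still runs when an automatic service depends on it, can be checked against a service inventory. The Python sketch below is an added example, not code from the original article or from Windows: the service and group names are constructed, only DependOnService (not DependOnGroup) is modelled, and a dependency on a disabled service is reported for review instead of being started.

```python
AUTO_START, DEMAND_START, DISABLED = 2, 3, 4   # values of the Start registry entry

def rank(name, services, group_order):
    """Phase in which a service is considered: groups named in the
    ServiceGroupOrder list first, then other groups, then no group."""
    group = services[name].get("Group")
    if group in group_order:
        return group_order.index(group)
    return len(group_order) + (0 if group else 1)

def pulled_in(services):
    """Demand-start services that an auto-start service depends on, transitively."""
    pulled = set()
    todo = [n for n, s in services.items() if s["Start"] == AUTO_START]
    while todo:
        for dep in services[todo.pop()].get("DependOnService", []):
            if dep in services and services[dep]["Start"] == DEMAND_START and dep not in pulled:
                pulled.add(dep)
                todo.append(dep)
    return pulled

def check(name, phase, services, group_order, order, errors):
    """Return an error string, "wait" if a dependency has not started yet, or None."""
    waiting = False
    for dep in services[name].get("DependOnService", []):
        if dep not in services:
            return f"missing dependency {dep}"
        if services[dep]["Start"] == DISABLED:
            return f"depends on disabled service {dep}"
        if rank(dep, services, group_order) > phase:
            return f"circular dependency on {dep}"   # dependency sits in a later group
        if dep in errors:
            return f"dependency {dep} failed"
        if dep not in order:
            waiting = True
    return "wait" if waiting else None

def plan_boot(services, group_order):
    """Return (start order, demand-start services pulled in, errors by service)."""
    pulled = pulled_in(services)
    wanted = {n for n, s in services.items() if s["Start"] == AUTO_START} | pulled
    order, errors = [], {}
    for phase in range(len(group_order) + 2):
        members = sorted(n for n in wanted if rank(n, services, group_order) == phase)
        progress = True
        while progress:                      # repeat until a pass changes nothing
            progress = False
            for name in members:
                if name in order or name in errors:
                    continue
                verdict = check(name, phase, services, group_order, order, errors)
                if verdict is None:
                    order.append(name)
                elif verdict != "wait":
                    errors[name] = verdict
                progress = progress or verdict != "wait"
        for name in members:                 # e.g. a real cycle inside one group
            if name not in order and name not in errors:
                errors[name] = "dependencies never started"
    return order, pulled, errors

# Constructed inventory: hypothetical service and group names.
GROUP_ORDER = ["Base", "Net"]
SERVICES = {
    "svc_rpc":    {"Start": AUTO_START,   "Group": "Base"},
    "svc_helper": {"Start": DEMAND_START, "Group": "Base"},
    "svc_early":  {"Start": AUTO_START,   "Group": "Base", "DependOnService": ["svc_web"]},
    "svc_web":    {"Start": AUTO_START,   "Group": "Net",
                   "DependOnService": ["svc_rpc", "svc_helper"]},
    "svc_agent":  {"Start": AUTO_START,   "DependOnService": ["svc_legacy"]},
    "svc_legacy": {"Start": DISABLED},
    "svc_manual": {"Start": DEMAND_START},
}

if __name__ == "__main__":
    order, pulled, errors = plan_boot(SERVICES, GROUP_ORDER)
    print("start order:", order)
    print("manual services started through a dependency:", sorted(pulled))
    for name, reason in errors.items():
        print("not started:", name, "-", reason)
```

The second result is the list to review when a service was set to manual in order to keep it from running.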

3, service account problem

Because running under the LocalSystem account draws so much attention to services, some security configuration guides recommend reducing the privileges a service runs with by running it under another account. The user name and password are specified through the CreateService function when the service is installed. The account can be changed with ChangeServiceConfig, and the user name of a service object can be read with QueryServiceConfig.

When the service is started, the SCM logs on with the service account. If the logon succeeds, the system generates an access token and gives it to the service process. The token is used in the service's later interactions with objects. For example, when a service tries to open a handle to a pipe, the system compares the service's token with the security descriptor of the pipe.

The service's registry key contains a value named ObjectName, which specifies the account the service runs as. If the service runs under another account, the registry key HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\_SC_(service name) stores the password hash of the account, which is exactly the same as the password hash of the account itself. There is more that can be done here. The SCM does not maintain the passwords of service user accounts. When the password is changed in the system, the SCM is not told to change the password. If the password expires or is changed, the logon fails and the service fails to start.

4, service management problem

Because services are so important to applications, many administrators find it hard to decide which services are needed and which can be stopped and disabled. The brief description of a service makes it hard to tell what work it actually does. There is also no authoritative guide to service management, and stopping the wrong service may stop some feature of the system from working.

Because service management is not easy, it is convenient for some Trojans to install themselves as services in order to confuse victims.

VI, service management

It is difficult to determine the true purpose of a service from its description. For example, Storage Groveler Services is described as: "Scans Single Instance Storage (SIS) volumes for duplicate files, and points duplicate files to one data storage point, conserving disk space." What it does not mention is that it is used only by Remote Installation Services (RIS). If you do not need RIS, you do not need this service.

To determine what a service really does, try the following:

* Check the more detailed descriptions in Microsoft TechNet's Windows 2000 Services (http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/prodspecs/win2ksvc.asp)

* Check the file description, by right-clicking the file and selecting the version information

* Check the dependencies of the service

* Check the ports the service opens

· How do I know which files a service uses?

To understand a service, you need to understand the files it uses. Typically, you can decide whether a service is needed by looking at the file it runs. The following batch file shows the file's dependencies. It uses the Windows Resource Kit tools reg.exe and depends.exe:

@rem svcdep.bat: list the modules that a service's executable depends on
@rem %1 is the short service name; reg.exe reads its ImagePath value
@set imagepath=
@for /f "tokens=3" %%a in ('reg query HKLM\SYSTEM\CurrentControlSet\Services\%1 /v ImagePath 2^>nul ^| find "ImagePath"') do @set imagepath=%%a
@if defined imagepath (
@echo Dependencies for %imagepath%:
@call depends /a0f1c /oc:~svcdep.tmp "%imagepath%"
@for /f "tokens=1 delims=, skip=1" %%b in ('type ~svcdep.tmp ^| findstr /b /c:"," ^| findstr /v /c:"?" ^| sort') do @echo %%b
@del ~svcdep.tmp 2>nul
) else (
@echo '%1' is not installed or is not a valid service
)

Save the above as svcdep.bat, then run it with the service name (short name) as its parameter. For example, to look at the Replication service, enter svcdep.bat NTFRS.

The output is:

Dependencies for %SystemRoot%\system32\ntfrs.exe:
"c:\winnt\system32\dbghelp.dll"
"c:\winnt\system32\dnsapi.dll"
"c:\winnt\system32\est.dll"
"c:\winnt\system32\gdi32.dll"
"c:\winnt\system32\kernel32.dll"
"c:\winnt\system32\msvcrt.dll"
"c:\winnt\system32\netapi32.dll"
"c:\winnt\system32\netrap.dll"
"c:\winnt\system32\NTDLL.DLL"
"c:\winnt\system32\NTDSAPI.DLL"
"c:\winnt\system32\NTFRS.EXE"
"c:\winnt\system32\rpcrt4.dll"
"c:\winnt\system32\samlib.dll"
"c:\winnt\system32\secur32.dll"
"c:\winnt\system32\User32.dll"
"c:\winnt\system32\wldap32.dll"
"c:\winnt\system32\ws2_32.dll"
"c:\winnt\system32\ws2help.dll"
"c:\winnt\system32\wsock32.dll"

From this you can see that it uses the DNS (dnsapi.dll), Winsock (ws*.dll) and Remote Procedure Call (rpcrt4.dll) libraries. This tells you not only what the service does, but also what it needs.

Nowadays a lot of software, especially security software, registers itself as services. Norton, for example, installs many services. Besides understanding what each service actually does, it is also very important to maintain a list of services. Checking the service list regularly and comparing it to see what has changed is a good idea. SC is a good tool, and there is also a similar program (including source code) on my home page www.opengram.com. To learn about the management of specific services, you can look on the Microsoft website, or go here:

http://www.plasma-online.de/index.html?content=http://www.plasma-online.de/english/HELP/Solutions/NT4_SERVICES.HTML
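One way to keep and compare such a service list is to export the Services key to text at intervals and diff the exports. The Python sketch below is an added example, not the author's tool: it assumes the export is in "Windows Registry Editor Version 5.00" format and already decoded to text, and the two snapshots, including the ExampleSvc entry, are constructed sample data.

```python
import re

SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
VALUE = re.compile(r'^"([^"]+)"=(.*)$')
WATCHED = ("ImagePath", "Start", "ObjectName")

def decode(raw):
    """Decode the value types that matter here: string, dword, REG_EXPAND_SZ."""
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])        # undo \\ and \" escapes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):                         # UTF-16LE byte list
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\0")
    return raw

def parse_services(reg_text):
    """Map service name -> {value name: value}; values in subkeys are ignored."""
    services, current = {}, None
    text = reg_text.replace("\r\n", "\n").replace("\\\n", "")  # join continuation lines
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = SERVICE_KEY.match(line)
            current = services.setdefault(m.group(1), {}) if m else None
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1)] = decode(m.group(2))
    return services

def diff_services(old, new):
    """List (service, finding, new value) tuples for everything that changed."""
    findings = []
    for name in sorted(new.keys() - old.keys()):
        svc = new[name]
        account = str(svc.get("ObjectName", "LocalSystem"))  # no account means LocalSystem
        risky = svc.get("Start") == 2 and account.lower() == "localsystem"
        findings.append((name, "new service, auto-start as LocalSystem" if risky
                         else "new service", svc.get("ImagePath")))
    for name in sorted(old.keys() - new.keys()):
        findings.append((name, "service removed", None))
    for name in sorted(old.keys() & new.keys()):
        for field in WATCHED:
            if old[name].get(field) != new[name].get(field):
                findings.append((name, f"{field} changed", new[name].get(field)))
    return findings

def expand_sz(s):
    """Write a string as a wrapped hex(2) value, as an export does (sample data only)."""
    b = [f"{x:02x}" for x in (s + "\0").encode("utf-16-le")]
    return "hex(2):" + ",\\\n  ".join(",".join(b[i:i + 20]) for i in range(0, len(b), 20))

# Constructed snapshots: not taken from a real system.
BASELINE = (r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs]
"ImagePath"=@NTFRS@
"Start"=dword:00000002
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"ImagePath"=@TLNT@
"Start"=dword:00000003
"ObjectName"="LocalSystem"
""".replace("@NTFRS@", expand_sz(r"%SystemRoot%\system32\ntfrs.exe"))
   .replace("@TLNT@", expand_sz(r"%SystemRoot%\system32\tlntsvr.exe")))

CURRENT = BASELINE.replace("dword:00000003", "dword:00000002") + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"ImagePath"="C:\\WINNT\\Temp\\example.exe"
"Start"=dword:00000002
"""

if __name__ == "__main__":
    for finding in diff_services(parse_services(BASELINE), parse_services(CURRENT)):
        print(finding)
```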

Disabling a service does not make it impossible to use. For the Telnet service, for example, the tool OpenTelnet that I wrote earlier can open it even when the service is disabled. To ban a service completely, it is best to delete it directly, or to replace the service application.

VII, end

Although so much has been said here, controlling services is really a basic requirement. Managing your own services well is therefore very important for an administrator's security.

(Finally finished this long piece of mixed copying, translation and long-winded boilerplate, shit.)
