A Windows service is a particular kind of process that runs in a separate session (session ≠ logon session), without user interaction, and is usually started automatically when the computer boots. Services run in session 0. Services are used to start and manage core Windows functionality such as Windows Defender, Windows Firewall, Windows Update and more.
Third party applications may also install a Windows Service to manage how and when they're run.
You can see the services installed on a machine by:
- opening services.msc
- using the sc command line tool
- using the Get-Service PowerShell command
- using wmic: wmic service get name,pathname,state,startname

Properties of services
A service has several properties that we may want to pay attention to:
- BinaryPath: This is the path where the actual executable (.exe) for the service is located. Windows services are often in C:\Windows\system32, and third party ones in C:\Program Files or C:\Program Files (x86).
- Startup Type: This dictates when the service should start.
  - Automatic: The service starts immediately on boot.
  - Automatic (Delayed Start): The service waits a short amount of time after boot before starting (mostly a legacy option to help the desktop load faster).
  - Manual: The service will only start when specifically asked.
  - Disabled: The service is disabled and won't run.
- Service Status: This is the current status of the service.
  - Running: The service is running.
  - Stopped: The service is not running.
  - StartPending: The service has been asked to start and is executing its startup procedure.
  - StopPending: The service has been asked to stop and is executing its shutdown procedure.
- Log On As: The user account that the service is configured to run as. This could be a domain or local account. It's very common for services to run as highly privileged accounts, even domain admins, or as local system, which is why services are an attractive target for both local and domain privilege escalation.
- Dependents & Dependencies: The services that the current service depends on to run, and the other services that depend on this service to run. This information is mainly important for understanding the potential impact of manipulating the service.
- Permissions: Like files and folders, the services themselves (not just the .exe) have permissions assigned to them. These control which users can modify, start or stop the service. Some highly sensitive services such as Windows Defender cannot be stopped, even by administrators. Other services may have much weaker permissions that allow standard users to modify them for privilege escalation.
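To put these properties to use, here is an added audit script (not code from the original page) that lists each service's BinaryPath, startup type, status and Log On As account from Win32_Service and flags two conditions a defender would want to review: privileged services whose executable sits outside the usual system directories, and services whose own DACL (read with sc sdshow) grants change-config, delete, WRITE_DAC or WRITE_OWNER rights to broad groups such as Users or Authenticated Users. It assumes PowerShell 5.1+ on Windows; the protected-path prefixes, the privileged-account list and the broad-principal list are illustrative assumptions.

```powershell
# Added audit example, not from the original page. Assumes PowerShell 5.1+ on Windows;
# run elevated for complete results. Path prefixes and principal lists are illustrative.
$protectedPrefixes  = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
$privilegedAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')
# SDDL aliases/SIDs for broad principals: BU/S-1-5-32-545 Users, AU/S-1-5-11
# Authenticated Users, WD/S-1-1-0 Everyone, IU/S-1-5-4 Interactive.
$broadPrincipals = '^(BU|AU|WD|IU|S-1-5-32-545|S-1-5-11|S-1-1-0|S-1-5-4)$'
# Service-object rights that let a principal change or take over the service:
# DC=SERVICE_CHANGE_CONFIG, SD=DELETE, WD=WRITE_DAC, WO=WRITE_OWNER, GA=GENERIC_ALL
$modifyRights = 'DC', 'SD', 'WD', 'WO', 'GA'
$modifyMask   = 0x100D0002   # the same rights expressed as a hex access mask

function Get-ServiceBinaryPath([string]$PathName) {
    # BinaryPath may carry quotes and arguments; keep only the executable.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-WeakServiceDacl([string]$Name) {
    # sc.exe sdshow prints the security descriptor of the service object itself
    # (the permissions the text describes, distinct from the ACL on the .exe).
    $sddl = (& sc.exe sdshow $Name 2>$null) -join ''
    if (-not $sddl) { return $false }
    $dacl = ($sddl -split 'S:')[0]                     # drop the SACL part, if any
    foreach ($ace in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $p = $ace.Groups[1].Value -split ';'            # type;flags;rights;;;principal
        if ($p.Count -lt 6 -or $p[0] -ne 'A' -or $p[5] -notmatch $broadPrincipals) { continue }
        if ($p[2] -like '0x*') { if (([int64]$p[2] -band $modifyMask) -ne 0) { return $true }; continue }
        $codes = [regex]::Matches($p[2], '..') | ForEach-Object { $_.Value }   # two-letter right codes
        if ($codes | Where-Object { $_ -in $modifyRights }) { return $true }
    }
    return $false
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceBinaryPath $svc.PathName
    $inProtected = $protectedPrefixes | Where-Object { $exe -like "$_*" }
    $flags = @()
    if ($svc.StartName -in $privilegedAccounts -and -not $inProtected) { $flags += 'SYSTEM outside protected dir' }
    if (Test-WeakServiceDacl $svc.Name) { $flags += 'broad principal can modify service' }
    [pscustomobject]@{
        Name      = $svc.Name
        StartMode = $svc.StartMode    # Auto / Manual / Disabled
        State     = $svc.State        # Running / Stopped / Start Pending / Stop Pending
        LogOnAs   = $svc.StartName
        Path      = $exe
        Flags     = $flags -join '; '
    }
} | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Remove the final Where-Object to get the full inventory of every service with its properties; the flagged rows are the ones whose binary location or DACL deserves a permissions review.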
After a service has been manipulated to trigger a privilege escalation, it needs to be restarted (or started if it's already stopped). There will be cases where this can be done with the management tools, if you have the required permissions. Other times, you'll need to rely on a reboot.