Hi


Motivation

The security issue is older and known (Win NT, Win 2000, Win XP,
Win XP SP1, ~SP2), but anyway, my motivation is two-fold:

First, I wanted to look a bit closer at how to deal with the registry
using C/C++, because of this thread[1]. I wanted to apply this in
some security context:


Interactive Services[2].

Typically, services are console applications that are designed
to run unattended without a graphical user interface. However,
some services may require occasional interaction with a user.
This does lead to security implications, e.g. [3] (Note: that one is
older).


Current State

There are ways to restrict interactive services[4] on Windows 2000/XP
systems. In addition, SP2 partly rewrote services not to be interactive
anymore[5].


A simple (remote) scanner

This might not be the most clever way to scan for interactive services
(I could think of an "active" approach, like "Is the task scheduler there?",
or, more generally, what I will call here "IPC fingerprinting"), but I
wanted to apply some registry scans to something "useful".

All we need to know is given here[6].

The idea is simple: in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services,
I check the "Type" REG_DWORD (the ServiceType) assigned to each service. If it
matches the SERVICE_INTERACTIVE_PROCESS criterion, I print it out.
In addition, I check the "Start" value (the StartType) in order to determine
whether the service is configured to be started automatically or not.


Code:
#include <windows.h>
#include <stdio.h>

int main(void) {
	HKEY  phkResult;		// handle for main key (Services)
	HKEY  psubkey;			// handle for sub keys (under Services)
	DWORD subkey_Index;		// index of the subkey
	char Name[1024];		// buffer for subkey name
	DWORD cbName;			// size of Name; in/out parameter, reset before every RegEnumKeyEx
	FILETIME ftLastWriteTime;	// time key last written to

	DWORD Type;			// ServiceType
	DWORD Start;			// StartType
	DWORD cbDword;			// size of a REG_DWORD; in/out parameter, reset before every query

	char DisplayName[1024];		// DisplayName
	DWORD cbDisplayName;		// size of DisplayName; in/out parameter

	const char *StartType[5] = {"SERVICE_BOOT_START", "SERVICE_SYSTEM_START",
		"SERVICE_AUTO_START", "SERVICE_DEMAND_START", "SERVICE_DISABLED"};

// connect to local registry at key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
// (the explicit ...A variants keep this compiling whether or not UNICODE is defined)

	if( RegOpenKeyExA(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services",0,KEY_ENUMERATE_SUB_KEYS,&phkResult)
		!= ERROR_SUCCESS) return 1;	// return if not successful.

// enumerate all subkeys, which correspond to all installed services

	subkey_Index=0;
	for(;;){

// check for existing subkeys; RegEnumKeyEx overwrites cbName with the length of the name,
// so it has to be reset on every pass or a later, longer name fails with ERROR_MORE_DATA
		cbName = sizeof(Name);
		if( RegEnumKeyExA(phkResult, subkey_Index, Name, &cbName, 0, NULL, NULL, &ftLastWriteTime) != ERROR_SUCCESS) break;
		subkey_Index++;

// if there are still some, open the next subkey; one we are not allowed to open is skipped, not fatal
		if( RegOpenKeyExA(phkResult, Name, 0, KEY_QUERY_VALUE, &psubkey)!= ERROR_SUCCESS) continue;

// get the "Type" value: it is a bit field, so test the SERVICE_INTERACTIVE_PROCESS bit (0x100)
// with a bitwise &; a logical && would flag every service with a non-zero Type
		cbDword = sizeof(Type);
		if( RegQueryValueExA(psubkey, "Type", 0, NULL, (BYTE*)&Type, &cbDword) == ERROR_SUCCESS
			&& (Type & SERVICE_INTERACTIVE_PROCESS) ) {
			// gather information about this service; a service without a DisplayName
			// is reported under its key name instead of aborting the scan
			cbDisplayName = sizeof(DisplayName);
			if (RegQueryValueExA(psubkey, "DisplayName", 0, NULL, (BYTE*)DisplayName, &cbDisplayName)!= ERROR_SUCCESS)
				lstrcpynA(DisplayName, Name, sizeof(DisplayName));

			cbDword = sizeof(Start);
			if (RegQueryValueExA(psubkey, "Start", 0, NULL, (BYTE*)&Start, &cbDword)!= ERROR_SUCCESS || Start > 4)
				printf("%s\t%s\n","SERVICE_START_UNKNOWN",DisplayName);	// value missing or out of range
			else
				printf("%s\t%s\n",StartType[Start],DisplayName);
		}

		RegCloseKey(psubkey);
	} // for enumeration: break set within loop

// disconnect from local registry

	if( RegCloseKey(phkResult)!= ERROR_SUCCESS) return 1;	// return if not successfully disconnected
	return 0;
}
First remark: I added a small script kiddie protection to the code.
Second remark: I also have a version of a remote scanner, which works
if, if and if.

PM me, if you would like to have a compiled version and/or the remote
scanner.

Typical output:
Code:
SERVICE_DISABLED	NetMeeting Remote Desktop Sharing
SERVICE_DEMAND_START	Windows Installer
SERVICE_DEMAND_START	Network Connections
SERVICE_DEMAND_START	Protected Storage
SERVICE_DISABLED	Task Scheduler
SERVICE_DISABLED	Secondary Logon
SERVICE_AUTO_START	SmartLinkService
SERVICE_AUTO_START	Print Spooler
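
The logic of the scan, as an added example that is not part of the original post and not the poster's code: the Type and Start DWORDs are decoded without touching the registry, so it builds anywhere. The Win32 constants are the documented values, redefined here so that windows.h is not needed; the service table is constructed sample data in the shape of the output above, not a dump of a real machine. It also shows why the interactive check has to be a bitwise test: the logical `&&` variant is kept beside the correct one only to make the difference visible, and a count of interactive services that are also SERVICE_AUTO_START is added because those are the ones a reviewer wants to see first.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* "Type" bits and "Start" values as stored under
   HKLM\SYSTEM\CurrentControlSet\Services\<name> (documented Win32 values,
   redefined here so the example builds without windows.h). */
#define SERVICE_KERNEL_DRIVER        0x00000001
#define SERVICE_FILE_SYSTEM_DRIVER   0x00000002
#define SERVICE_WIN32_OWN_PROCESS    0x00000010
#define SERVICE_WIN32_SHARE_PROCESS  0x00000020
#define SERVICE_INTERACTIVE_PROCESS  0x00000100

#define SERVICE_BOOT_START   0
#define SERVICE_SYSTEM_START 1
#define SERVICE_AUTO_START   2
#define SERVICE_DEMAND_START 3
#define SERVICE_DISABLED     4

typedef struct {
    const char *key;          /* subkey name under Services */
    const char *display_name; /* "DisplayName" value, NULL if the value is absent */
    uint32_t    type;         /* "Type" REG_DWORD */
    uint32_t    start;        /* "Start" REG_DWORD */
} service_rec;

/* Correct test: "Type" is a bit field, so the interactive flag is a bitwise AND. */
int service_is_interactive(uint32_t type) {
    return (type & SERVICE_INTERACTIVE_PROCESS) != 0;
}

/* The wrong variant, kept only to show the difference: with a logical AND the
   right-hand constant is simply "true", so every non-zero Type matches. */
int service_is_interactive_wrong(uint32_t type) {
    return (type && SERVICE_INTERACTIVE_PROCESS) != 0;
}

/* Maps the "Start" value to its symbolic name; out-of-range values are reported
   instead of indexing past the table. */
const char *start_type_name(uint32_t start) {
    static const char *names[] = { "SERVICE_BOOT_START", "SERVICE_SYSTEM_START",
        "SERVICE_AUTO_START", "SERVICE_DEMAND_START", "SERVICE_DISABLED" };
    return start < 5 ? names[start] : "SERVICE_START_UNKNOWN";
}

/* Walks the table, prints interactive services in the scanner's output format
   and returns how many were found; *auto_count receives how many of those are
   SERVICE_AUTO_START, i.e. interactive from boot without anyone starting them. */
int scan_services(const service_rec *recs, int n, int *auto_count) {
    int found = 0;
    if (auto_count) *auto_count = 0;
    for (int i = 0; i < n; i++) {
        if (!service_is_interactive(recs[i].type)) continue;
        found++;
        if (auto_count && recs[i].start == SERVICE_AUTO_START) (*auto_count)++;
        /* a service without DisplayName is reported under its key name */
        printf("%s\t%s\n", start_type_name(recs[i].start),
               recs[i].display_name ? recs[i].display_name : recs[i].key);
    }
    return found;
}

/* Constructed sample values (hypothetical, not a dump of a real machine):
   four interactive Win32 services, one non-interactive service, two drivers. */
const service_rec sample_services[] = {
    { "mnmsrvc",   "NetMeeting Remote Desktop Sharing", 0x110, SERVICE_DISABLED },
    { "MSIServer", "Windows Installer",                 0x110, SERVICE_DEMAND_START },
    { "Schedule",  "Task Scheduler",                    0x120, SERVICE_DISABLED },
    { "Spooler",   "Print Spooler",                     0x110, SERVICE_AUTO_START },
    { "Dhcp",      "DHCP Client",                       0x020, SERVICE_AUTO_START },
    { "atapi",     NULL,                                0x001, SERVICE_BOOT_START },
    { "Ntfs",      NULL,                                0x002, SERVICE_DISABLED },
};
const int sample_count = (int)(sizeof(sample_services) / sizeof(sample_services[0]));

int main(void) {
    int autos = 0;
    int n = scan_services(sample_services, sample_count, &autos);
    printf("%d interactive service(s), %d of them SERVICE_AUTO_START\n", n, autos);
    return 0;
}
```

Run as is, it prints the four interactive entries in the same two-column format as the scanner and the summary line; replacing `service_is_interactive` with the `_wrong` variant in `scan_services` makes all seven rows appear, including the two drivers, which is the symptom to look for when a scan reports far more interactive services than expected.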

Some questions

How relevant do you think security issues related to interactive
services (..., Task Scheduler, ...) are on different platforms?
Do you know of scanners that are based on different methods than the one
I presented?
Do you think this particular scanner presented here has any use?


Cheers



[1] http://www.antionline.com/showthread...&postid=827016
[2] http://msdn.microsoft.com/library/de...e_services.asp
[3] http://msdn.microsoft.com/library/de...re08192002.asp
[4] http://www.winguides.com/registry/display.php/1132
[5] http://www.microsoft.com/technet/pro.../sp2maint.mspx
[6] http://msdn.microsoft.com/library/de...cification.asp