Sc.exe is a helpful command-line tool to view, modify, and control services. Located in %Windir%\System32, Sc.exe can work on local and remote services, return the results for one service, or extract information on all active services. It is often used to stop and start services, but it can do so much more than that. Here is an example of Sc.exe's output when typed alone to get the syntax:
    C:\>sc
    DESCRIPTION:
            SC is a command line program used for communicating with the
            NT Service Controller and services.
    USAGE:
            sc <server> [command] [service name] <option1> <option2>...

            The option <server> has the form "\\ServerName"
            Further help on commands can be obtained by typing: "sc [command]"
            Commands:
              query-----------Queries the status for a service, or
                              enumerates the status for types of services.
              queryex---------Queries the extended status for a service, or
                              enumerates the status for types of services.
              start-----------Starts a service.
              pause-----------Sends a PAUSE control request to a service.
              interrogate-----Sends an INTERROGATE control request to a service.
              continue--------Sends a CONTINUE control request to a service.
              stop------------Sends a STOP request to a service.
              config----------Changes the configuration of a service (persistant).
              description-----Changes the description of a service.
              failure---------Changes the actions taken by a service upon failure.
              qc--------------Queries the configuration information for a service.
              qdescription----Queries the description for a service.
              qfailure--------Queries the actions taken by a service upon failure.
              delete----------Deletes a service (from the registry).
              create----------Creates a service. (adds it to the registry).
              control---------Sends a control to a service.
              sdshow----------Displays a service's security descriptor.
              sdset-----------Sets a service's security descriptor.
              GetDisplayName--Gets the DisplayName for a service.
              GetKeyName------Gets the ServiceKeyName for a service.
              EnumDepend------Enumerates Service Dependencies.

            The following commands don't require a service name:
            sc <server> <command> <option>
              boot------------(ok | bad) Indicates whether the last boot should
                              be saved as the last-known-good boot configuration
              Lock------------Locks the Service Database
              QueryLock-------Queries the LockStatus for the SCManager Database
For example, I can type SC \\10.1.1.20 queryex to query all services. Here's a sample of that output from one service (although the command extracts similar data on all active services):
    SERVICE_NAME: RpcSs
    DISPLAY_NAME: Remote Procedure Call (RPC)
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 4  RUNNING
                                    (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 1676
            FLAGS              :
This indicates the state (i.e., Running), Service Name, Display Name, PID, whether or not a user or admin can stop or pause it, and other valuable information of interest to programs.
SC qc Rpcss can be typed to get information on the RPC service, resulting in output similar to this:
    [SC] GetServiceConfig SUCCESS

    SERVICE_NAME: rpcss
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost -k rpcss
            LOAD_ORDER_GROUP   : COM Infrastructure
            TAG                : 0
            DISPLAY_NAME       : Remote Procedure Call (RPC)
            DEPENDENCIES       :
            SERVICE_START_NAME : NT Authority\NetworkService
This time, it returns the Service Name, Display Name, Service Account, Dependencies, Startup Type, and Execution Path and command-line switches. SC is useful in a variety of situations.
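The sc queryex and sc qc listings above share one KEY : VALUE layout, so a single parser can turn either into records for inventory or review. This is an added example, not code from the original text; it is written in Python, the function names are hypothetical, and the ExampleSvc record is constructed sample data.

```python
import re

# Constructed sample in the layout `sc queryex` prints. The RpcSs values come
# from the listing above; ExampleSvc is made up for contrast.
SAMPLE_QUERYEX = """\
SERVICE_NAME: RpcSs
DISPLAY_NAME: Remote Procedure Call (RPC)
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        PID                : 1676
        FLAGS              :

SERVICE_NAME: ExampleSvc
DISPLAY_NAME: Example Service (constructed)
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        PID                : 2040
        FLAGS              :
"""

# A field line is an upper-case key, a colon, then an optional value.
FIELD = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s?(.*)$")

def parse_sc_records(text):
    """Split sc query/queryex/qc output into one dict per service."""
    records, current, last_key = [], None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "SERVICE_NAME":        # each record starts here
                current = {}
                records.append(current)
            if current is not None:
                current[key] = value
                last_key = key
        elif line.strip() and current is not None and last_key:
            # Continuation line, e.g. the "(NOT_STOPPABLE,...)" part of STATE.
            current[last_key] += " " + line.strip()
    return records

def not_stoppable(records):
    """Names of running services that do not accept a STOP control."""
    return [r["SERVICE_NAME"] for r in records
            if "RUNNING" in r.get("STATE", "") and "NOT_STOPPABLE" in r["STATE"]]
```

Banner lines such as "[SC] GetServiceConfig SUCCESS" are skipped because they appear before the first SERVICE_NAME field.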
Like Svchost.exe, RPC services need a bit more explaining. Many services are considered RPC services. An RPC service or program loads itself at a (usually) randomly selected TCP/IP port above 1023. The RPC Endpoint Mapper program running on port 135 gets requests from RPC programs, assigns an available port to the requesting service or program for the duration of the session, and records the assignment. When a remote computer wants to talk to an RPC service, it first contacts the RPC Endpoint Mapper on port 135, queries the mapper to find out where the service it is looking for is located, gets its answer, and then connects to the other service.
You can use a variety of tools to enumerate the RPC services as well, including SecurityFriday's RPCScan (www.securityfriday.com/tools/RpcScan.html), Bindview's RPCTools (www.bindview.com/Services/RAZOR/Utilities/Windows/rpctools1.0-readme.cfm), and Microsoft's RPCDump (www.microsoft.com/windows2000/techinfo/reskit/tools/existing/rpcdump-o.asp). Unfortunately, none of these tools work with XP Pro Service Pack 2 or Windows Server 2003 Service Pack 1.
RPC Services are mentioned in this chapter to explain the appearance of many TCP and UDP ports just above 1023 on most Windows machines. Windows starts the RPC services, and the ports can be viewed using Netstat -an. For example, if you use Outlook to connect to Microsoft Exchange, they use RPC connections to communicate. Many administrators mistakenly believe that Outlook uses SMTP or POP3 protocols to talk to Exchange. Instead, whenever Exchange needs to talk to Outlook (e.g., maybe to report on a newly arrived message), Exchange contacts the Endpoint Mapper, obtains Outlook's RPC port, and then directly connects to Outlook.