Help with service relevance

Hello,

I’ve been trying for days to write a relevance that will show me whether users XY and XYZ have write access to any Windows service. Has anyone done any tests or successfully executed something identical?

Sorry for the translator, I don’t speak English.

Thanks

Do you mean to check whether a user account has write permission to modify a service entry? Write permissions to the registry key "HKLM\SYSTEM\CurrentControlSet\Services\[servicename]" ?

Hi Jason,
Thanks for the feedback,
You need to check whether the folder or file the service runs from grants write access to users xy and xyz.

Example C:\Rafae\Rafael.exe

If XY has permission to write to the folder or the service, the condition would be true.

This is…a very complex problem.

The first issue is even finding the path to the service executable. Here are just a few sample entries from my system.

q: (service name of it, image path of it) of services
A: AJRouter, C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
A: AppVClient, C:\Windows\system32\AppVClient.exe
A: BalloonService, "C:\Program Files\Virtio-Win\Balloon\blnsvr.exe"
A: BESRootServer, "C:\BES\Server\BESRootServer.exe"
A: edgeupdate, "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc

These ‘image path’ values have several formats:

  • Path to executable, space, command-line parameters to the executable
  • Path to executable with no spaces
  • Quoted path to executable with spaces
  • Quoted path to executable without spaces
  • Quoted path to executable with spaces, followed by a space and command-line parameters

For each of these, we need to find the real path to the file. Here we could use a large ‘if-then-else’ statement, but instead I will use the pipe operator |. If the term on the left produces an error, the term on the right is substituted. I will start with a regular expression match: if the ‘image path’ starts with double quotes, this matches everything up to the first closing double quote. If there is no match (the image path is not quoted), this produces an error, so I use the pipe operator to substitute the ‘image path’ value up to the first space. If there is no space in the image path, that also produces an error, and finally I use the pipe operator again to substitute the whole image path value (which is not quoted and does not contain spaces):

q: (service name of it, (parenthesized part 1 of match(regex("^%22([^%22]+)%22")) of image path of it | preceding text of first " " of image path of it | image path of it)) of services
A: AJRouter, C:\Windows\system32\svchost.exe
A: AppVClient, C:\Windows\system32\AppVClient.exe
A: BalloonService, C:\Program Files\Virtio-Win\Balloon\blnsvr.exe
A: BESRootServer, C:\BES\Server\BESRootServer.exe
A: edgeupdate, C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Now, we can reference those files using these paths. Be sure to use the ‘native file’ inspector, not the ‘file’ inspector, which might be confused by 32-bit redirection:

q: pathnames of native files ( ((parenthesized part 1 of match(regex("^%22([^%22]+)%22")) of image path of it | preceding text of first " " of image path of it | image path of it)) of services)
A: C:\Windows\system32\svchost.exe
A: C:\Windows\system32\AppVClient.exe
A: C:\Program Files\Virtio-Win\Balloon\blnsvr.exe

Now that we can get a reference to the service files, the second problem is determining the permissions on those files. Finding whether a given user has write permission to the file means examining the file’s permissions, finding the user and group permissions entries, and then retrieving the group memberships (including nested groups) for the user.

BigFix provides an ‘effective write permission’ inspector, but I ask you do not use effective write permission. Ever. In any case. The ‘effective write permission’ inspector does what Windows Explorer would do when you right-click a file and retrieve the effective permissions. It loads the permissions on the file, then expands every group with permissions and determines those groups’ memberships, including nested Domain Group members. This triggers heavy traffic load to your network’s Domain Controllers when every client is using this inspector. We have seen the ‘effective permissions’ inspectors break customers’ Domain Controllers, and have removed it from our out-of-box content, but I still see problem reports from this inspector in custom content.

Instead of looking for your ‘bad’ entries, look for the file dacls that exist, and then filter out the ones you expect.
To check one file, we could use

q: (trustee of it) of entries whose (write permission of it) of dacls of security descriptors of files "c:\temp\test.txt"
A: NT AUTHORITY\SYSTEM
A: BUILTIN\Administrators

Now we just need to build a list of accounts we expect to have write permission, and filter those out from the result.
q: trustees whose (it as string is not contained by set of ("NT AUTHORITY\SYSTEM"; "BUILTIN\Administrators")) of entries whose (write permission of it) of dacls of security descriptors of files "c:\temp\test.txt"

Applying that to our ‘service’ query we can try

q: (pathname of it, trustees whose (it as string is not contained by set of ("NT AUTHORITY\SYSTEM"; "BUILTIN\Administrators"))of entries whose (write permission of it) of dacls of security descriptors of it)  of native files ( ((parenthesized part 1 of match(regex("^%22([^%22]+)%22")) of image path of it | preceding text of first " " of image path of it | image path of it)) of services)
A: C:\Windows\system32\svchost.exe, NT SERVICE\TrustedInstaller
A: C:\Windows\System32\alg.exe, NT SERVICE\TrustedInstaller

On my system, the only other account that had write permission on service files was “NT SERVICE\TrustedInstaller”. When I add that to my filter, I get an empty result. If you have some customized service permissions you may need a few more entries in your filter:

q: (pathname of it, trustees whose (it as string is not contained by set of ("NT AUTHORITY\SYSTEM"; "BUILTIN\Administrators"; "NT SERVICE\TrustedInstaller"))of entries whose (write permission of it) of dacls of security descriptors of it)  of native files ( ((parenthesized part 1 of match(regex("^%22([^%22]+)%22")) of image path of it | preceding text of first " " of image path of it | image path of it)) of services)
T: 138.269 ms
5 Likes
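For checking a single machine by hand, here is the same two-step logic (parse the image path, then list unexpected trustees with write rights on the binary) written in PowerShell. This is an added example, not code from the thread or from BigFix; it assumes a 64-bit PowerShell session (to avoid the same 32-bit redirection the ‘native file’ note warns about) running as an account that can read the service binaries’ ACLs, and it uses a slightly broader rights mask than the relevance ‘write permission’ inspector, since ChangePermissions and TakeOwnership also let a trustee make the file writable.

```powershell
# Trustees expected to hold write rights on service binaries (the thread's own
# list); extend it for your environment, just like the relevance filter above.
$ExpectedTrustees = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Rights that let the holder alter the file or grant themselves the ability to.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ServiceBinaryPath {
    # Same three cases as the relevance: quoted path, unquoted path up to the
    # first space, or the whole value. An unquoted path that itself contains
    # spaces is truncated here too; this mirrors the thread's assumption.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    if ($ImagePath -match '^"([^"]+)"') { return $Matches[1] }
    $idx = $ImagePath.IndexOf(' ')
    if ($idx -gt 0) { return $ImagePath.Substring(0, $idx) }
    return $ImagePath
}

function Get-UnexpectedServiceBinaryWriters {
    param([string[]]$Expected = $ExpectedTrustees)
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = Get-ServiceBinaryPath $svc.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        $acl = Get-Acl -LiteralPath $path
        foreach ($rule in $acl.Access) {
            # Only Allow entries matter; Deny entries reduce access.
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (($rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
            $who = $rule.IdentityReference.Value
            # -contains is case-insensitive, so trustee name casing does not matter.
            if ($Expected -contains $who) { continue }
            [pscustomobject]@{
                Service = $svc.Name
                Path    = $path
                Trustee = $who
                Rights  = $rule.FileSystemRights
            }
        }
    }
}

# Empty output means no trustee outside the expected list can write a service binary.
Get-UnexpectedServiceBinaryWriters | Format-Table -AutoSize
```

Unlike the ‘effective write permission’ inspector, this reads only the file’s own DACL and never expands group membership, so it does not touch the Domain Controllers.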

Jason,

You are amazing! The last step worked perfectly for what I need; we just add one exists.

Thank you very much

1 Like