Windows Services Running Under Local Administrator account

I’m curious if anyone has already done this or not, but I really cannot seem to figure out how to retrieve the local user account's SID.
This doesn’t work as it just lists out the user accounts domain\username.

q: (sid of it, name of it) of local users

If I could retrieve the SID string of characters I could figure out the local Built-In administrator account from this format:

SID: S-1-5-21domain-500
Name: Administrator
Description: A user account for the system administrator. By default, it is the only user account that is given full control over the system.
Security identifiers | Microsoft Learn

I would then shoot to use that result in something like this:

q: display names of services whose (login account of it contains "local")
A: Application Experience.... etc

Thanks in advance.
Luke

I was able to get the username by sid successfully with this thanks to another fixlet I found:

q: sid of (local users; local groups) whose ((exist matches (regex "^S-1-5-[0-9-]+500$") of component string of sid of it))
A: computer1\localadministrator
T: 14.098 ms

However, my original plan is awfully long-running and doesn’t work.

Creation of service:

C:>sc create WorstIdeaEver binPath= "c:\badidea.exe" obj= ".\localadministrator" password= password
[SC] CreateService SUCCESS

Check for service based on SID, expecting what I created a moment ago.

q: display names of services whose (login account of it as lowercase = (sid of (local users; local groups) whose ((exist matches (regex "^S-1-5-[0-9-]+500$") of component string of sid of it))) as string)
T: 2756.680 ms

Delete service and recreate it with computername\adminname just to see what happens.

C:>sc delete WorstIdeaEver
[SC] DeleteService SUCCESS

C:>sc create WorstIdeaEver binPath= "c:\badidea.exe" obj= "computer1\localadministrator" password= password
[SC] CreateService SUCCESS

Check for service with “computername\adminname” name format.

q: display names of services whose (login account of it as lowercase = "computer1\localadministrator")
T: 55.436 ms

Possibly indicating that the .\ is the name format needed for the local domain of the computer.

q: display names of services whose (login account of it as lowercase = ".\localadministrator")
A: WorstIdeaEver
T: 70.122 ms

Checking with “computername\adminname” even though I’m pretty sure it won’t work.

q: display names of services whose (login account of it as lowercase = (sid of (local users; local groups) whose ((exist matches (regex "^S-1-5-[0-9-]+500$") of component string of sid of it))) as string)
T: 2684.986 ms

I’m making progress on this, but I’m not sure if I’ll come to a resolution on my own, as I don’t think I am entirely familiar with string functions and modifiers in relevance at this time.

Luke

I’m not exactly sure what you are looking for, but does this help?

Q: ("\" & it) of following text of first "\" of "computer1\localadministrator"
A: \localadministrator

display names of services whose (login account of it as lowercase ends with ( (it as lowercase) of ("\" & it) of following text of first "\" of "computer1\localadministrator" ) )

That does help. I wanted to return a Boolean or a list of the services running under the Windows built-in administrator account credential. Using this below does just that regardless of what the administrator account has been renamed to.

display names of services whose (login account of it as lowercase ends with ((it as lowercase) of ("\" & it) of following text of first "\" of (sid of (local users; local groups) whose ((exist matches (regex "^S-1-5-[0-9-]+500$") of component string of sid of it)) as string)))

Thanks jgstew.

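As an added example that is not part of this thread (and not BigFix relevance), the same check written in Python over constructed sample data: the RID-500 SID step from Luke's second post and the account-name matching step from jgstew's final query, combined into one function. The part the earlier queries tripped over, that the service manager may report the same local account as `.\user` or as `COMPUTER1\user`, is handled by normalizing both forms to `computer1\user` before comparing. The computer name, account list, SIDs and service entries below are all constructed; on a real host they would come from the `(name of it, sid of it) of local users` query and the `login account of it` property of services shown in the thread (or from `Win32_Service`'s `StartName`).

```python
import re

# Tighter form of the thread's pattern: S-1-5-21-<three sub-authorities>-500.
# Anchoring the hyphen before 500 means RIDs such as 1500 or 2500 do not match,
# which "[0-9-]+500$" would allow.
BUILTIN_ADMIN_SID = re.compile(r"^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-500$")


def normalize_login(login: str, computer_name: str) -> str:
    """Map '.\\user', 'COMPUTER\\user' and bare 'user' to 'computer\\user', lowercased.

    Any other prefix (a domain name, NT AUTHORITY, ...) is kept as-is, so a domain
    account that happens to share the local administrator's name is never matched.
    """
    login = login.lower()
    computer_name = computer_name.lower()
    if "\\" in login:
        domain, user = login.split("\\", 1)
        if domain in (".", computer_name):
            domain = computer_name
        return f"{domain}\\{user}"
    # Assumption: a bare name with no prefix is treated as a local account.
    return f"{computer_name}\\{login}"


def builtin_admin_names(local_accounts, computer_name: str) -> set:
    """Normalized login names of every local account whose SID has RID 500."""
    return {
        normalize_login(name, computer_name)
        for name, sid in local_accounts
        if BUILTIN_ADMIN_SID.match(sid)
    }


def services_running_as_builtin_admin(services, local_accounts, computer_name: str) -> list:
    """Display names of services whose login account is the (possibly renamed) built-in Administrator."""
    admins = builtin_admin_names(local_accounts, computer_name)
    return [
        display
        for display, login in services
        if login and normalize_login(login, computer_name) in admins
    ]


# --- constructed sample input (not real hosts or SIDs) ---------------------
SAMPLE_COMPUTER = "computer1"

# Mirrors what `(name of it, sid of it) of local users` returns; the built-in
# account has been renamed to "localadministrator" but keeps RID 500.
SAMPLE_LOCAL_ACCOUNTS = [
    ("localadministrator", "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("Guest", "S-1-5-21-1111111111-2222222222-3333333333-501"),
    ("svc_backup", "S-1-5-21-1111111111-2222222222-3333333333-1001"),
]

# (display name, login account) pairs in the forms the service manager reports.
SAMPLE_SERVICES = [
    ("WorstIdeaEver", ".\\localadministrator"),            # created with obj= .\localadministrator
    ("Backup Agent", "COMPUTER1\\LocalAdministrator"),     # same account, computer-prefixed form
    ("Application Experience", "LocalSystem"),
    ("Print Spooler", "NT AUTHORITY\\LocalService"),
    ("Corp Agent", "CORP\\localadministrator"),            # domain account with the same name: must NOT match
    ("Nightly Job", "computer1\\svc_backup"),              # local account, but not RID 500
]

if __name__ == "__main__":
    for name in services_running_as_builtin_admin(SAMPLE_SERVICES, SAMPLE_LOCAL_ACCOUNTS, SAMPLE_COMPUTER):
        print(name)
```

Two design choices worth noting: the comparison is on the full `domain\user` after normalization rather than on the `\user` suffix alone, so `CORP\localadministrator` is not reported, and the SID pattern requires a hyphen immediately before the `500`, so accounts with RIDs like 1500 are excluded.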

You are welcome. I enjoy manipulating strings into being useful.


Look here for relevance examples: http://bigfix.me/