Archive for the ‘Debugging’ Category

Windows: service management with sc.exe

January 23, 2011

In a previous post, I listed the net start and net stop commands for managing services. The main drawback to these is that, while they are present on every Windows system, they only work on local services.

I'm all for utilities that reduce the time it takes to get work done (that's one of the reasons I'm so fond of the CLI), and to that end this post is about the Service Control (sc) utility, which lets you query and control services on remote servers and so avoids the need to RDP onto multiple servers to manage their services locally.

If you want to know which services are currently running on a remote server (DC1.your.domain.com, for example), running the following command outputs a long list of services and their status:

C:\>sc \\DC1.your.domain.com query

If you want more information on a specific service, such as the Windows DNS Server, sc makes it easy to gather the required data. To start with, you can get the service's display name:

C:\>sc \\DC1.your.domain.com GetDisplayName dns
[SC] GetServiceDisplayName SUCCESS  Name = DNS Server

You can also get the service's description like so:

C:\>sc \\DC1.your.domain.com qdescription dns
[SC] GetServiceConfig SUCCESS 
SERVICE_NAME: dns        
    DESCRIPTION              : Enables DNS clients to resolve DNS names by
answering DNS queries and dynamic DNS update requests. If this service is
stopped, DNS updates will not occur. If this service is disabled, any
services that explicitly depend on it will fail to start.

You can quickly list the service configuration too:

C:\>sc \\DC1.your.domain.com qc dns
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: dns
    TYPE               : 10  WIN32_OWN_PROCESS
    START_TYPE         : 2   AUTO_START
    ERROR_CONTROL      : 1   NORMAL
    BINARY_PATH_NAME   : C:\WINDOWS\System32\dns.exe
    LOAD_ORDER_GROUP   :
    TAG                : 0
    DISPLAY_NAME       : DNS Server
    DEPENDENCIES       : Tcpip
                       : Afd
                       : RpcSs
    SERVICE_START_NAME : LocalSystem

NB: For extended status information, use the queryex command instead of query.

Then you can check the status of the service:

C:\>sc \\DC1.your.domain.com query dns
SERVICE_NAME: dns
    TYPE               : 10  WIN32_OWN_PROCESS
    STATE              : 4  RUNNING
                            (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE    : 0  (0x0)
    SERVICE_EXIT_CODE  : 0  (0x0)
    CHECKPOINT         : 0x0
    WAIT_HINT          : 0x0

Finally, once you've gathered all the information you need, you can stop and start the service. Note that sc stop only sends the STOP control and prints the status the service reported at that moment (STATE 3 STOP_PENDING below); it does not wait, so query the service again to confirm it has reached STOPPED before starting it:

C:\>sc \\DC1.your.domain.com stop dns
SERVICE_NAME: dns
    TYPE               : 10  WIN32_OWN_PROCESS
    STATE              : 3  STOP_PENDING
                            (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE    : 0  (0x0)
    SERVICE_EXIT_CODE  : 0  (0x0)
    CHECKPOINT         : 0x1
    WAIT_HINT          : 0x5265c00

C:\>sc \\DC1.your.domain.com query dns
SERVICE_NAME: dns
    TYPE               : 10  WIN32_OWN_PROCESS
    STATE              : 1  STOPPED
    WIN32_EXIT_CODE    : 0  (0x0)
    SERVICE_EXIT_CODE  : 0  (0x0)
    CHECKPOINT         : 0x0
    WAIT_HINT          : 0x0

C:\>sc \\DC1.your.domain.com start dns
SERVICE_NAME: dns
    TYPE               : 10  WIN32_OWN_PROCESS
    STATE              : 2  START_PENDING
                            (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE    : 0  (0x0)
    SERVICE_EXIT_CODE  : 0  (0x0)
    CHECKPOINT         : 0x0
    WAIT_HINT          : 0x7d0
    PID                : 608
    FLAGS              :

C:\>sc \\DC1.your.domain.com query dns
SERVICE_NAME: dns
    TYPE               : 10  WIN32_OWN_PROCESS
    STATE              : 4  RUNNING
                            (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE    : 0  (0x0)
    SERVICE_EXIT_CODE  : 0  (0x0)
    CHECKPOINT         : 0x0
    WAIT_HINT          : 0x0
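The query, qc and stop/start steps above produce the same KEY : VALUE layout every time, which is convenient when you capture it from many servers. As an added example that is not part of the original post, here is a small Python parser for that layout that records a service's state, accepted controls, start type, account and dependencies; the two sample inputs are constructed from the dns output shown above.

```python
import re

# Constructed sample, modelled on the "sc \\DC1.your.domain.com qc dns" output above.
SAMPLE_QC = r"""[SC] GetServiceConfig SUCCESS
SERVICE_NAME       : dns
START_TYPE         : 2   AUTO_START
BINARY_PATH_NAME   : C:\WINDOWS\System32\dns.exe
DISPLAY_NAME       : DNS Server
DEPENDENCIES       : Tcpip
                   : Afd
                   : RpcSs
SERVICE_START_NAME : LocalSystem
"""
# Constructed sample, modelled on the "sc \\DC1.your.domain.com query dns" output above.
SAMPLE_QUERY = """SERVICE_NAME: dns
    TYPE               : 10  WIN32_OWN_PROCESS
    STATE              : 4  RUNNING
                            (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE    : 0  (0x0)
"""

def parse_sc_output(text):
    """Turn an sc.exe KEY : VALUE block into a dict. Lines without a key (extra
    DEPENDENCIES entries, the STATE flag list) are appended to the previous key."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[SC]"):
            continue  # blank line or the "[SC] ... SUCCESS" banner
        m = re.match(r"^([A-Z0-9_]+)\s*:\s*(.*)$", line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last:  # continuation line: drop a leading ':' and join onto the last key
            fields[last] = (fields[last] + " " + line.lstrip(":").strip()).strip()
    return fields

def service_state(query_text):
    """(code, name, accepted controls) from 'sc query' output, e.g. (4, 'RUNNING', [...])."""
    code, name, *rest = parse_sc_output(query_text)["STATE"].split(None, 2)
    flags = rest[0].strip("()").replace(" ", "").split(",") if rest else []
    return int(code), name, flags

def service_config(qc_text):
    """The 'sc qc' fields an inventory would record, with dependencies as a list."""
    f = parse_sc_output(qc_text)
    return {"name": f["SERVICE_NAME"], "display_name": f["DISPLAY_NAME"],
            "start_type": f["START_TYPE"].split()[1], "binary": f["BINARY_PATH_NAME"],
            "account": f["SERVICE_START_NAME"], "dependencies": f["DEPENDENCIES"].split()}
```

A STOPPED service has no flag list after its STATE, so service_state returns an empty controls list for the "1  STOPPED" output shown above.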

The full list of sc commands, as printed by its built-in help, is as follows:

C:\>sc
DESCRIPTION:
    SC is a command line program used for communicating with the
    NT Service Controller and services.
USAGE:
    sc <server> [command] [service name] <option1> <option2>...

    The option <server> has the form "\\ServerName"
    Further help on commands can be obtained by typing: "sc [command]"
    Commands:
        query-----------Queries the status for a service, or
                        enumerates the status for types of services.
        queryex---------Queries the extended status for a service, or
                        enumerates the status for types of services.
        start-----------Starts a service.
        pause-----------Sends a PAUSE control request to a service.
        interrogate-----Sends an INTERROGATE control request to a service.
        continue--------Sends a CONTINUE control request to a service.
        stop------------Sends a STOP request to a service.
        config----------Changes the configuration of a service (persistant).
        description-----Changes the description of a service.
        failure---------Changes the actions taken by a service upon failure.
        sidtype---------Changes the service SID type of a service.
        qc--------------Queries the configuration information for a service.
        qdescription----Queries the description for a service.
        qfailure--------Queries the actions taken by a service upon failure.
        qsidtype--------Queries the service SID type of a service.
        delete----------Deletes a service (from the registry).
        create----------Creates a service. (adds it to the registry).
        control---------Sends a control to a service.
        sdshow----------Displays a service's security descriptor.
        sdset-----------Sets a service's security descriptor.
        showsid---------Displays the service SID string corresponding to an
                        arbitrary name.
        GetDisplayName--Gets the DisplayName for a service.
        GetKeyName------Gets the ServiceKeyName for a service.
        EnumDepend------Enumerates Service Dependencies.

    The following commands don't require a service name:
    sc <server> <command> <option>
        boot------------(ok | bad) Indicates whether the last boot should
                        be saved as the last-known-good boot configuration
        Lock------------Locks the Service Database
        QueryLock-------Queries the LockStatus for the SCManager Database
EXAMPLE:
    sc start MyService
Would you like to see help for the QUERY and QUERYEX commands? [ y | n ]: n

Windows: Internals – Visibility into processes

January 18, 2011

Any Windows administrator worth their salt will eventually need to use Microsoft's Debugging Tools for Windows (unless their employers don't mind them squashing and redeploying machines in the event of a BSOD/ASR).

A quick search on your favourite search engine or the Microsoft site for Debugging Tools for Windows will give you a link to the debugging tools download page, where you can select current or previous versions depending on the platform you're troubleshooting.

I have often needed to examine particular processes while analysing resource issues. I'll cover quite a few of the utilities I use for this in future posts, but this one is dedicated to the Task List Viewer utility, TList.exe.

TList is a CLI utility (I much prefer working in the CLI rather than the GUI) that can be used to gather information about processes running on a computer.

The /t option displays a process tree, with each process shown as a child of the process that created it:

c:\>tlist /t
System Process (0)
System (4)
  smss.exe (404)
    csrss.exe (452)
    winlogon.exe (476) NetDDE Agent
      services.exe (520)
        svchost.exe (700)
        svchost.exe (724)
        svchost.exe (864)
        svchost.exe (888)
        spoolsv.exe (996)
        scardsvr.exe (1040)
        alg.exe (1172)
        tievxx.exe (1200) ATI video bios poller
        InoRpc.exe (1248)
        InoRT.exe (1264)
        InoTask.exe (1308)
        mdm.exe (1392)
        dllhost.exe (2780)
  lsass.exe (532)
  rundll32.exe (500)
explorer.exe (328) Program Manager
  WLANMON.exe (1728) TI Wireless LAN Monitor
  ISATRAY.EXE (1712) IsaTray
  cmmon32.exe (456)
  WINWORD.EXE (844) Tlist.doc - Microsoft Word
  explore.exe (2096) Platform SDK - CreateThread

TList can search for processes by name, by PID, or by pattern if you're not sure of the exact process name. It can also provide a wealth of information about processes, such as which DLLs or modules each process has loaded.
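The tree layout above encodes parentage purely by indentation, which is what you are reading when you check whether a process has the parent you would expect. As an added example that is not from the original post or from the Debugging Tools, here is a Python parser that turns a captured tlist /t listing back into parent/child relationships; the sample input is constructed from the tree above.

```python
import re

# Constructed sample in the "tlist /t" layout shown above (each level indented two more spaces).
SAMPLE_TLIST = """System Process (0)
System (4)
  smss.exe (404)
    csrss.exe (452)
    winlogon.exe (476) NetDDE Agent
      services.exe (520)
        svchost.exe (700)
        spoolsv.exe (996)
  lsass.exe (532)
explorer.exe (328) Program Manager
  WINWORD.EXE (844) Tlist.doc - Microsoft Word
"""

# indentation, image name, PID in parentheses, optional window title
LINE_RE = re.compile(r"^(\s*)(.+?) \((\d+)\)(?: (.*))?$")

def parse_tlist_tree(text):
    """Return {pid: (name, parent_pid, window_title)} from 'tlist /t' output.
    Parentage is recovered from indentation: a stack of (indent, pid) holds the
    current ancestry, and a line's parent is the nearest entry indented less."""
    procs, stack = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent = len(m.group(1))
        name, pid, title = m.group(2), int(m.group(3)), m.group(4) or ""
        while stack and stack[-1][0] >= indent:
            stack.pop()  # unwind to the enclosing level
        parent = stack[-1][1] if stack else None
        procs[pid] = (name, parent, title)
        stack.append((indent, pid))
    return procs

def children_of(procs, pid):
    """PIDs whose recorded parent is `pid`, in ascending order."""
    return sorted(p for p, (_, parent, _) in procs.items() if parent == pid)

def ancestry(procs, pid):
    """Image names from `pid` up to its root, e.g. svchost.exe, services.exe, ..."""
    chain = []
    while pid is not None:
        name, pid, _ = procs[pid]
        chain.append(name)
    return chain
```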

A full listing of TList command line switches can be found here.

NB: It should be noted that processes are not programs. In Windows Internals, 4th edition, Mark Russinovich and David Solomon (men who know!) state that a process is a container for a set of resources, specifically:

  • Private virtual address space,
  • An executable program,
  • A list of open handles to system resources,
  • An access token and
  • A process ID.