Launching process from service under system account

Question

I am having an issue launching a process from the system account. I just want to make it clear that I am not trying to run it under an interactive session, nor trying to impersonate any account. All I am trying to do is launch a process from the system account into the same session. The session in which the NTAUTHORITY\SYSTEM resides is 0 I believe.

I created a simple Windows Service that basically just uses Process.start to launch the executable. The Service is a system service.

I installed the service using SC as such:

sc create "MYSERVICE" binpath= "C:\Projects\MyService\MyService.exe" displayname= "My Awesome Service"

When I try to manually start the service I get a prompt that says "The ServiceName service on local computers started and then stopped. Some services stop Automatically if they are not in use by other services or programs."

Along with this the executable is never actually started. When monitoring it in processhacker I can see that the service does start, but the executable it attempts doesn't. Can anyone help me figure out why?

As I stated earlier my service is very basic, all it does is try and launch the executable when started:

  protected override void OnStart(string[] args)
    {
        Process.Start("svrexec.exe");
    }

    protected override void OnStop()
    {
    }

Do either of the answers to [this question](http://stackoverflow.com/q/6271252/2065121) help? — Roger Rowland, Oct 15 '13 at 06:26

score 0 · Accepted Answer · answered Oct 15 '13 at 06:54

0

Did you specify full path to your executable? The working folder for the system user is %windir%\System32.

Try Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "svrexec.exe"), or set Environment.CurrentDirectory = AppDomain.CurrentDomain.BaseDirectory

answered Oct 15 '13 at 06:54

EventHorizon

2,916
22
30

Thanks for the reply. No I didn't bother specifying one because the executable is actually in the system32 folder. I just tried pointing directly to it with no good results. The file is a system file and I am wondering if windows has their own little rootkit like setup going on to prevent users from touching them. When I try to execute it from a normal user account directly from the explorer, I get an error saying the file is not found. – user1632018 Oct 15 '13 at 16:11

score 0 · Answer 2 · answered Dec 10 '13 at 16:40

0

Are you 100% sure it's not running? I tried and mine is running under the SYSTEM User Name check Show processes from all users in Task Manager

answered Dec 10 '13 at 16:40

Rubarb

85
2

Launching process from service under system account

2 Answers2