Jump to content

SC create/delete/modify services command

TranceEnergy

By TranceEnergy
in Software Hangout

 Share

Recommended Posts

TranceEnergy

TranceEnergy

Posted
Posted

Hi!

sc command:

quote: "DESCRIPTION: SC is a command line program used for communicating with the NT Service Controller and services."

To summarize post in 2 short questions:

#1. What changes does it actually do? and

#2. If possible how can i replicate the steps that the sc delete&create command does without using SC. I believe i could achieve the same effect with export/import registry changes with reged by command line etc.

Im just curious to how the SC actually works. if i specify to delete a service then what does that do?

Does it only delete it from the registry? It seems so to me, but since i dont have a way of recording what it does, i can't know for sure 100% what actually happens.

I use it to delete some services and it works great, i know it doesnt delete the files for it etc, not that i know of anyway.

Well now that i think of it i could just set all files to same date and time and see afterwards if anything changes, but neeeh.

I either want to use the SC command to do my work, but if it only does registry changes, then maybe, just maybe, i'd be better off just exporting registry before deletion, to use for

adding service back into the game. However i assume the command does some kind of calling the the service command console to notify system that service is being installed/now available, - or not as the case may be.

Thanks!

Link to comment
Share on other sites

TranceEnergy

TranceEnergy

Posted
  • Author
Posted

That says how to use SC.

I know enough on how to use it, my question is what does it do actually, i want to know more details on what it does.

Say if i delete a service with it, does it only do changes to registry? does it edit .inf files? Does it call external processes to do work?

Does it change registry entries only on local machine.

I know my question is far fetched perhaps, still. I'm curious. I want to understand what really happens.

Link to comment
Share on other sites
cluberti

cluberti

Posted
Posted
That says how to use SC.

I know enough on how to use it, my question is what does it do actually, i want to know more details on what it does.

Say if i delete a service with it, does it only do changes to registry? does it edit .inf files? Does it call external processes to do work?

Does it change registry entries only on local machine.

I know my question is far fetched perhaps, still. I'm curious. I want to understand what really happens.

Well, if you want to know what it does (at least with public APIs and MSDN searching), use procmon to monitor the sc command doing whatever it is you want to trace, and then configure it for the public symbol server and you can see callstacks.

Public symbol server notation for procmon is:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

(insert whatever local folder you want to use to cache symbol info for "c:\symbols", of course)

Link to comment
Share on other sites
GrofLuigi

GrofLuigi

Posted
Posted
I know enough on how to use it, my question is what does it do actually, i want to know more details on what it does.

From what I've seen, it deletes the service entries in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum . And it does it properly - never had a problem with it. I haven't seen it touch anything anything else, but I wouldn't guarantee it doesn't - maybe I haven't hit the right ones. It doesn't touch inf files or anything in the filesystem. I always monitor all my changes with Total Uninstall (last free version) which doesn't monitor permissions, but I've checked few times and saw no changes.

Tip: Neither SC nor NLite remove entries from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\(Application/Security/System) (and I think it would be difficult/dangerous to automate them), but there is one place that a removed service can hide. Another is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost which can be cleaned up if all services from a group are removed. :sneaky:

GL

Link to comment
Share on other sites
TranceEnergy

TranceEnergy

Posted
  • Author
Posted

cluberti:

concerning procmon, making note on desktop. Ill check it out. I've yet to see a tool like Snoopdos was on amiga for pc tho, that would be the killer.

GL:

Agree. I havent seen it do anything then what you say either. I am just merely curious if it really is all and if potentially some services are treated differently, but i guess not. Still, my point is that it would still just be a guess, i wouldnt know 100% safely that that was only what it did.

But thanks :thumbup , it's good to get somewhat confirmation on one's suspicions.

I'm doing the whole batch file process of removing crap from windows, (including things nlite can't do), and in the process of doing so i thought it would be fun if it was possible to revert the process, to have backup, and it kind of turned into a monster i never planned on, but i guess thats the usual.

Link to comment
Share on other sites
jaclaz

jaclaz

Posted
Posted
That says how to use SC.

I know enough on how to use it, my question is what does it do actually, i want to know more details on what it does.

I'll try again:

commands:

.....

create Create a service. (add it to the registry)

.....

delete Delete a service (from the registry)

.....

(bolding is mine)

No poor, innocent .inf file will be harmed in the process. ;)

jaclaz

Link to comment
Share on other sites
TranceEnergy

TranceEnergy

Posted
  • Author
Posted

Yeah i've read that, but still.. Anyway, ill try using sc to re-create the services too then, that i delete.

Found out i already had procmon,( Had renamed it to Process Monitor) it doesnt seem like the same deal imho xD. Close tho.

I see VMware trying to access Distributed transaction coordinator registry values, even tho service is delete with nlite on my host install.

Link to comment
Share on other sites
TranceEnergy

TranceEnergy

Posted
  • Author
Posted (edited)

I've done some more googling on "sc create" command and it seems to just be able to create a service that points to a exe file.

Well i deleted Hidserv service and want to re-create it but i cant seem to find what exe to point it at, doesnt seem to exist?

At this point i think maybe it would be better to be able to move the service data in registry to a bakup location in registry, so it doesnt appear in services.msc etc, and not available for windows, but one are able to restore it then?

Edited by TranceEnergy
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...