Admin to SYSTEM: Scheduler Service
This is the first in a series of posts on means to "escalate" from a non-SYSTEM administrative context to the context of SYSTEM.
The first means of performing this escalation is the documented and well-established method of using the scheduler service. The scheduler service is installed with all versions of NT through 2k3, and provides a simple means of scheduling one-time jobs or periodic jobs. Jobs are backed by an on-disk executable image - this means that the code you'd like to run must hit the disk. Because jobs are ultimately a child process of the scheduler services process (svchost.exe in win2k and above), they inherit the user context of the scheduler services, which by default is SYSTEM. Therefore, it is possible to use the scheduler service to run arbitrary code as SYSTEM.
A good way to become familiar with the scheduler service is to use the native Windows command line tool at.exe, which allows you to schedule, view, and delete jobs. You can run regedit.exe interactively in the context of SYSTEM by doing the following:
>at 11:54pm /INTERACTIVE regedit.exe
This assumes that you'd like to run the job at 11:54 PM and that it is before 11:54 PM; if it is after 11:54 PM the job will be scheduled (silently!) for 11:54PM tomorrow. It appears that the scheduler services works on one minute intervals, so you might have to wait a minute for the result.
If you are interested accessing the scheduler service programmatically, you can use the well-documented NetSchedule* API, consisting of NetScheduleJobAdd, NetScheduleJobDel, NetScheduleJobInfo, and NetScheduleJobEnum. Although I happened to be familiar with these APIs, one way you could have determined that these were in fact the APIs to use is to check out the dependencies of at.exe. From the Visual Studio command line, try:
>dumpbin /IMPORTS at.exe
Check out the imported functions from netapi32.dll.
The documentation on MSDN in self-explanatory. I have provided an example program anyway at http://www.dariengap.net/code/schedulersvc.zip.
A few final notes:
The first means of performing this escalation is the documented and well-established method of using the scheduler service. The scheduler service is installed with all versions of NT through 2k3, and provides a simple means of scheduling one-time jobs or periodic jobs. Jobs are backed by an on-disk executable image - this means that the code you'd like to run must hit the disk. Because jobs are ultimately a child process of the scheduler services process (svchost.exe in win2k and above), they inherit the user context of the scheduler services, which by default is SYSTEM. Therefore, it is possible to use the scheduler service to run arbitrary code as SYSTEM.
A good way to become familiar with the scheduler service is to use the native Windows command line tool at.exe, which allows you to schedule, view, and delete jobs. You can run regedit.exe interactively in the context of SYSTEM by doing the following:
>at 11:54pm /INTERACTIVE regedit.exe
This assumes that you'd like to run the job at 11:54 PM and that it is before 11:54 PM; if it is after 11:54 PM the job will be scheduled (silently!) for 11:54PM tomorrow. It appears that the scheduler services works on one minute intervals, so you might have to wait a minute for the result.
If you are interested accessing the scheduler service programmatically, you can use the well-documented NetSchedule* API, consisting of NetScheduleJobAdd, NetScheduleJobDel, NetScheduleJobInfo, and NetScheduleJobEnum. Although I happened to be familiar with these APIs, one way you could have determined that these were in fact the APIs to use is to check out the dependencies of at.exe. From the Visual Studio command line, try:
>dumpbin /IMPORTS at.exe
Check out the imported functions from netapi32.dll.
The documentation on MSDN in self-explanatory. I have provided an example program anyway at http://www.dariengap.net/code/schedulersvc.zip.
A few final notes:
- You can use the scheduler service over RPC to schedule a job on a remote host.
- The scheduler service must be running. You can start the scheduler service either locally or remotely using the Win32 Service API. In particular, check out OpenSCManager, OpenService, and StartService.
- If you'd rather not run a custom executable, you can schedule a custom DLL to "run" through the use of rundll32.exe, or schedule a batch file (which auto-magically is converted to cmd.exe... by CreateProcess)
- You can schedule a job to be backed by an image on a network share. The network share will be accessed via a "NULL" session (in the case of NT 4 and below, or a non-domain host) or in the context of the computer account (2k and up in a domain environment).
posted by sdl529 @ 9:47 PM
2 Comments:
At 5/8/06 12:28 PM,
J.J. said…
Since the scheduler service runs as SYSTEM, scheduled processes only have access to resources on the local computer. I don't have a Windows box handy, so I'll make the assumption at.exe can be provided domain credentials to overcome.
q: when you provide creds, where and how are those stored?
At 8/8/06 8:18 PM,
sdl529 said…
A number of points.
Scheduled processes (running in the context of SYSTEM) do, as my original post alludes to, have access to network resources on win2k+ in a domain environment. Should these two requirements be met, the 0x0-3e7 logon session will include the computer account name and credentials necessary. This is especially useful when the remote resource is DACLed to allow "Authenticated Users" some rights; "domain computers" members are authenticated.
As for your question, I first have to qualify your assumption. There are four revisions of the scheduler service, which I might cover in a later post. The NetSchedule* APIs that I covered are part of the original (NT 3.1) scheduler API. Two APIs were added as of XPSP1/2k3 ([Get|Set]NetScheduleAccountInformation). Additionally, there are the Task Scheduler 1.0 and 2.0 API sets.
Of these, only a subset allow the specification of credentials, and only a subset of those allow the specifiication of credentials on a per job basis, as opposed to applying to the service as a whole.
If and when I post on this subject in depth, I will answer your (very insightful) question about the credentials.
Post a Comment
<< Home