[framework] KillAV script update - how to stop an NOT_STOPPABLE service

roamer iam at hackingyour.net
Thu Sep 9 09:35:10 PDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Any reason you aren't using net stop <service>?
I typically use net stop to start/stop services and sc to install/remove 
services.

Chris

On Thu, 9 Sep 2010, Kevin McNamee wrote:

> 
> I have tried to use the “sc” command to stop a service on Windows 7 and
> get the response:
>
> 
> 
> [SC]: OpenService FAILED 5:
> 
> Access is denied.
>
> 
> 
> The service was flagged as “STOPPABLE” and I’m running the “sc” command
> as administrator. Is there something else I have to do on Windows 7 to
> get enhanced privileges in addition to running as admin?
>
> 
> 
> km.
>
> 
> 
> From: framework-bounces at spool.metasploit.com
> [mailto:framework-bounces at spool.metasploit.com] On Behalf Of John Nash
> Sent: Wednesday, September 08, 2010 8:40 AM
> To: framework at spool.metasploit.com
> Subject: [framework] KillAV script update - how to stop an
> NOT_STOPPABLE service
>
> 
> 
> I tried finding other .exe files running as AVG and also the services
> which are running. However, it is not as simple as "sc stop service_name"
> as you guys mentioned previously
>
> 
> 
> AVG has 2 services in its version 9 free version - avg9wd and avg9emc
>
> 
> 
> avg9emc is a STOPPABLE service and hence can be stopped using "net stop
> avg9emc" or "sc stop avg9emc"
>
> 
> 
> however, avg9wd is a NOT_STOPPABLE service and hence the above 2
> commands will not work on it
>
> 
> 
> the way you can stop it is to first disable it by using "sc config avg9wd
> start= disabled" and then killing it. This way it will not be restarted
> after it is killed. 
>
> 
> 
> I guess this would change the flow of the script a little, as currently
> it just kills the processes hoping they will not be restarted.
>
> 
> 
> Just want to acknowledge that the above technique was taken from this
> video on securitytube : 
>
> 
> 
> http://securitytube.net/Metasploit-Megaprimer-Part-10-%28Post-Exploitation-Log-Deletion-and-AV-Killing%29-video.aspx
>
> 
> 
> http://bit.ly/bLbpFf (in case the above url breaks)
>
> 
> 
> it's a long video but he takes you through all the explanations ... 
>
> 
> 
> I am a python guy who is now forced to learn ruby coz of the love for
> metasploit :) If I get a free weekend with ruby this week, I'll try and
> make the changes ..
>
> 
> 
> rgds,
>
> 
> 
> jn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkyJDL4ACgkQOyWtx0Mtxawz4ACeKY/rkKhaGt2YVuuIhHLBc8Mc
ckoAnRCOkHHUYAFfvnt9kPRLyQ0wuyRn
=z72g
-----END PGP SIGNATURE-----
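
As an added example (not part of the original thread or of the KillAV script), the disable-then-kill sequence described in the quoted message can be spotted from the defender's side by correlating Service Control Manager events 7040 (start type changed) and 7034 (service terminated unexpectedly). The tab-separated export format, the sample records and the five-minute window are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (not from the thread), in an assumed
# "timestamp<TAB>event id<TAB>message" export of the Windows System log.
SAMPLE_EVENTS = """\
2010-09-09 09:00:01\t7036\tThe avg9emc service entered the stopped state.
2010-09-09 09:00:05\t7040\tThe start type of the avg9wd service was changed from auto start to disabled.
2010-09-09 09:00:09\t7034\tThe avg9wd service terminated unexpectedly. It has done this 1 time(s).
2010-09-09 11:30:00\t7040\tThe start type of the Spooler service was changed from auto start to disabled.
2010-09-09 14:45:00\t7034\tThe Spooler service terminated unexpectedly. It has done this 1 time(s).
"""

DISABLED = re.compile(r"^The start type of the (.+) service was changed from .+ to disabled\.$")
TERMINATED = re.compile(r"^The (.+) service terminated unexpectedly\.")


def parse(text):
    """Yield (timestamp, event_id, message) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            yield ts, int(parts[1]), parts[2]
        except ValueError:
            continue


def find_disable_then_kill(text, window=timedelta(minutes=5)):
    """Return (service, disabled_at, terminated_at) for each service whose
    start type was set to disabled and whose process then died unexpectedly
    within `window`. A clean stop (event 7036) is deliberately ignored."""
    disabled_at = {}
    alerts = []
    for ts, event_id, msg in sorted(parse(text)):
        if event_id == 7040:
            m = DISABLED.match(msg)
            if m:
                disabled_at[m.group(1).lower()] = ts
        elif event_id == 7034:
            m = TERMINATED.match(msg)
            t0 = disabled_at.get(m.group(1).lower()) if m else None
            if t0 is not None and ts - t0 <= window:
                alerts.append((m.group(1), t0, ts))
    return alerts
```
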

