tibbar
I'm guessing many of you use the svrany tool to set up services (e.g. ftp, etc).

Now, in the registry if you go to hklm\system\currentcontrolset\services\servicename\ and open the binary key FailureActions you can set the service to restart on 1st failure, and reboot on 2nd failure...perfect for all the warez kiddies!

Now, you will see that the current binary values at bit 14 and bit 1C contain value 00 in both cases.

Change bit 14 to value 01 and bit 1C to value 02 and the service will behave as I described.

Now for the interesting part. This can all be set from cmd.exe:

reg add hklm\system\currentcontrolset\services\test /v FailureActions /t REG_BINARY /d 00000000000000000000000003000000770073000100000060EA00000200000060EA00000000000000000000

Give it a try and let me know if you find any other useful bits that can be changed in here.
tibbar
I should probably be a bit more clear. The reg key hklm\system\currentcontrolset\services\servicename\FailureActions is not there by default. But if you add the key using the dos command I gave, then it will restart automatically if the service is closed, and if this fails, reboot the machine.

For instance, if you use the command:

services CREATESVRANY "myMalware" "myLongMalwareName" "c:\windows\svrany.exe" "c:\windows\system32\notsuspicousname.exe"

Then it will create a new service to run your program via the svrany.exe tool.

This will appear in the registry as hklm\system\currentcontrolset\services\myMalware\

which is where the service's settings are.

To enable restarting of the service on closure etc, you would use the command:

reg add hklm\system\currentcontrolset\services\myMalware /v FailureActions /t REG_BINARY /d 00000000000000000000000003000000770073000100000060EA00000200000060EA00000000000000000000

Hopefully this is useful to some people here.
M4Z3R
QUOTE
then it will restart automatically if the service is closed, and if this fails, reboot the machine


This is a risky thing to do. I once changed the values of the key hklm\system\currentcontrolset\services\servicename\ to spoof my services, and it didn't work straight away. If the service fails when the computer boots, and keeps on failing, the computer will reboot and reboot, is that it?
But I guess you will have like 30 sec every time to try and fix the prob before the comp restarts
tibbar
On a 3rd failure the service manager will take no action. So this is not a problem.
Erra
Good info. I always make sure that I don't set my services to do that, but, could be worth a try to see what happens
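
For anyone reviewing a machine for this setting, the FailureActions value discussed in the thread can be decoded and audited as below. This is an added example, not part of the original posts; it assumes the value is the serialized SERVICE_FAILURE_ACTIONS structure with 32-bit little-endian fields, and the function names are hypothetical.

```python
import struct

# SC_ACTION_TYPE values from the Windows SDK (winsvc.h)
ACTION_NAMES = {0: "none", 1: "restart service", 2: "reboot machine", 3: "run command"}
HEADER_LEN = 20  # five DWORDs precede the action array

def parse_failure_actions(hex_blob):
    """Decode a FailureActions REG_BINARY value into its reset period and action list."""
    data = bytes.fromhex(hex_blob)
    if len(data) < HEADER_LEN:
        raise ValueError("blob shorter than the 20-byte header")
    # Header: dwResetPeriod, lpRebootMsg, lpCommand, cActions, lpsaActions.
    # The three pointer slots carry no meaning once serialized to the registry.
    reset_period, _, _, count, _ = struct.unpack_from("<5I", data, 0)
    needed = HEADER_LEN + 8 * count
    if len(data) < needed:
        raise ValueError("blob truncated: cActions=%d needs %d bytes" % (count, needed))
    actions = []
    for i in range(count):
        offset = HEADER_LEN + 8 * i  # each SC_ACTION is {Type, Delay in ms}
        action_type, delay_ms = struct.unpack_from("<II", data, offset)
        actions.append({"offset": offset, "type": action_type,
                        "name": ACTION_NAMES.get(action_type, "unknown"),
                        "delay_ms": delay_ms})
    return {"reset_period_s": reset_period, "actions": actions}

def audit(service, hex_blob):
    """Return findings for failure actions that reboot the host or run a command."""
    findings = []
    for n, act in enumerate(parse_failure_actions(hex_blob)["actions"], 1):
        if act["type"] in (2, 3):
            findings.append("%s: failure #%d -> %s after %d ms (offset 0x%02X)"
                            % (service, n, act["name"], act["delay_ms"], act["offset"]))
    return findings

# The value from the thread, split into DWORDs for readability
# (bytes.fromhex ignores the spaces).
THREAD_BLOB = ("00000000 00000000 00000000 03000000 77007300 "
               "01000000 60EA0000 02000000 60EA0000 00000000 00000000")

if __name__ == "__main__":
    for line in audit("test", THREAD_BLOB):
        print(line)
```

The same functions work on a value exported with `reg query` once the hex string is copied out of the output.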
