OpenServiceW issue in MMC.exe on Win7

[leetuck]

Hi Guys,

Is anybody having issues hooking OpenServiceW on Window 7 in the Services Control Manager (mmc.exe)?

On Windows Xp everything works fine but on Windows 7 it is either not being called or is not hooking.

Thanks for any help.
Lee

[madshi]

Disassembly of advapi32's OpenServiceW in Windows 7:

Code: Select all

7587ca4c public OpenServiceW:             ; function entry point
7587ca4c   mov     edi, edi
7587ca4e   push    ebp
7587ca4f   mov     ebp, esp
7587ca51   pop     ebp
7587ca52   jmp     loc_7587ca59
7587ca52
7587ca52 ; ---------------------------------------------------------
7587ca52
7587ca59 loc_7587ca59:
7587ca59   jmp     dword ptr [$7587142c]  ; OpenServiceW (sechost.dll)

[leetuck]

Hi Madshi,

Like I said over email if we use command prompt and type "sc query SERVICENAME" or "net stop SERVICENAME" etc then we can intercept "OpenServiceW" on Windows 7.

Whenever you refresh or click a service in SCM ("services.msc") "OpenServiceW" should be called we can't seem to intercept it. We tried running "API Monitor v2" and it logged that "OpenServiceW" was being called. Oddly though, if we attach API Monitor to the "services.msc" when it is first launched then it won't log the "OpenServiceW" api. If "services.msc" is already running and then we attach API monitor to it then the "OpenServiceW" api is logged... weird!

Is this something you can check your side to see what might be happening?

Thanks,
Lee

[madshi]

It seems you didn't look properly at my previous comment. Let me give you a hint:

jmp dword ptr [$7587142c] ; OpenServiceW (sechost.dll)

[leetuck]

haha ... sorry its been a long day!! You are the man, where do I "donate" ?? thanks

[madshi]

Well, give it a try first... Maybe hooking that won't work, either!

[leetuck]

Works perfect!

I'll email you in the morning and buy 3 years worth of support if that's possible?

[madshi]

Yam-yam, thank you!