Metasploit mailing list archives

Re: KillAV script update - how to stop a NOT_STOPPABLE service


From: "Kevin McNamee" <kevin () kindsight net>
Date: Thu, 9 Sep 2010 15:02:15 -0400

Thanks. When I use psexec to run the command as system, the “sc stop” works fine.

Km.

From: Carlos Perez [mailto:carlos_perez () darkoperator com] 
Sent: Thursday, September 09, 2010 12:25 PM
To: Kevin McNamee
Cc: <framework () spool metasploit com>
Subject: Re: [framework] KillAV script update - how to stop a NOT_STOPPABLE service

Is UAC enabled? The registry keys it modifies are in HKLM, so if UAC is enabled you will not be able to modify them unless you are running as system.


Sent from my iPhone


On Sep 9, 2010, at 12:16 PM, "Kevin McNamee" <kevin () kindsight net> wrote:

        I have tried to use the “sc” command to stop a service on Windows 7 and get the response:

        [SC]: OpenService FAILED 5:
        Access is denied.

        The service was flagged as “STOPPABLE” and I’m running the “sc” command as administrator. Is there something else I have to do on Windows 7 to get enhanced privileges in addition to running as admin?

        km.

        From: framework-bounces () spool metasploit com [mailto:framework-bounces () spool metasploit com] On Behalf Of John Nash
        Sent: Wednesday, September 08, 2010 8:40 AM
        To: framework () spool metasploit com
        Subject: [framework] KillAV script update - how to stop a NOT_STOPPABLE service

        I tried finding other .exe files running as AVG and also the services which are running. However, it is not as simple as "sc stop service_name" as you guys mentioned previously.

        AVG has 2 services in its version 9 free version - avg9wd and avg9emc

        avg9emc is a STOPPABLE service and hence can be stopped using "net stop avg9emc" or "sc stop avg9emc"

        however, avg9wd is a NOT_STOPPABLE service and hence the above 2 commands will not work on it

        the way you can stop it is to first disable it by using "sc config avg9wd start= disabled" and then killing it. This way it will not be restarted after it is killed.

        I guess this would change the flow of the script a little, as currently it just kills the processes hoping they will not be restarted.

        Just want to acknowledge that the above technique was taken from this video on securitytube:

        http://securitytube.net/Metasploit-Megaprimer-Part-10-%28Post-Exploitation-Log-Deletion-and-AV-Killing%29-video.aspx

        http://bit.ly/bLbpFf (in case the above url breaks)

        it's a long video but he takes you through all the explanations ...

        I am a python guy who is now forced to learn ruby because of the love for metasploit :) if I get a free weekend with ruby this week, I'll try and make the changes ..

        rgds,

        jn

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
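A defender-side check for the "sc config ... start= disabled, then kill" technique discussed in the quoted message, added here as an example that is not code from the thread or from the KillAV script: it scans constructed sample lines shaped like Windows Service Control Manager Event ID 7040 messages and flags watched AV services whose start type was changed to disabled. The log line layout, the timestamp format and the watched-service list are assumptions for the example.

```python
import re

# Constructed sample lines (not real log output) in the shape of Service Control
# Manager events: 7040 = start type changed, 7036 = service state changed.
SAMPLE_LOG = """\
2010-09-08 08:41:02 7040 The start type of the avg9wd service was changed from auto start to disabled.
2010-09-08 08:41:05 7036 The AVG Free WatchDog service entered the stopped state.
2010-09-08 08:41:30 7040 The start type of the Spooler service was changed from auto start to demand start.
2010-09-08 08:42:10 7040 The start type of the avg9emc service was changed from auto start to disabled.
"""

# Service names a defender wants to watch; taken from the thread above.
WATCHED_SERVICES = {"avg9wd", "avg9emc"}

# Assumed line layout: "<date> <time> <event id> <message>".
EVENT_7040 = re.compile(
    r"^(?P<ts>\S+ \S+) 7040 The start type of the (?P<svc>.+?) service "
    r"was changed from (?P<old>.+?) to (?P<new>.+?)\.$"
)


def find_disabled_watched_services(log_text, watched=WATCHED_SERVICES):
    """Return (timestamp, service, previous start type) for every watched
    service whose start type was changed to 'disabled'."""
    watched_lower = {name.lower() for name in watched}
    hits = []
    for line in log_text.splitlines():
        m = EVENT_7040.match(line)
        if m is None:
            continue  # not a 7040 start-type change event
        if m["new"].lower() != "disabled":
            continue  # change to some other start type; not the pattern of interest
        if m["svc"].lower() in watched_lower:
            hits.append((m["ts"], m["svc"], m["old"]))
    return hits


if __name__ == "__main__":
    for ts, svc, old in find_disabled_watched_services(SAMPLE_LOG):
        print(f"{ts}: watched service {svc} set to disabled (was {old})")
```

A 7040 to disabled on a protection service, followed shortly by a 7036 stopped-state event, is the sequence this thread describes and is worth alerting on.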
