@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Scope and value
The post (Christopher Paschen, Oct 16, 2025) explains Windows Service Triggers—conditions that start services—and shows how red/blue teams can enumerate and activate them with little or no code. This matters because low-privileged users can indirectly start high-privileged built-in services (e.g., RemoteRegistry, WebClient, EFS), expanding attack surface when SERVICE_START rights are not granted.

Enumerating service triggers
sc.exe...

🔧 Technical Details

Named pipe trigger to start privileged services: If a service has a Network Endpoint (Named Pipe) trigger, any client connection attempt to \\.\pipe\<PipeName> will start it—even if it isn’t already listening. Low‑priv users can attempt a pipe open (e.g., CreateFile) to force a high‑priv service to start and then interact with it.

RPC endpoint trigger via Endpoint Mapper: Requesting the EPM for a target interface UUID causes the SCM to start the associated service so it can register its endpoint, after which the client connects. An RPC interface lookup alone can therefore boot a privileged service.

ETW‑based start (WebClient example): Services can auto‑start when specific ETW provider events are emitted. For WebClient, the provider {22B6D684‑FA63‑4578‑87C9‑EFFCBE6643C7} (Microsoft‑Windows‑WebdavClient‑LookupServiceTrigger) starts the service upon matching events. Absent extra filters, any event from...

🤖 Agent Actions

I analyzed the TrustedSec post and HackTricks and found there was no dedicated coverage of Windows Service Triggers (enumeration and activation). I added a new page and linked it from the right places.

What I updated/added:

  • Created a new page covering Service Triggers

    • Path: src/windows-hardening/windows-local-privilege-escalation/service-triggers.md
    • Content includes:
      • Enumeration: sc.exe qtriggerinfo, Registry TriggerInfo, QueryServiceConfig2(SERVICE_CONFIG_TRIGGER_INFO), remote MS-SCMR (Titanis)
      • High-value triggers and activation:
        • Network Endpoint triggers:
          • Named pipe: simple PowerShell client to open \\.\pipe\<PipeName>
          • RPC EPM: Impacket rpcdump.py -uuid @127.0.0.1
        • ETW-based triggers (WebClient example provider GUID and logman verification)
        • Group Policy: gpupdate /force
        • IP address: netsh interface disable/enable
        • Device interface arrival
        • Domain join/leave boot semantics
        • WNF trigger type (undocumented)
        • Aggregate triggers (HKLM\SYSTEM\CurrentControlSet\Control\ServiceAggregatedEvents)
        • Firewall Port Event quirks/DoS risk
      • Quick command recap, detection/hardening notes
      • Related section linking to Named Pipe Client Impersonation page
      • References (TrustedSec blog, Microsoft docs, Titanis, BOF sample)
  • Linked the new page from Windows LPE README under the Services section

    • File: src/windows-hardening/windows-local-privilege-escalation/README.md
    • Added a short intro to Service Triggers with a {{#ref}} link to the new page
  • Added Service Triggers to the Windows LPE checklist

    • File: src/windows-hardening/checklist-windows-privilege-escalation.md
    • New checklist bullet under Services: “Service Triggers: enumerate and trigger privileged services” linking to the new page
  • Cross-linked from Named Pipe Client Impersonation page to Service Triggers page

    • File: src/windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.md
    • Added a reference to the new service-triggers.md near the existing “from-high-integrity-to-system-with-name-pipes.md” link

References added at the end of the new page:

  • TrustedSec blog URL
  • Microsoft QueryServiceConfig2 documentation
  • MS-SCMR specification page for the trigger info call
  • TrustedSec Titanis repo
  • TrustedSec BOF example for qtriggerinfo

No other existing HackTricks pages covered enumeration/activation of Service Triggers (qtriggerinfo/TriggerInfo/WNF/ETW/Aggregate), so a new focused page was necessary, with proper cross-links into the Services section and related Named Pipe impersonation content.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
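
For defenders reviewing the trigger types listed in this PR, the following added example (not part of the PR, the HackTricks page, or the TrustedSec post) inventories trigger-started services from the registry TriggerInfo keys and shows which account each one runs as. It assumes the usual layout of numbered subkeys under `TriggerInfo` holding `Type`, `Action`, `GUID` and `DataN`/`DataTypeN` values, and uses the trigger type and subtype constants from `winsvc.h`.

```powershell
# Added example: list services that a trigger can start, from each service's TriggerInfo key.
# Numeric keys are the SERVICE_TRIGGER_TYPE_* constants from winsvc.h.
$TriggerType = @{
    1 = 'DeviceInterfaceArrival'; 2 = 'IpAddressAvailability'; 3 = 'DomainJoin'
    4 = 'FirewallPortEvent';      5 = 'GroupPolicy';           6 = 'NetworkEndpoint'
    7 = 'CustomSystemStateChange (WNF)'; 20 = 'Custom (ETW)';  30 = 'Aggregate'
}
# Network endpoint subtypes: NAMED_PIPE_EVENT_GUID and RPC_INTERFACE_EVENT_GUID.
$Subtype = @{
    '1f81d131-3fac-4537-9e0c-7e7b0c2f4b55' = 'NamedPipe'
    'bc90d167-9470-4139-a9ba-be0bbbf5b74d' = 'RpcInterface'
}
$StartType = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

$report = foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    try { $ti = $svc.OpenSubKey('TriggerInfo') } catch { continue }   # key ACL may deny read
    if ($null -eq $ti) { continue }
    foreach ($index in $ti.GetSubKeyNames()) {
        $t = $ti.OpenSubKey($index)
        $guidBytes = $t.GetValue('GUID')
        $guid = if ($guidBytes -is [byte[]] -and $guidBytes.Length -eq 16) {
            ([guid]::new([byte[]]$guidBytes)).ToString()
        }
        # DataN holds the pipe name, interface UUID, port, etc.; DataTypeN 2 means string (UTF-16LE).
        $data = foreach ($name in ($t.GetValueNames() | Where-Object { $_ -match '^Data\d+$' })) {
            $raw = $t.GetValue($name)
            if ($raw -isnot [byte[]]) { continue }
            if ($t.GetValue(($name -replace '^Data', 'DataType')) -eq 2) {
                [Text.Encoding]::Unicode.GetString($raw).Trim([char]0)
            } else {
                [BitConverter]::ToString($raw)
            }
        }
        [pscustomobject]@{
            Service   = $svc.PSChildName
            Account   = $svc.GetValue('ObjectName')
            StartType = $StartType[[int]$svc.GetValue('Start', -1)]
            Action    = if ($t.GetValue('Action') -eq 1) { 'Start' } else { 'Stop' }
            Trigger   = $TriggerType[[int]$t.GetValue('Type', 0)]
            Subtype   = if ($guid -and $Subtype.ContainsKey($guid)) { $Subtype[$guid] } else { $guid }
            Data      = $data -join '; '
        }
    }
}
# Start triggers on services that are not disabled are the ones to review first.
$report | Where-Object { $_.Action -eq 'Start' -and $_.StartType -ne 'Disabled' } |
    Sort-Object Trigger, Service | Format-Table -AutoSize -Wrap
```

Rows showing `NetworkEndpoint` or `Custom (ETW)` for a service running as LocalSystem are the cases the summary above describes; setting an unneeded service to Disabled takes it out of this list.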

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://trustedsec.com/blog/theres-more-than-one-way-to-trigger-a-windows-service

Content Categories: Based on the analysis, this content was categorized under "Windows -> Privilege Escalation -> Abusing Services -> Service Triggers (enumeration and abuse via named pipes, RPC EPM, ETW, WNF, Aggregate triggers)".

Repository Maintenance:

  • MD Files Formatting: 902 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit 07dfb17 into master Oct 25, 2025
@carlospolop carlospolop deleted the update_There_s_More_than_One_Way_to_Trigger_a_Windows_Ser_20251016_183358 branch October 25, 2025 23:08