Overview
Windows services can be configured with recovery actions that execute when the service fails. If you can modify a service’s recovery settings, you can make it run arbitrary commands as SYSTEM on failure.Check Current Recovery Config
Recovery Action Types
| Action | Description |
|---|---|
restart | Restart the service |
reboot | Reboot the machine |
run | Run a command/program |
Exploit — Set Recovery to Run Command
Requirements
SERVICE_CHANGE_CONFIGpermission on the service- Or membership in a group that can manage the service
Check Permissions
Set Malicious Recovery Action
| Parameter | Meaning |
|---|---|
reset= 0 | Reset failure count after 0 seconds |
actions= run/0/run/0/run/0 | Run command on 1st, 2nd, 3rd failure (0ms delay) |
command= | Command to execute on failure |
Trigger Failure
Stop the service (causes failure on restart attempt):Add Admin User on Failure
SUID Bash on Failure
PowerShell — Modify Recovery
Find Services with Existing Recovery Commands
Quick Reference
| Step | Command |
|---|---|
| Check permissions | accesschk.exe -ucqv "Users" ServiceName |
| Set recovery action | sc failure ServiceName reset= 0 actions= run/0 command= "cmd" |
| Trigger failure | sc stop ServiceName or taskkill /f /pid PID |
| Find existing commands | Loop through services with sc qfailure |