Hackerman's Hacking Tutorials

The knowledge of anything, since all things have causes, is not acquired or complete unless it is known by its causes. - Avicenna

Oct 8, 2017 - 4 minute read - Thick Client Proxying Windows Service

Thick Client Proxying - Part 8 - Notes on Proxying Windows Services

These are my notes about proxying Windows services, which are run from a different account (usually LocalSystem).

Proxy settings are usually configured per user and are not applicable to Windows services.

If you have to proxy a Windows service, here are some of the things you can try (and hope they work).

There are also some issues when using netsh to set WinHTTP proxies for 32-bit applications on Windows 7 64-bit.

Some Background Knowledge

Traditional Techniques or "Try These Anyways"

These are things that usually work for most Windows applications.

WinINET or Internet Explorer Proxy Settings

Usually called the Internet Explorer proxy settings. These usually work for most proxy-aware applications.

Shortcut: control inetcpl.cpl,,4

WinHTTP Proxy Settings

WinHTTP proxy settings are generally the ones Windows services use. You can either set specific proxies or tell it to import IE proxy settings (see above).

Run in admin command prompt:

  • Use IE: netsh winhttp import proxy source=ie. Note: You need to set WinINET settings before this command. This command uses a snapshot of IE settings and imports them. If you change IE settings after, it will not get updated and you have to run it again.
  • Set proxy: netsh winhttp set proxy proxy-server="http=localhost:8080;https=localhost:8443" bypass-list="*.whatever.com;localhost".
  • Reset proxy: netsh winhttp reset proxy.

More info: MSDN - Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP)

Location in registry:

  • 64-bit:

    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings

      • You will see something like this:
      0000  28 00 00 00 00 00 00 00 03 00 00 00 28 00 00 00  |(...........(...|
      0010  68 74 74 70 3d 6c 6f 63 61 6c 68 6f 73 74 3a 38  |http=localhost:8|
      0020  30 38 30 3b 68 74 74 70 73 3d 6c 6f 63 61 6c 68  |080;https=localh|
      0030  6f 73 74 3a 38 34 34 33 18 00 00 00 2a 2e 77 68  |ost:8443....*.wh|
      0040  61 74 65 76 65 72 2e 63 6f 6d 3b 6c 6f 63 61 6c  |atever.com;local|
      0050  68 6f 73 74                                      |host|
      
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

  • 32-bit:

    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

netsh winhttp for 32-bit Processes on Windows 7 64-bit

Due to the way 32-bit emulation works, 32-bit processes have their own registry and "system32":

  • registry hive: hive\Software\Wow6432Node. E.g. HKCU\Software\Wow6432Node\Microsoft\Windows
  • system32: %WINDIR%\SysWOW64. E.g. C:\windows\SysWOW64

On Windows 7, when you use netsh to write WinHTTP proxy settings, only the 64-bit registry keys are changed. For 32-bit apps you need to explicitly run %WINDIR%\SysWOW64\netsh.exe.

# change winhttp proxy setting
C:\>netsh winhttp import proxy source=ie

Current WinHTTP proxy settings:

    Proxy Server(s) :  localhost:8100
    Bypass List     :  (none)

# not modified for 32-bit applications
C:\>c:\Windows\SysWOW64\netsh.exe winhttp show proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

Presumably this has been fixed for later versions of Windows, but double-check to be sure.
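
An added example (not from the original post) that decodes the WinHttpSettings value shown in the registry section and compares the 64-bit and Wow6432Node copies, which is the mismatch the netsh transcript above demonstrates. The field layout is inferred from the dump on this page and is an assumption, not documented behaviour; DIRECT_SAMPLE, its flags value and all function names are constructed for illustration.

```python
import struct

# The bytes of the dump above, rebuilt field by field (0x54 bytes in total).
PAGE_DUMP = (struct.pack("<3I", 0x28, 0, 3)
             + struct.pack("<I", 40) + b"http=localhost:8080;https=localhost:8443"
             + struct.pack("<I", 24) + b"*.whatever.com;localhost")
# Constructed sample: same layout with empty strings, standing in for a
# 32-bit view that still shows "Direct access". flags=1 is an assumption.
DIRECT_SAMPLE = struct.pack("<5I", 0x28, 0, 1, 0, 0)

def _read_lp_string(blob, off):
    """Read a little-endian DWORD length followed by that many ASCII bytes."""
    if off + 4 > len(blob):
        raise ValueError(f"truncated length field at offset {off:#x}")
    (n,) = struct.unpack_from("<I", blob, off)
    end = off + 4 + n
    if end > len(blob):
        raise ValueError(f"string at {off:#x} runs past end of value")
    return blob[off + 4:end].decode("ascii"), end

def parse_winhttp_settings(blob):
    """Decode a WinHttpSettings REG_BINARY value into a dict."""
    if len(blob) < 12:
        raise ValueError("value too short for the 12-byte header")
    # The first two DWORDs are kept raw; their meaning is not interpreted here.
    _header, _counter, flags = struct.unpack_from("<3I", blob, 0)
    proxy, off = _read_lp_string(blob, 12)
    bypass, off = _read_lp_string(blob, off)
    return {"flags": flags, "proxy": proxy or None,
            "bypass": bypass.split(";") if bypass else []}

def compare_views(native_blob, wow64_blob):
    """List the fields that differ between the 64-bit and Wow6432Node values."""
    a, b = parse_winhttp_settings(native_blob), parse_winhttp_settings(wow64_blob)
    return [f"{k}: 64-bit={a[k]!r} 32-bit={b[k]!r}"
            for k in ("proxy", "bypass") if a[k] != b[k]]

if __name__ == "__main__":
    # On Windows, read both values with winreg, opening the Connections key
    # with KEY_WOW64_64KEY and then KEY_WOW64_32KEY; here the samples are used.
    print(parse_winhttp_settings(PAGE_DUMP))
    for line in compare_views(PAGE_DUMP, DIRECT_SAMPLE):
        print("MISMATCH", line)
```
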

Run the Service Executable Manually

This might help bring it under your "jurisdiction" and thus your proxy settings will apply. By default each user has their own proxy settings.

You can use Process Explorer or Process Monitor or other tools to discover the parameters to run the service (if any).

Disable Per-User WinINET Proxy Settings

By default these settings are per-user. To disable that, set the following registry key to 0:

  • HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser

But after this change you will need admin access to modify proxy settings.

.NET Config File

See detailed info in part 7

.NET applications can read settings from config files. This is an XML file named applicationName.exe.config.

Add these settings (the configuration element is already present in existing config files):

<configuration>
  <system.net>
    <defaultProxy>
      <!-- usesystemdefault: use IE proxy settings -->
      <!-- proxyaddress: remember to keep "http://" here -->
      <proxy
        usesystemdefault="true"
        proxyaddress="http://192.168.1.10:3128"
        bypassonlocal="true"
      />
      <bypasslist>
        <add address="[a-z]+\.contoso\.com" />
      </bypasslist>
    </defaultProxy>
  </system.net>
</configuration>

Note usesystemdefault and proxyaddress are mutually exclusive.

  • Keep http:// in the proxy address even if you are using an HTTPS proxy like Burp. It will still proxy TLS.
  • Often usesystemdefault does not work because your user and the user running the service are different and have their own proxy settings. Running the service binary manually may help.

Use tools like Process Monitor to detect if the application is looking for this or any other config file.

.NET Framework Machine Configuration File

You can use a similar config file for the entire machine, meaning any application running via that .NET framework will use those settings.

Location is %WINDIR%\Microsoft.NET\Framework|Framework64\[version]\Config\machine.config.

Note that you need to change the config for both 32 and 64-bit frameworks (Framework|Framework64) and each version (e.g. 2, 3 or 4) separately.

For example for 64-bit .NET Framework 4.x (anything 4.x is under 4):

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config

To learn more about the config file (which is really recommended) see file machine.config.comments in the same location. It has comments and examples.
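
An added example (not from the original post) that checks the defaultProxy block described in the ".NET Config File" section and walks every Framework and Framework64 version directory, so a machine.config that was missed shows up. SAMPLE_CONFIG is constructed, and the function names and finding texts are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: both attributes set and the scheme left off, the two
# mistakes the notes above warn about.
SAMPLE_CONFIG = rb"""<configuration>
  <system.net>
    <defaultProxy>
      <proxy usesystemdefault="true" proxyaddress="192.168.1.10:3128" />
      <bypasslist><add address="[a-z]+\.contoso\.com" /></bypasslist>
    </defaultProxy>
  </system.net>
</configuration>"""

def audit_default_proxy(xml_bytes):
    """Return (settings, findings); settings is None without a <proxy> element."""
    root = ET.fromstring(xml_bytes)
    for default_proxy in root.iter("defaultProxy"):
        proxy = default_proxy.find("proxy")
        if proxy is None:
            continue
        addr = proxy.get("proxyaddress")
        use_system = (proxy.get("usesystemdefault") or "").lower() == "true"
        findings = []
        if addr and use_system:
            findings.append("usesystemdefault and proxyaddress are both set")
        if addr and not addr.lower().startswith("http://"):
            findings.append("proxyaddress is missing the http:// prefix")
        bypass = [a.get("address") for a in default_proxy.findall("bypasslist/add")]
        return {"proxyaddress": addr, "usesystemdefault": use_system,
                "bypass": bypass}, findings
    return None, []

def scan_machine_configs(dotnet_root):
    """Audit machine.config in every Framework/Framework64 version directory."""
    root = Path(dotnet_root)
    report = {}
    for cfg in sorted(root.glob("Framework*/v*/Config/machine.config")):
        report[cfg.relative_to(root).as_posix()] = audit_default_proxy(cfg.read_bytes())
    return report

if __name__ == "__main__":
    import os
    windir = os.environ.get("WINDIR", r"C:\Windows")
    for path, (settings, findings) in scan_machine_configs(
            Path(windir) / "Microsoft.NET").items():
        print(path, settings, findings)
```
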