Process
sc.exe
sc.exe is the Service Control utility, the command-line front end to the Windows Service Control Manager. Administrators use it to create, configure, start, stop, query, and delete services and drivers, locally or on remote machines. The same commands let attackers install services for persistence, run code as SYSTEM, load drivers, and stop defenses.
File identity
Not observed.
Execution context
Not observed.
Ancestry
Not observed.
Behavior
Not observed.
- sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice
  ADS · Execute binary file hidden inside an alternate data stream
- sc config {ExistingServiceName} binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start {ExistingServiceName}
  ADS · Execute binary file hidden inside an alternate data stream
Indicators
Not observed.
Analysis
sc.exe talks to the Service Control Manager, the services.exe process, to manage services and device drivers. Common verbs are sc create, sc config, sc start, sc stop, sc query, sc qc, and sc delete. It can also target another machine by prefixing a UNC server name, as in sc \\host create ..., which manages services remotely. The genuine binary lives at C:\Windows\System32\sc.exe. Its create syntax is distinctive: a space must follow each =, for example binpath= C:\path start= auto.
Legitimately, sc is run by administrators and software installers to set up and control services, usually in a clear maintenance or install context. Which service it touches and how it configures that service, both visible on the command line, are what give an instance meaning.
sc.exe is a standard way to plant service persistence and escalate (T1543.003). sc create <name> binpath= "C:\..." start= auto registers a service the SCM launches as SYSTEM, automatically at boot. The same verb loads drivers: sc create type= kernel is the route used to load malicious or vulnerable signed drivers (bring-your-own-vulnerable-driver). A service binary in a user-writable directory, or one that is cmd.exe or powershell.exe, points to abuse rather than a real install.
Pointed at a remote host, sc becomes lateral movement (T1569.002). sc \\target create followed by sc \\target start creates and runs a service on another machine using current or supplied credentials, the same mechanism PsExec automates. Remote service creation immediately followed by a start is a recognizable cross-network execution pattern.
sc is also used to shut defenses down (T1489). sc stop and sc config start= disabled turn off or permanently disable security tools and, in ransomware, database and backup services before encryption. sc aimed at an AV, EDR, or backup service is high-signal. Because every one of these is a legitimate administrative action, the service name, the binpath, the target host, and the parent are what separate administration from abuse.
- Image path other than C:\Windows\System32\sc.exe (high)
- sc create with binpath= pointing to a user-writable or unusual path (high)
- sc create with type= kernel (loading a driver) (high)
- A remote target, such as sc \\host create or sc \\host start (high)
- sc stop or sc config start= disabled against a security or backup service (high)
- binpath= invoking cmd.exe or powershell.exe directly (high)
- Parent is an Office application, a script host, or an unfamiliar process (high)
Telemetry
Not observed.