I'm trying to understand the difference between how things are executed when running under a NT_AUTHORITY LOCAL SERVICE account that run on startup, vs by the user. I have an executable that spawns a child process running rundll32.exe <SOME DLL NAME HERE>
. When I run the exe as a user, or from cli, the DLL is loaded by rundll32.exe and everything works just fine (I'm having it just open calc.exe as an experiment). However, when I restart my machine and the exe is started up by a service, I see in Process Explorer that rundll32.exe is running, with all of the same arguments that I would expect it to spawn, but the results aren't the same, there's no calc.exe process that gets created as a result of the dll being run. What are some things that I need to understand in order to figure out how this is working? And what are some other ways that I can experiment with loading an exe/dll from a service that executes a child process in the same way that a user or cli would?
Edit:
Likewise, I have another exe that I've created that loads a DLL directly (not spawning rundll32.exe and loading it like the above example), and when I click it as a user to run it, the exe loads the DLL and spawns calc.exe. But when the same exe is run from a service, no calc.exe is spawned.