Enumerate
Commands
tasklist /svc
Display running services.
tasklist /svc /fi "imagename eq svchost.exe"
Finds only processes that are svchost.exe and associated services.
tasklist /svc /fi "services eq dnscache"
List the process responsible for a service (DNS Client Service in this case).
tasklist /V /FI "MODULES eq mswsock.dll"
List all processes associated with the Windows Socket DLL.
net start
View a list of running services.
net start | find /v /c ""
Count running services (the total also includes the header and footer lines that net start prints).
sc query [ServiceName]
Configuration & status info.
sc queryex state= all
Shows extended information for all services.
sc enumdepend [ServiceName]
Displays service dependencies.
sc enumdepend tapisrv
List the local services that will not run unless the TAPISRV service is running.
sc enumdepend rpcss 6971
List services that depend on RPCSS service, and specify buffer size of 6,971 bytes.
sc qc lanmanworkstation
View the services the "Workstation" service depends upon.
sc qc w32time
Gets the configuration properties of the named service, including its executable path.
sc getdisplayname "Scheduler"
Gets DisplayName from the KeyName.
sc getkeyname "Task Scheduler"
Gets KeyName from the DisplayName.
Get-Service
PS - Get service listing.
Get-Service | Where-Object {$_.Status -eq "Stopped"}
Show stopped services.
Get-Service | where Status -eq "Stopped"
Show stopped services.
Get-Service -ComputerName <ComputerName>
Retrieves the status of services on a specified remote computer.
Get-CimInstance -ClassName Win32_Service
Retrieves service objects using CIM.
Get-WmiObject Win32_Service
Retrieves service objects using WMI.
wmic service Name get pathname
Service cmdline.
wmic service list brief
All services with brief details.
wmic service where "state='running'" get name, displayname
Running services with select properties.
wmic service get name,displayname,startmode,pathname
Services and select properties.
sc enumdepend lanmanworkstation
View the services that depend upon the "Workstation" service.
Check services for exe:
Get all services whose Display Name starts with Windows*. This is the display (human-readable) name, not the actual name of the service.
Allows you to access extended properties such as Description of the service.
Finds the description of the service "wuauserv" if -ExpandProperty does not work.
Get cmdline of service or Verbose (/s):
Query service by name and show the cmdline:
Shows what processes are linked to services:
Filter off of service state:
Shows services set to bootstart (1).
1 = bootstart, these will be unfamiliar services most likely.
2 = autostart (delayed), which will be services you are more familiar with.
This is a good command to run to make sure that services are running the correct processes.
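A check of this kind, as an added example (not the original page's command): it joins Win32_Service to Win32_Process on ProcessId and flags running services whose process image differs from the configured PathName. The names Get-ServiceExe, $procs and $report and the path-parsing regexes are this example's own assumptions.

```powershell
# Added example (not from the original page). Run elevated so ExecutablePath is populated.
# Index running processes by PID.
$procs = @{}
Get-CimInstance -ClassName Win32_Process |
    ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

# Pull the executable out of a service PathName such as
#   "C:\Program Files\App\svc.exe" -run   or   C:\Windows\system32\svchost.exe -k netsvcs
function Get-ServiceExe([string]$PathName) {
    if ($PathName -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($PathName -match '^\s*(.+?\.exe)(\s|$)') { $exe = $Matches[1] }
    else { return $null }
    [Environment]::ExpandEnvironmentVariables($exe)
}

$report = Get-CimInstance -ClassName Win32_Service -Filter "State='Running'" |
    ForEach-Object {
        $p        = $procs[[int]$_.ProcessId]
        $expected = Get-ServiceExe $_.PathName
        $actual   = if ($p) { $p.ExecutablePath } else { $null }

        # A missing value on either side means the pair could not be verified.
        if (-not $expected -or -not $actual) { $status = 'Unverified' }
        elseif ($expected -ieq $actual)      { $status = 'Match' }
        else                                 { $status = 'MISMATCH' }

        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            ProcessId = $_.ProcessId
            Status    = $status
            Expected  = $expected
            Actual    = $actual
        }
    }

# Review anything that is not a clean match first.
$report | Where-Object Status -ne 'Match' |
    Sort-Object Status, Name |
    Format-Table Name, ProcessId, StartMode, Status, Expected, Actual -AutoSize -Wrap
```

A MISMATCH row is a lead to review rather than a verdict: short (8.3) path forms and unusual PathName quoting can differ from the process image path without anything being wrong.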
This is how to list DLLs that specific programs are loading. Only works on running programs.
By Name (use the name used in the process list):
By Process ID:
Remote
sc \\xp.ops.local query type= service
Remote query
sc \\xp.ops.local getkeyname "Windows Firewall/Internet Connection Sharing (ICS)"
Returns keyname of "sharedaccess"
sc \\xp.ops.local query sharedaccess
Returns Description and Status of the Windows "Security Center" service
Creates 1-to-1 Temporary Session:
Running a Temporary Session as a Job:
Running a Temporary Session as a Job:
Displays the job's Results:
-> don't forget winrm quickconfig -q
if using PS3+ for PSSession/CIMSession Remote
Create CimSession or PSSession:
Get running services on Win10, pipe the CimInstance in:
Get service status:
Start service:
Remote For PS3 -> PS2
Registry Locations