Enumerate

Commands

tasklist /svc

Display running services.

tasklist /svc /fi "imagename eq svchost.exe"

Finds only processes that are svchost.exe and associated services.

tasklist /svc /fi "services eq dnscache"

List Process responsible for a service (DNS Client Service in this case).

tasklist /V /FI "MODULES eq mswsock.dll"

List all process associated with the Windows Socket DLL.

net start

View a list of running services.

net start ^ | find /v /c

Count services.

sc query [ServiceName]

Configuration & status info.

sc queryex state=all

Shows extended information for all services.

sc enumdepend [ServiceName]

Displays service dependencies.

sc enumdepend tapisrv

List the local services that will not run unless the TAPISRV service is running.

sc enumdepend rpcss 6971

List services that depend on RPCSS service, and specify buffer size of 6,971 bytes.

sc qc lanmanworkstation

View the services the "Workstation" service depends upon.

sc qc w32time

Gets properties of ServiceName. Shows exes.

sc getdisplayname "Scheduler"

Gets DisplayName from the KeyName.

sc getkeyname "Task Scheduler"

Gets KeyName from the DisplayName.

Get-Service

PS - Get service listing.

Get-Service | Where-Object {$_.Status -eq "Stopped"}

Show stopped services.

Get-Service | where Status -eq "Stopped"

Show stopped services.

Get-Service -ComputerName <ComputerName>

Retrieves the status of services on a specified remote computer.

Get-CimInstance -ClassName Win32_Service

Services.

Get-WmiObject Win32_Service

Retrieves service objects using WMI.

wmic service Name get pathname

Service cmdline.

wmic service list brief

All services with brief details.

wmic service where "state='running'" get name, displayname

Running services with select properties.

wmic service get name,displayname,startmode,pathname

Services and select properties.

service* sc enumdepend lanmanworkstation

View the services that depend upon the "Workstation" service.

Check services for exe:

reg query "HKLM\System\CurrentControlSet\Services" /s | find /I "nc.exe"

Get all services that the Display Name starts with Windows*. This is not the actual name of the service. The Display (Human Readable) name.

Get-Service -DisplayName 'Windows*'

Allows you to access extended properties such as Description of the service.

Get-Service -Name wuauserv | Select-Object -ExpandProperty Description

Finds the description of a service "wuauserv" if -ExpandedProperty does not work.

Get-CimInstance win32_service | ?{$_.NAME -match "wuauserv"} | select Description

Get cmdline of service or Verbose (/s):

reg query "HKLM\System\CurrentControlSet\Services\<Name>" /v "ImagePath"
reg query "HKLM\System\CurrentControlSet\Services\<Name> /s

Query service by name and show the cmdline:

$service = get-wmiobject -query 'select * from win32_service where name="Name"'; echo $service.pathname

Shows what processes are linked to services:

get-ciminstance -namespace root/cimv2 -classname Win32_service | select-object displayname,state,processid

Filter off of service state:

get-ciminstance -namespace root/cimv2 -classname Win32_service | where-object {$_.state -eq "running"} | select-object displayname,state,processid

Shows services set to bootstart (1).

1 = bootstart, these will be unfamiliar services most likely.

2 = autostart (delayed), which will be services you are more familiar with.

get-itemproperty HKML:\system\currentcontrolset\services* | where-object {$_.start -eq 1} | select description,imagepath,pschildname | format-list

This is a good command to run to make sure that services are running the correct processes.

This is how to list DLLs that specific programs are loading. Only works on running programs.

By Name (use the name used in the process list):

get-process | where-object {$_.name -eq "cmd"} | select-object -ExpandProperty modules | select-object filename

By Process ID:

get-process | where-object {$_.id -eq 5648} | select-object -ExpandProperty modules | select-object filename

Remote

sc \\xp.ops.local query type=service

Remote query

sc \\xp.ops.local getkeyname "Windows Firewall/Internet Connection Sharing (ICS)"

Returns keyname of "sharedaccess"

sc \\xp.ops.local query sharedaccess

Returns Description and Status of the Windows "Security Center" service

Creates 1-to-1 Temporary Session:

Invoke-Command -ComputerName File-Server {Get-Service}

Running a Temporary Session as a Job:

Invoke-Command -ComputerName File-Server,Domain-Controll,Workstation2 {Get-Service} -asjob

Running a Temporary Session as a Job:

Invoke-Command -ComputerName File-Server,Domain-Controll,Workstation2 {Get-Service} -asjob

Displays the job's Results:

Receive-Job <job #>

-> don't forget winrm quickconfig -q if using PS3+ for PSSession/CIMSession Remote

get-ciminstance -classname win32_service -filter "state like 'running'" | select name

Create CimSession or PSSession:

$c = New-CimSession -ComputerName win10 -Credential barney

Get running services on Win10, pipe the CimInstance in:

$c | Get-CimInstance -ClassName Win32_Service -filter "State like 'Running'

Get service status:

Get-CimInstance Win32_Service -Filter "Name='Spooler'" -CimSession $c | Selectlogging Name,State

Start service:

Get-CimInstance Win32_Service -Filter "Name='Spooler'" -CimSession $c | Invoke-CimMethod -Name StartService

Remote For PS3 -> PS2

$dopt = New-CimSessionOption -Protocol Dcom
$d = New-CimSession -ComputerName win7 -Credential fred -SessionOption $dopt
$d | Get-CimInstance -ClassName Win32_Service -filter "State like 'Running'"

Registry Locations

PreviousServicesNextModify

Last updated

Was this helpful?