# Enumerate ## Commands

Command	Description
`tasklist /svc`	Display running services.
`tasklist /svc /fi "imagename eq svchost.exe"`	Finds only processes that are svchost.exe and associated services.
`tasklist /svc /fi "services eq dnscache"`	List Process responsible for a service (DNS Client Service in this case).
`tasklist /V /FI "MODULES eq mswsock.dll"`	List all process associated with the Windows Socket DLL.
`net start`	View a list of running services.
`net start ^ \| find /v /c`	Count services.
`sc query [ServiceName]`	Configuration & status info.
`sc queryex state=all`	Shows extended information for all services.
`sc enumdepend [ServiceName]`	Displays service dependencies.
`sc enumdepend tapisrv`	List the local services that will not run unless the TAPISRV service is running.
`sc enumdepend rpcss 6971`	List services that depend on RPCSS service, and specify buffer size of 6,971 bytes.
`sc qc lanmanworkstation`	View the services the "Workstation" service depends upon.
`sc qc w32time`	Gets properties of ServiceName. Shows exes.
`sc getdisplayname "Scheduler"`	Gets DisplayName from the KeyName.
`sc getkeyname "Task Scheduler"`	Gets KeyName from the DisplayName.
`Get-Service`	PS - Get service listing.
`Get-Service \| Where-Object {$_.Status -eq "Stopped"}`	Show stopped services.
`Get-Service \| where Status -eq "Stopped"`	Show stopped services.
`Get-Service -ComputerName <ComputerName>`	Retrieves the status of services on a specified remote computer.
`Get-CimInstance -ClassName Win32_Service`	Services.
`Get-WmiObject Win32_Service`	Retrieves service objects using WMI.
`wmic service Name get pathname`	Service cmdline.
`wmic service list brief`	All services with brief details.
`wmic service where "state='running'" get name, displayname`	Running services with select properties.
`wmic service get name,displayname,startmode,pathname`	Services and select properties.
`service* sc enumdepend lanmanworkstation`	View the services that depend upon the "Workstation" service.

Check services for exe: ```powershell reg query "HKLM\System\CurrentControlSet\Services" /s | find /I "nc.exe" ``` Get all services that the Display Name starts with Windows\*. This is not the actual name of the service. The Display (Human Readable) name. ```powershell Get-Service -DisplayName 'Windows*' ``` Allows you to access extended properties such as Description of the service. ```powershell Get-Service -Name wuauserv | Select-Object -ExpandProperty Description ``` Finds the description of a service "wuauserv" if -ExpandedProperty does not work. ```powershell Get-CimInstance win32_service | ?{$_.NAME -match "wuauserv"} | select Description ``` Get cmdline of service or Verbose (/s): ```powershell reg query "HKLM\System\CurrentControlSet\Services\" /v "ImagePath" ``` ```powershell reg query "HKLM\System\CurrentControlSet\Services\ /s ``` Query service by name and show the cmdline: ```powershell $service = get-wmiobject -query 'select * from win32_service where name="Name"'; echo $service.pathname ``` Shows what processes are linked to services: {% code overflow="wrap" %} ```powershell get-ciminstance -namespace root/cimv2 -classname Win32_service | select-object displayname,state,processid ``` {% endcode %} Filter off of service state: {% code overflow="wrap" %} ```powershell get-ciminstance -namespace root/cimv2 -classname Win32_service | where-object {$_.state -eq "running"} | select-object displayname,state,processid ``` {% endcode %} Shows services set to bootstart (**1**). **1** = **bootstart**, these will be unfamiliar services most likely. **2** = **autostart (delayed)**, which will be services you are more familiar with. {% code overflow="wrap" %} ```powershell get-itemproperty HKML:\system\currentcontrolset\services* | where-object {$_.start -eq 1} | select description,imagepath,pschildname | format-list ``` {% endcode %} This is a good command to run to make sure that services are running the correct processes. This is how to list DLLs that specific programs are loading. Only works on running programs. By Name (use the name used in the process list): {% code overflow="wrap" %} ```powershell get-process | where-object {$_.name -eq "cmd"} | select-object -ExpandProperty modules | select-object filename ``` {% endcode %} By Process ID: {% code overflow="wrap" %} ```powershell get-process | where-object {$_.id -eq 5648} | select-object -ExpandProperty modules | select-object filename ``` {% endcode %} ## Remote

Command	Description
`sc \\xp.ops.local query type=service`	Remote query
`sc \\xp.ops.local getkeyname "Windows Firewall/Internet Connection Sharing (ICS)"`	Returns keyname of "sharedaccess"
`sc \\xp.ops.local query sharedaccess`	Returns Description and Status of the Windows "Security Center" service

Creates 1-to-1 Temporary Session: ```powershell Invoke-Command -ComputerName File-Server {Get-Service} ``` Running a Temporary Session as a Job: ```powershell Invoke-Command -ComputerName File-Server,Domain-Controll,Workstation2 {Get-Service} -asjob ``` Running a Temporary Session as a Job: ```powershell Invoke-Command -ComputerName File-Server,Domain-Controll,Workstation2 {Get-Service} -asjob ``` Displays the job's Results: ```powershell Receive-Job ``` -> don't forget `winrm quickconfig -q` if using PS3+ for PSSession/CIMSession Remote ```powershell get-ciminstance -classname win32_service -filter "state like 'running'" | select name ``` Create CimSession or PSSession: ```powershell $c = New-CimSession -ComputerName win10 -Credential barney ``` Get running services on Win10, pipe the CimInstance in: ```powershell $c | Get-CimInstance -ClassName Win32_Service -filter "State like 'Running' ``` Get service status: ```powershell Get-CimInstance Win32_Service -Filter "Name='Spooler'" -CimSession $c | Selectlogging Name,State ``` Start service: ```powershell Get-CimInstance Win32_Service -Filter "Name='Spooler'" -CimSession $c | Invoke-CimMethod -Name StartService ``` ### Remote For PS3 -> PS2 ``` $dopt = New-CimSessionOption -Protocol Dcom $d = New-CimSession -ComputerName win7 -Credential fred -SessionOption $dopt $d | Get-CimInstance -ClassName Win32_Service -filter "State like 'Running'" ``` ## Registry Locations --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.shellspells.net/windows/system-ops/services/enumerate.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.