Enumerate
Commands
tasklist /svc
Lists running processes and the services hosted in each.
tasklist /svc /fi "imagename eq svchost.exe"
Shows only svchost.exe processes and the services each one hosts.
tasklist /svc /fi "services eq dnscache"
Lists the process hosting a given service (the DNS Client service, dnscache, in this case).
tasklist /V /FI "MODULES eq mswsock.dll"
Lists all processes that have loaded the Windows Sockets DLL (mswsock.dll).
net start
View a list of running services.
net start | find /v /c ""
Counts the lines of net start output, a rough service count (the header and footer lines are included in the total).
sc query [ServiceName]
Configuration & status info.
sc queryex state= all
Shows extended information for all services.
sc enumdepend [ServiceName]
Displays service dependencies.
sc enumdepend tapisrv
List the local services that will not run unless the TAPISRV service is running.
sc enumdepend rpcss 6971
List services that depend on RPCSS service, and specify buffer size of 6,971 bytes.
sc qc lanmanworkstation
View the services the "Workstation" service depends upon.
sc qc w32time
Shows the configuration of the w32time service, including its executable (BINARY_PATH_NAME).
sc getdisplayname Schedule
Gets the DisplayName from the KeyName (the service name).
sc getkeyname "Task Scheduler"
Gets KeyName from the DisplayName.
Get-Service
PowerShell: list services.
Get-Service | Where-Object {$_.Status -eq "Stopped"}
Show stopped services.
Get-Service | where Status -eq "Stopped"
Show stopped services.
Get-Service -ComputerName <ComputerName>
Retrieves the status of services on a specified remote computer (Windows PowerShell 5.1 only; the parameter was removed in PowerShell 7, where CIM sessions are used instead).
Get-CimInstance -ClassName Win32_Service
Lists services via CIM (the current replacement for Get-WmiObject).
Get-WmiObject Win32_Service
Retrieves service objects using WMI (Windows PowerShell only; not available in PowerShell 7).
wmic service Name get pathname
Service executable paths (wmic is deprecated but still present on many systems).
wmic service list brief
All services with brief details.
wmic service where "state='running'" get name, displayname
Running services with select properties.
wmic service get name,displayname,startmode,pathname
Services and select properties.
sc enumdepend lanmanworkstation
View the services that depend upon the "Workstation" service.
Search every service's registry key for a given executable name (nc.exe here):
reg query "HKLM\System\CurrentControlSet\Services" /s | find /I "nc.exe"
Get all services whose display name starts with Windows*. This matches the display (human-readable) name, not the actual service name.
Get-Service -DisplayName 'Windows*'
Accesses extended properties such as the service's Description.
Get-Service -Name wuauserv | Select-Object -ExpandProperty Description
Finds the description of the service "wuauserv" if -ExpandProperty does not work.
Get-CimInstance win32_service | ?{$_.NAME -match "wuauserv"} | select Description
Get the command line (ImagePath) of a service, or its whole registry key with /s:
reg query "HKLM\System\CurrentControlSet\Services\<Name>" /v "ImagePath"
reg query "HKLM\System\CurrentControlSet\Services\<Name>" /s
Query a service by name and show its command line (replace Name with the service name):
$service = get-wmiobject -query 'select * from win32_service where name="Name"'; echo $service.pathname
Shows what processes are linked to services:
get-ciminstance -namespace root/cimv2 -classname Win32_service | select-object displayname,state,processid
Filter off of service state:
get-ciminstance -namespace root/cimv2 -classname Win32_service | where-object {$_.state -eq "running"} | select-object displayname,state,processid
Shows services whose Start value is 1 (bootstart).
1 = bootstart; these will most likely be unfamiliar services.
2 = autostart (delayed); these will be services you are more familiar with.
get-itemproperty HKLM:\system\currentcontrolset\services\* | where-object {$_.start -eq 1} | select description,imagepath,pschildname | format-list
This is a good command to run to make sure that services are running the correct processes.
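The check described above, written out as an added example (not part of the original cheat sheet): it resolves each running service's registry ImagePath to a bare executable path, compares it with the executable of the process that actually hosts the service, and flags binaries outside the usual system directories. It assumes a local run with rights to read process paths; all function names are this example's own.

```powershell
# Added example: cross-check running services against their hosting processes.

function Resolve-ServiceBinary {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    $p = $p -replace '^\\\?\?\\', ''                      # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot    # driver-style path
    if ($p.StartsWith('"')) {                            # "quoted path" args
        return $p.Substring(1, $p.IndexOf('"', 1) - 1)
    }
    # Unquoted: the executable ends at the first .exe/.sys/.dll token
    if ($p -match '^(.*?\.(exe|sys|dll))(\s|$)') { return $Matches[1] }
    return ($p -split '\s+')[0]
}

function Test-ServiceBinaries {
    # Directories a legitimate service binary is normally expected to live in
    $trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")
    # Map PID -> executable path once (Path is null where access is denied)
    $procPath = @{}
    Get-Process | ForEach-Object { $procPath[$_.Id] = $_.Path }

    Get-CimInstance Win32_Service -Filter "State='Running' AND ProcessId>0" |
    ForEach-Object {
        $reg = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)" -ErrorAction SilentlyContinue
        $bin = Resolve-ServiceBinary $reg.ImagePath
        $exe = $procPath[[int]$_.ProcessId]
        $flags = @()
        if (-not $bin) { $flags += 'no ImagePath in registry' }
        elseif ($exe -and $exe -ne $bin) { $flags += 'hosting process exe differs from ImagePath' }
        if ($bin -and -not ($trusted | Where-Object { $bin -like $_ })) {
            $flags += 'binary outside system/program directories'
        }
        [pscustomobject]@{
            Name = $_.Name; PID = $_.ProcessId
            ImagePath = $bin; ProcessExe = $exe; Flags = ($flags -join '; ')
        }
    } | Where-Object Flags   # only rows that raised a flag
}

Test-ServiceBinaries | Format-Table -AutoSize
```

Services hosted in svchost.exe resolve to the same svchost path on both sides and so do not raise the mismatch flag; a service whose process executable or ImagePath points elsewhere is what to look at first.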
This is how to list the DLLs a specific program has loaded. Only works on running programs.
By Name (use the name used in the process list):
get-process | where-object {$_.name -eq "cmd"} | select-object -ExpandProperty modules | select-object filename
By Process ID:
get-process | where-object {$_.id -eq 5648} | select-object -ExpandProperty modules | select-object filename
Remote
sc \\xp.ops.local query type= service
Remote query of all services on xp.ops.local.
sc \\xp.ops.local getkeyname "Windows Firewall/Internet Connection Sharing (ICS)"
Returns the key name "sharedaccess".
sc \\xp.ops.local query sharedaccess
Queries the status of the sharedaccess (Windows Firewall/ICS) service on the remote host.
Creates 1-to-1 Temporary Session:
Invoke-Command -ComputerName File-Server {Get-Service}
Running a Temporary Session as a Job:
Invoke-Command -ComputerName File-Server,Domain-Controll,Workstation2 {Get-Service} -asjob
Displays the job's Results:
Receive-Job <job #>
Remoting requires WinRM on the target: don't forget to run winrm quickconfig -q there first.
The following uses PSSession/CimSession remoting and requires PowerShell 3+ on both ends.
get-ciminstance -classname win32_service -filter "state like 'running'" | select name
Create CimSession or PSSession:
$c = New-CimSession -ComputerName win10 -Credential barney
Get running services on Win10, pipe the CimInstance in:
$c | Get-CimInstance -ClassName Win32_Service -filter "State like 'Running'"
Get service status:
Get-CimInstance Win32_Service -Filter "Name='Spooler'" -CimSession $c | Select-Object Name,State
Start service:
Get-CimInstance Win32_Service -Filter "Name='Spooler'" -CimSession $c | Invoke-CimMethod -Name StartService
Remote from PS3+ to a PS2 host: use CIM over DCOM, since CIM over WSMan needs PowerShell 3+ on the target.
$dopt = New-CimSessionOption -Protocol Dcom
$d = New-CimSession -ComputerName win7 -Credential fred -SessionOption $dopt
$d | Get-CimInstance -ClassName Win32_Service -filter "State like 'Running'"
Registry Locations