Service List

Overview

Evidence: Service List
Description: Enumerate Service List
Category: Persistence
Platform: Windows
Short Name: srvcpr
Is Parsed: Yes - Service registry data parsed with file information
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows Services are background processes that run without user interaction, often with SYSTEM privileges. Services are a common persistence mechanism for both legitimate software and malware.

Services are configured in the registry under HKLM\SYSTEM\CurrentControlSet\Services. Each service has an ImagePath, or for svchost-hosted services a ServiceDll, that specifies what code to execute.

Data Collected

Autoruns Services Table

Field | Description | Example
KeyPath | Registry key path | SYSTEM\CurrentControlSet\Services\MyService
LastWriteTime | Registry key last write time | 2023-10-15T14:30:00
EntryName | Service name | MyService
StartType | Service start type (0=Boot, 1=System, 2=Automatic, 3=Manual, 4=Disabled) | 2
SourcePath | Command line (ImagePath or ServiceDll) | C:\Windows\System32\svchost.exe -k netsvcs

The table also carries the file information columns for the main executable.

Autoruns Services Arguments Table

Field | Description | Example
AutorunsServicesRowID | Foreign key to the service entry | 1

The table also carries the file information columns for each argument file path.

Collection Method

This collector:

  • Enumerates all keys under HKLM\SYSTEM\CurrentControlSet\Services\*

  • Reads service configuration:

    • ImagePath - Path to service executable

    • ServiceDll (from Parameters subkey) - DLL for svchost-hosted services

    • Start - Service start type

    • Type - Service type (kernel driver, user-mode service, etc.)

    • WOW64 - Whether service is 32-bit

  • Parses command lines and extracts file paths

  • Resolves CLSID references if present

  • Handles both 32-bit and 64-bit registry views

Usage

Service enumeration is critical for detecting persistent threats and system compromises. Investigators use this data to identify malicious services, detect unauthorized service installations, track service configuration changes, identify suspicious service names, verify service executables and DLLs, detect DLL hijacking in svchost, and correlate services with process execution.

Known Limitations

  • Only captures configured services

  • Doesn't indicate if service is currently running

  • Service state changes frequently

  • Many legitimate services create noise

Notes

Pay attention to services with:

  • Unusual start types (boot/system start for non-drivers)

  • Services in non-standard locations

  • Services with suspicious names

  • Recently modified registry keys

  • Services referencing executables in temp directories
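The command-line parsing step from Collection Method and the review heuristics listed above, as an added example that is not part of the collector's own code. It works on constructed rows of the shape the collector records; the ServiceEntry class, the sample services and the assumption that the system drive is C: are mine, while the Type flags and Start values are the standard Windows ones.

```python
import re
from dataclasses import dataclass

# Registry "Type" flags that mark a driver; "Start" values as in the table above.
SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER = 0x1, 0x2
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files")  # assumes system drive C:

@dataclass
class ServiceEntry:  # one service as the collector records it (constructed shape)
    name: str
    image_path: str          # ImagePath value
    start: int               # Start value
    type: int                # Type value
    service_dll: str = None  # Parameters\ServiceDll, for svchost-hosted services

def extract_image(image_path: str) -> str:
    """Executable path from ImagePath: drop arguments, normalise driver-style prefixes."""
    s = image_path.strip()
    if s.startswith('"'):
        exe = s[1:s.index('"', 1)]
    else:  # unquoted: cut after the first .exe/.sys/.dll so spaces in the path survive
        m = re.search(r"\.(?:exe|sys|dll)\b", s, re.I)
        exe = s[:m.end()] if m else s.split()[0]
    exe = re.sub(r"^\\\?\?\\", "", exe)  # strip the \??\ NT prefix
    exe = re.sub(r"^(\\SystemRoot|%SystemRoot%|%windir%)", r"C:\\Windows", exe, flags=re.I)
    if re.match(r"system32\\", exe, re.I):  # relative driver path
        exe = "C:\\Windows\\" + exe
    return exe

def triage(svc: ServiceEntry) -> list:
    """Apply the review points from the Notes section to one entry."""
    findings = []
    is_driver = bool(svc.type & (SERVICE_KERNEL_DRIVER | SERVICE_FILE_SYSTEM_DRIVER))
    exe = extract_image(svc.image_path)
    target = (svc.service_dll or exe).lower()  # the code that actually runs
    if svc.start in (0, 1) and not is_driver:
        findings.append(f"{START_TYPES[svc.start]} start for non-driver")
    if re.search(r"\\(temp|tmp)\\", target):
        findings.append("executable in temp directory")
    if not target.startswith(STANDARD_ROOTS):
        findings.append("non-standard location")
    if exe.lower().endswith("svchost.exe") and not svc.service_dll:
        findings.append("svchost host without ServiceDll")
    return findings

def triage_all(services) -> dict:
    return {s.name: triage(s) for s in services}

SAMPLE_SERVICES = [  # constructed rows, not real collector output
    ServiceEntry("LanmanWorkstation", r"C:\Windows\System32\svchost.exe -k netsvcs", 2, 0x20, r"C:\Windows\System32\wkssvc.dll"),
    ServiceEntry("disk", r"\SystemRoot\System32\drivers\disk.sys", 0, 0x1),
    ServiceEntry("WinUpdaterSvc", r'"C:\Users\Public\Temp\updater.exe" -run', 2, 0x10),
    ServiceEntry("netsvcshelper", r"C:\Windows\System32\svchost.exe -k netsvcs", 1, 0x20, r"C:\ProgramData\helper.dll"),
]
```

Running triage_all over the sample flags only the last two entries; the svchost-hosted worker is clean because its ServiceDll, not svchost.exe itself, is what gets checked.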
