Service List
Overview
Evidence: Service List
Description: Enumerate Service List
Category: System
Platform: windows
Short Name: srvcpr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Windows Services are background processes that run without user interaction, often with SYSTEM privileges. Services are a common persistence mechanism for both legitimate software and malware.
Services are configured in the registry under HKLM\SYSTEM\CurrentControlSet\Services. Each service has an ImagePath or ServiceDll that specifies what code to execute.
Data Collected
This collector gathers structured data about the service list.
Service List Data
KeyPath: Registry key path. Example: SYSTEM\CurrentControlSet\Services\MyService
LastWriteTime: Registry key last write time. Example: 2023-10-15T14:30:00
EntryName: Service name. Example: MyService
StartType: Service start type (0=Boot, 1=System, 2=Automatic, 3=Manual, 4=Disabled). Example: 2
SourcePath: Command line (ImagePath or ServiceDll). Example: C:\Windows\System32\svchost.exe -k netsvcs
AutorunsServicesRowID: Foreign key to the service entry. Example: 1
Collection Method
This collector:
- Enumerates all keys under HKLM\SYSTEM\CurrentControlSet\Services\*
- Reads the service configuration:
  - ImagePath: path to the service executable
  - ServiceDll (from the Parameters subkey): DLL for svchost-hosted services
  - Start: service start type
  - Type: service type (kernel driver, user-mode service, etc.)
  - WOW64: whether the service is 32-bit
- Parses command lines and extracts file paths
- Resolves CLSID references if present
- Handles both 32-bit and 64-bit registry views
Forensic Value
Service enumeration is critical for detecting persistent threats and system compromises. Investigators use this data to identify malicious services, detect unauthorized service installations, track service configuration changes, identify suspicious service names, verify service executables and DLLs, detect DLL hijacking in svchost, and correlate services with process execution.