# Service List

## Overview

**Evidence:** Service List\
**Description:** Enumerate Service List\
**Category:** System\
**Platform:** windows\
**Short Name:** srvcpr\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

Windows Services are background processes that run without user interaction, often with SYSTEM privileges. Services are a common persistence mechanism for both legitimate software and malware.

Services are configured in the registry under `HKLM\SYSTEM\CurrentControlSet\Services`. Each service has an ImagePath or ServiceDll that specifies what code to execute.

## Data Collected

This collector gathers structured data about every service registered on the system, one row per service key.

### Service List Data

| Field                   | Description                                                              | Example                                     |
| ----------------------- | ------------------------------------------------------------------------ | ------------------------------------------- |
| `KeyPath`               | Registry key path                                                        | SYSTEM\CurrentControlSet\Services\MyService |
| `LastWriteTime`         | Registry key last write time                                             | 2023-10-15T14:30:00                         |
| `EntryName`             | Service name                                                             | MyService                                   |
| `StartType`             | Service start type (0=Boot, 1=System, 2=Automatic, 3=Manual, 4=Disabled) | 2                                           |
| `SourcePath`            | Command line (ImagePath or ServiceDll)                                   | C:\Windows\System32\svchost.exe -k netsvcs  |
| `AutorunsServicesRowID` | Foreign key to service entry                                             | 1                                           |

## Collection Method

This collector:

* Enumerates all keys under `HKLM\SYSTEM\CurrentControlSet\Services\*`
* Reads service configuration:
  * `ImagePath` - Path to service executable
  * `ServiceDll` (from Parameters subkey) - DLL for svchost-hosted services
  * `Start` - Service start type
  * `Type` - Service type (kernel driver, user-mode service, etc.)
  * `WOW64` - Whether service is 32-bit
* Parses command lines and extracts file paths
* Resolves CLSID references if present
* Handles both 32-bit and 64-bit registry views

## Forensic Value

Service enumeration is critical for detecting persistent threats and system compromises. Investigators use this data to identify malicious services, detect unauthorized service installations, track service configuration changes, identify suspicious service names, verify service executables and DLLs, detect DLL hijacking in svchost, and correlate services with process execution.
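The Collection Method and Forensic Value sections above describe reading each service key, choosing `ImagePath` or the `Parameters\ServiceDll` value as the source, extracting the file path from the command line, and then checking where that file lives. The following Python is an added example written for this page, not part of the collector or its code base: it runs offline against a constructed dictionary standing in for the values under `HKLM\SYSTEM\CurrentControlSet\Services`, builds rows in the shape of the Service List Data table (`KeyPath`, `EntryName`, `StartType`, `SourcePath`), and flags auto-start services whose executable or svchost-hosted DLL resolves outside the Windows and Program Files directories. The trusted-directory list, the environment-variable map and the sample service names are assumptions for the example; the `%SystemRoot%`, `\SystemRoot\`, `\??\` and bare `System32\` path forms are the ones Windows itself accepts in `ImagePath`.

```python
import re
from dataclasses import dataclass

START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Constructed sample standing in for HKLM\SYSTEM\CurrentControlSet\Services\<name>.
# "Parameters" mirrors the Parameters subkey that holds ServiceDll for svchost services.
SAMPLE_SERVICES = {
    "Dnscache": {
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService -p",
        "Start": 2, "Type": 0x20,
        "Parameters": {"ServiceDll": r"%SystemRoot%\System32\dnsrslvr.dll"},
    },
    "MyService": {
        "ImagePath": r'"C:\Program Files\Vendor\svc.exe" /run',
        "Start": 2, "Type": 0x10,
    },
    "disk": {
        "ImagePath": r"System32\drivers\disk.sys",   # kernel driver, relative path
        "Start": 0, "Type": 0x1,
    },
    "UpdaterSvc": {                                  # constructed suspicious entry
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
        "Start": 2, "Type": 0x20,
        "Parameters": {"ServiceDll": r"C:\Users\Public\update.dll"},
    },
}

# Assumed expansion table; a real collector reads these from the target system.
ENV = {"%SystemRoot%": r"C:\Windows", "%windir%": r"C:\Windows"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def expand_env(path):
    """Case-insensitive expansion of the environment variables in ENV."""
    for var, value in ENV.items():
        path = re.sub(re.escape(var), lambda m: value, path, flags=re.IGNORECASE)
    return path


def first_path(cmdline):
    """Extract the executable path from a service command line.
    A quoted path is taken whole; otherwise the first space-delimited token
    is used, which is also how the Service Control Manager reads an unquoted ImagePath."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def normalize(path):
    """Turn the registry spelling of a path into an absolute Win32 path."""
    p = expand_env(path)
    low = p.lower()
    if low.startswith("\\systemroot\\"):
        p = ENV["%SystemRoot%"] + p[len("\\SystemRoot"):]
    elif p.startswith("\\??\\"):
        p = p[4:]
    elif low.startswith("system32\\"):
        p = ENV["%SystemRoot%"] + "\\" + p
    return p


@dataclass
class ServiceEntry:
    key_path: str
    entry_name: str
    start_type: int
    start_type_name: str
    source_path: str   # ImagePath, or ServiceDll for svchost-hosted services
    file_path: str     # resolved file that actually carries the service code
    is_svchost: bool


def parse_service(name, values):
    """Build one Service List row from the raw values of a service key."""
    image = values.get("ImagePath", "")
    params = values.get("Parameters", {})
    exe = normalize(first_path(image))
    is_svchost = exe.lower().endswith("\\svchost.exe") and "ServiceDll" in params
    source = params["ServiceDll"] if is_svchost else image
    file_path = normalize(source) if is_svchost else exe
    start = values.get("Start", 3)
    return ServiceEntry(
        key_path="SYSTEM\\CurrentControlSet\\Services\\" + name,
        entry_name=name,
        start_type=start,
        start_type_name=START_TYPES.get(start, "Unknown"),
        source_path=source,
        file_path=file_path,
        is_svchost=is_svchost,
    )


def suspicious(entry):
    """Auto-start service whose executable or svchost DLL lives outside trusted directories."""
    return entry.start_type in (0, 1, 2) and not entry.file_path.lower().startswith(TRUSTED_DIRS)


def triage(services):
    """Return the names of services worth an analyst's attention."""
    return [e.entry_name for e in (parse_service(n, v) for n, v in services.items()) if suspicious(e)]


if __name__ == "__main__":
    for name, values in SAMPLE_SERVICES.items():
        e = parse_service(name, values)
        print(f"{e.entry_name:12} {e.start_type_name:10} svchost={e.is_svchost!s:5} {e.file_path}")
    print("flagged:", triage(SAMPLE_SERVICES))
```

The svchost case is the one that matters for the DLL-hijacking check the Forensic Value section mentions: the `ImagePath` of every svchost-hosted service looks identical, so the row is only meaningful once `SourcePath` has been switched to the `ServiceDll` value and that path resolved.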
