Service List

Overview

Evidence: Service List
Description: Enumerate Service List
Category: System
Platform: windows
Short Name: srvcpr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

Windows Services are background processes that run without user interaction, often with SYSTEM privileges. Services are a common persistence mechanism for both legitimate software and malware.

Services are configured in the registry under HKLM\SYSTEM\CurrentControlSet\Services. Each service has an ImagePath or ServiceDll that specifies what code to execute.

Data Collected

This collector gathers structured data about service list.

Service List Data

Field	Description	Example
`KeyPath`	Registry key path	SYSTEM\CurrentControlSet\Services\MyService
`LastWriteTime`	Registry key last write time	2023-10-15T14:30:00
`EntryName`	Service name	MyService
`StartType`	Service start type (0=Boot, 1=System, 2=Automatic, 3=Manual, 4=Disabled)	2
`SourcePath`	Command line (ImagePath or ServiceDll)	C:\Windows\System32\svchost.exe -k netsvcs
`AutorunsServicesRowID`	Foreign key to service entry	1

Collection Method

This collector:

Enumerates all keys under HKLM\SYSTEM\CurrentControlSet\Services\*
Reads service configuration:
- ImagePath - Path to service executable
- ServiceDll (from Parameters subkey) - DLL for svchost-hosted services
- Start - Service start type
- Type - Service type (kernel driver, user-mode service, etc.)
- WOW64 - Whether service is 32-bit
Parses command lines and extracts file paths
Resolves CLSID references if present
Handles both 32-bit and 64-bit registry views

Forensic Value

Service enumeration is critical for detecting persistent threats and system compromises. Investigators use this data to identify malicious services, detect unauthorized service installations, track service configuration changes, identify suspicious service names, verify service executables and DLLs, detect DLL hijacking in svchost, and correlate services with process execution.