Overview
The Services command enumerates Windows services on the system. By default, it filters out Microsoft-signed services to highlight potentially interesting third-party services, custom services, and security products. Use the -full flag to enumerate all services without filtering.
Syntax
This command does not support remote execution for standard enumeration.
Output
Returns service information:
- Service name
- Display name
- Company name
- Service state (Running, Stopped)
- Start type (Auto, Manual, Disabled)
- Service path
- Service account
Use Cases
- Red Team
- Blue Team
- Identify security products and monitoring services
- Find services running as SYSTEM or privileged accounts
- Discover unquoted service paths
- Locate modifiable service binaries
- Identify services for persistence
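For hardening reviews, the same fields can be triaged automatically. The following is an added example, not the tool's own code: it applies a default filter like the one described above and flags unquoted service paths and privileged service accounts so they can be corrected. The sample records, the company-name match standing in for the signature check, and all function names are assumptions.

```python
import re

# Constructed sample records using the fields the command reports
# (illustrative values, not output captured from a real host).
SAMPLE_SERVICES = [
    {"name": "Spooler", "display_name": "Print Spooler",
     "company": "Microsoft Corporation", "state": "Running", "start_type": "Auto",
     "path": r"C:\Windows\System32\spoolsv.exe", "account": "LocalSystem"},
    {"name": "AcmeUpdater", "display_name": "Acme Update Service",
     "company": "Acme Corp", "state": "Running", "start_type": "Auto",
     "path": r"C:\Program Files\Acme Tools\Updater\updater.exe --svc", "account": "LocalSystem"},
    {"name": "AcmeAgent", "display_name": "Acme Agent",
     "company": "Acme Corp", "state": "Stopped", "start_type": "Manual",
     "path": r'"C:\Program Files\Acme Tools\agent.exe" -run', "account": r"NT AUTHORITY\LocalService"},
]

PRIVILEGED = {"localsystem", r"nt authority\system"}
# Executable portion of an unquoted command line: shortest prefix ending in .exe
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

def image_path(path):
    """Return (executable, quoted) parsed from a service command line."""
    path = path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return (path[1:end] if end != -1 else path[1:]), True
    m = EXE_RE.match(path)
    return (m.group(1) if m else path.split(" ")[0]), False

def triage(services, include_microsoft=False):
    """Flag services to review; include_microsoft=True mimics the -full flag."""
    findings = []
    for svc in services:
        # Assumption: a company-name match stands in for the signature check.
        if not include_microsoft and "microsoft" in svc["company"].lower():
            continue
        exe, quoted = image_path(svc["path"])
        flags = []
        if not quoted and " " in exe:
            flags.append("unquoted-path")       # fix: quote the image path
        if svc["account"].lower() in PRIVILEGED:
            flags.append("privileged-account")  # review: least-privilege account
        if flags:
            findings.append((svc["name"], flags))
    return findings
```
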
Example Output
Remote Execution
Detection Considerations
Low detection risk - service enumeration is common administrative activity.
- API Calls: Uses Service Control Manager (SCM) APIs
- WMI Queries: May use WMI for additional service details
- EDR Telemetry: Service enumeration may be logged
Related Commands
- AutoRuns - Auto-start programs including services
- Processes - Running processes
- InterestingProcesses - Security products
- AntiVirus - Registered antivirus