Services Registry Keys

The Services registry key, located in the SYSTEM hive, stores information regarding installed services on the endpoint. It is useful when searching for evidence of persistence mechanisms on an endpoint.

Analysis Value

Operating System Availability

Artifact Location(s)

  • File: %SystemRoot%\system32\config\SYSTEM


For more information on determining the correct CurrentControlSet, visit Select Registry Key

Artifact Parsers

  • RegistryExplorer (Eric Zimmerman)

Artifact Interpretation

Within the Services key you will find subkeys, one for each service installed on an endpoint.

The values within this key may be interpreted as follows:

The Last Write Timestamp for each service key represents the time at which the service was installed or modified.

Additionally, for each service there may be an optional Parameters subkey. This key may contain any options that are passed to the executable when the service is started. Certain service installers such as NSSM (Non-Sucking Service Manager) will show the "true" executable for the service under this Parameters key.

Interpreting the Start Value

Last updated