Services Registry Keys

The Services registry key, located in the SYSTEM hive, stores information regarding installed services on the endpoint. It is useful when searching for evidence of persistence mechanisms on an endpoint.

Analysis Value

pageFile Path

Operating System Availability

Major VersionSupportMajor VersionSupport

Windows 11

Server 2019

Windows 10

Server 2016

Windows 8

Server 2012

Windows 7

Server 2008

Windows Vista

Server 2003

Windows XP

Artifact Location(s)

  • File: %SystemRoot%\system32\config\SYSTEM

  • Key: SYSTEM\{CURRENT_CONTROL_SET}\Services

For more information on determining the correct CurrentControlSet, visit Select Registry Key

Artifact Parsers

  • RegistryExplorer (Eric Zimmerman)

Artifact Interpretation

Within the Services key you will find subkeys, one for each service installed on an endpoint.

The values within this key may be interpreted as follows:

ValueInterpretation

DisplayName

The name of the service as it would appear in services.msc

Description

The description of the service as it would appear in services.msc

ImagePath

The path to the executable for this service

Start

Start mode of the service

Type

Type of service

The Last Write Timestamp for each service key represents the time at which the service was installed or modified.

Additionally, for each service there may be an optional Parameters subkey. This key may contain any options that are passed to the executable when the service is started. Certain service installers such as NSSM (Non-Sucking Service Manager) will show the "true" executable for the service under this Parameters key.

Interpreting the Start Value

ValueInterpretation

0

Boot - Service is a device driver

1

System - Service is a device driver

2

Automatic - Service and all of its dependency services is started on boot by the OS

3

Manual - Service is started manually by user interaction

4

Disabled - Service is disabled and cannot be started automatically or manually

Last updated