# Services Registry Keys

The `Services` registry key, located in the `SYSTEM` hive, stores information regarding installed services on the endpoint. It is useful when searching for evidence of persistence mechanisms on an endpoint.

## Analysis Value

{% content-ref url="/pages/V3cDcDJogcr4slquHEzB" %}
[File Path](/windows-forensics/artifacts-by-activity/file-activity/file-path.md)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ✅       | Server 2003   | ✅       |
| Windows XP    | ✅       |               |         |

## Artifact Location(s)

{% tabs %}
{% tab title="🔌 Offline System" %}

* File: `%SystemRoot%\system32\config\SYSTEM`
* Key: `SYSTEM\{CURRENT_CONTROL_SET}\Services`

{% endtab %}

{% tab title="🔋 Live System" %}

* `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services`

{% endtab %}
{% endtabs %}

{% hint style="info" %}
For more information on determining the correct `CurrentControlSet`, visit [Select Registry Key](/windows-forensics/artifacts-by-type/registry-artifacts/select.md).
{% endhint %}

## Artifact Parsers

* RegistryExplorer (Eric Zimmerman)

## Artifact Interpretation

Within the `Services` key you will find subkeys, one for each service installed on an endpoint.

The values within each service subkey may be interpreted as follows:

| Value       | Interpretation                                                      |
| ----------- | ------------------------------------------------------------------- |
| DisplayName | The name of the service as it would appear in `services.msc`        |
| Description | The description of the service as it would appear in `services.msc` |
| ImagePath   | The path to the executable for this service                         |
| Start       | Start mode of the service                                           |
| Type        | Type of service                                                     |

The Last Write Timestamp for each service key represents the time at which the service was installed or modified.

Additionally, for each service there may be an optional `Parameters` subkey. This key may contain any options that are passed to the executable when the service is started. Certain service installers such as NSSM (Non-Sucking Service Manager) will show the "true" executable for the service under this `Parameters` key.

### Interpreting the `Start` Value

| Value | Interpretation                                                                          |
| ----- | --------------------------------------------------------------------------------------- |
| 0     | **Boot** - Service is a device driver                                                   |
| 1     | **System** - Service is a device driver                                                 |
| 2     | **Automatic** - Service and all of its dependency services are started at boot by the OS |
| 3     | **Manual** - Service is started manually by user interaction                            |
| 4     | **Disabled** - Service is disabled and cannot be started automatically or manually      |
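As an added example (not code from the original page), the following Python helper parses a constructed `.reg` export of the `Services` key, decodes the `Start` value using the table above, and resolves the real executable when a wrapper's `Parameters` subkey is present. The `Parameters\Application` value name is an assumption about how NSSM records the wrapped binary; the sample export is constructed and handles only REG_SZ and REG_DWORD lines.

```python
import re

# Constructed .reg export (not from the original page): one ordinary service and one installed
# through a wrapper whose Parameters subkey carries the real executable, as the text describes.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"DisplayName"="Print Spooler"
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UpdaterSvc]
"DisplayName"="Updater Service"
"ImagePath"="C:\\ProgramData\\Updater\\nssm.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UpdaterSvc\Parameters]
"Application"="C:\\ProgramData\\Updater\\updater.exe"
'''

START_MODES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
# Service key header: captures control set, service name and an optional subkey (e.g. Parameters).
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3})\\Services\\([^\]\\]+)(?:\\(.+))?\]$")
# REG_SZ ("...") and REG_DWORD (dword:) value lines; hex(2) REG_EXPAND_SZ exports are not handled.
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_services(reg_text):
    """Return {service_name: {value: data, ..., "Parameters": {value: data}}} from a .reg export."""
    services, target = {}, None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            _, name, sub = m.groups()
            svc = services.setdefault(name, {"Parameters": {}})
            target = svc if sub is None else svc["Parameters"] if sub == "Parameters" else None
            continue
        v = VAL_RE.match(line.strip())
        if v and target is not None:
            vname, sz, dword = v.groups()
            # .reg exports double every backslash in string data; undo that and decode dwords.
            target[vname] = int(dword, 16) if dword is not None else sz.replace("\\\\", "\\")
    return services


def describe(svc):
    """Resolve the effective executable and decode the Start value for one parsed service."""
    # Assumption: wrapper installers such as NSSM record the real binary in Parameters\Application.
    wrapped = svc.get("Parameters", {}).get("Application")
    return {"image_path": svc.get("ImagePath"), "effective_exe": wrapped or svc.get("ImagePath"),
            "wrapped": wrapped is not None, "start": START_MODES.get(svc.get("Start"), "Unknown")}
```

Running `describe()` over every entry returned by `parse_services()` gives a quick listing of which executable each service actually launches, which is the detail the `ImagePath` value alone can hide.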

