Service Auditing - Beginner
Author(s): Anywheres
Last Updated: 08-05-2025
Recommended Prerequisites
- (None)
What is a Service?
A Windows service is a long-running program that runs in the background. If you have experience with Linux, you can think of services as the Windows equivalent of daemons. Services typically run without a GUI or any user interaction. As such, services are used primarily for tasks like handling system operations, providing network services, monitoring resources, or running server applications.
Why Do We Need To Audit Services?
Although services are required for a system to run correctly and effectively, they can also be misconfigured, making a system vulnerable. In addition, there are services which may not necessarily be malicious, yet are also not required and should therefore be disabled in order to reduce the attack surface (the potentially attackable components) of a system. Other services, such as Windows Update or Event Log need to be enabled at all times to maintain system security and records. By making sure that only necessary services are running and that those services are properly configured, we shut down possible attack paths for people attempting to breach the system.
To get a sense of which services should be disabled when they are not explicitly required, check the sections of STIGs or benchmarks that focus on services. One such benchmark is listed in the References & Further Reading section of this article.
How Do Services Work?
Since the point of services is to run without user interaction, they have to be started and maintained by the system without user interaction as well. In Windows, that responsibility falls on the Service Control Manager (SCM). The SCM's job is to:
- Start and stop services at the appropriate time
- Manage service dependencies
- Maintain service configurations
- Handle and respond to service control requests
- Restart services in case of failure/error
The manner in which a service starts can be configured by the user. Services have four main startup types in Windows:
- Automatic - The service starts automatically and is run as soon as possible when the system starts up.
- Automatic (Delayed Start) - The service starts automatically but starts a couple of minutes after the initial system startup, in a sort of 'second round'. The purpose of this is to reduce the competition for system resources when the system is starting up initially.
- Manual - The service doesn't start automatically, but can be started up if/when it is needed.
- Disabled - The service is not allowed to start.
In addition, for any of these states other than Disabled it is also possible to see (Trigger Start) by the name. In this case, the service will function identically to the above descriptions, except that it can also be started by an event known as a service trigger. The specifics of how this works are not important for now, but it's good to know that this exists and is normal behavior.
If you would like to learn the specifics of service triggers, check out the MS Docs: https://learn.microsoft.com/en-us/windows/win32/services/service-trigger-events
When a service runs, it also "logs on as" a certain user: it runs with the same privileges as that user, as though that user had started the program themselves. For example, if a service was running as the user testuser, then the service would be able to access any resources that testuser could access. Typically, services log on as one of three accounts: LocalService, NetworkService, or LocalSystem. Of these three, the LocalSystem account is by far the most dangerous, as it has near-complete control of the system. If an attacker managed to control a service running as LocalSystem, or to register their own unauthorized service running as LocalSystem, they too would have this near-complete control of the system. As such, the configuration of which account each service runs as must be carefully monitored and audited to ensure that no unauthorized or insecurely configured service has more privileges than it needs, especially for services running as LocalSystem.
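The following script is an added example written for this article, not code from the article's author. It builds the kind of inventory the paragraphs above describe: every registered service with its startup type (rendered the way services.msc shows it, including Delayed Start), its current state, the account it logs on as, and the executable path, and then singles out the LocalSystem services whose binaries live outside the Windows directory so they can be reviewed first. It assumes Windows 8 / Server 2012 or later (for the DelayedAutoStart property of Win32_Service) and makes no changes to the system.

```powershell
# Added example (not from the article): read-only inventory of all registered services.
# Assumes Windows 8 / Server 2012 or later so that Win32_Service exposes DelayedAutoStart.

$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, DelayedAutoStart, StartName, PathName

# Translate the raw StartMode value into the label services.msc displays
$inventory = foreach ($svc in $services) {
    $startup = switch ($svc.StartMode) {
        'Auto'     { if ($svc.DelayedAutoStart) { 'Automatic (Delayed Start)' } else { 'Automatic' } }
        'Manual'   { 'Manual' }
        'Disabled' { 'Disabled' }
        default    { $svc.StartMode }   # 'Boot' / 'System' appear for driver services
    }
    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        State       = $svc.State
        StartupType = $startup
        LogOnAs     = $svc.StartName    # 'LocalSystem', 'NT AUTHORITY\LocalService', etc.
        Path        = $svc.PathName     # may be quoted and may carry arguments
    }
}

# Full listing, grouped by logon account so LocalSystem services are easy to spot
$inventory | Sort-Object LogOnAs, Name | Format-Table Name, StartupType, State, LogOnAs, Path -AutoSize

# LocalSystem services whose executable is not under %SystemRoot%. These are not
# necessarily malicious (many vendor services are installed this way), but each one
# runs with near-complete control of the machine and deserves a second look.
$systemRoot = $env:SystemRoot
$review = $inventory | Where-Object {
    $_.LogOnAs -eq 'LocalSystem' -and
    $_.Path -and
    ($_.Path.Trim('"') -notlike "$systemRoot\*")
}

"`nLocalSystem services with executables outside $systemRoot (review these first):"
$review | Format-Table Name, StartupType, State, Path -AutoSize
```

The path comparison only strips a leading quote, so a path such as `"C:\Program Files\Vendor\svc.exe" -arg` is still matched correctly against the Windows directory. Reading Win32_Service does not require elevation, but an elevated prompt is needed for any change you decide to make afterwards.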
Configuring Services
Now that you have learned the basics of how services work, you need to learn how to actually configure them. As is the case with most things in Windows, there are a few ways to configure services. The main ones are as follows. For each method, choose one of the services listed in the benchmark and try it out on a practice image or testing VM to get hands-on experience using it.
services.msc
services.msc is an application which allows you to configure services using a GUI. To open it, search for "Services" or "services.msc" in the Windows search bar. Once the application opens, you will be able to see a list of all of the services registered on the system, as well as information regarding their current state, their startup type, and the account the service runs as. These services can be sorted by clicking on the column names at the top of the list. To get more information about a specific service, locate it in the list and either double-click on it or right click it and select "Properties". From this menu you can see more specific information such as the path to the service executable, dependencies of the service, or dependents of the service. You can also configure startup type, manually start or stop the service, and choose actions to be taken if the service fails.
sc.exe
sc.exe is a command line tool for service configuration and querying. sc.exe can be invoked from the command prompt (cmd.exe) as either sc.exe or simply sc. sc.exe can be used from PowerShell as well, but it should be noted that you must use the full name sc.exe since just sc serves as an alias for the cmdlet Set-Content in PowerShell. sc has options for every capability mentioned above in the services.msc section, plus additional features such as displaying the security descriptor of the service object. A full explanation of the features of sc is beyond the scope of this article; however, a link to the documentation for the command will be in the References & Further Reading section. A shortened guide to the command's usage can be seen in the terminal by entering just sc with no additional arguments.
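Here is an added example (not from the article) of the sc.exe subcommands an auditor reaches for most often, run from PowerShell so that the `.exe` suffix is required as the paragraph above explains. The service name Spooler (the Print Spooler) is only a stand-in chosen for this example; substitute the service you are auditing. The `config` and `stop` lines change the machine, so run them on a practice image or test VM from an elevated prompt.

```powershell
# Added example (not from the article): querying and reconfiguring one service with sc.exe.
# 'Spooler' is a stand-in service name chosen for illustration; replace it with your target.
$name = 'Spooler'

# List every service the SCM knows about, running or not
sc.exe query type= service state= all

# Current run state of one service
sc.exe query $name

# Configuration: start type, binary path, logon account, dependencies
sc.exe qc $name

# Security descriptor (SDDL) of the service object: who may start, stop or reconfigure it
sc.exe sdshow $name

# Service triggers registered for this service, if any (explains '(Trigger Start)' in services.msc)
sc.exe qtriggerinfo $name

# Change the startup type. sc.exe syntax requires the space after '='.
# Valid values: auto, delayed-auto, demand (shown as Manual), disabled
sc.exe config $name start= disabled

# Stop it now. If it is already stopped, sc.exe reports error 1062, which is expected here.
sc.exe stop $name

# Confirm that the startup type actually changed
sc.exe qc $name | Select-String 'START_TYPE'
```

`sc.exe` prints plain text rather than objects, which is why the last line pipes through `Select-String` instead of reading a property; the PowerShell cmdlets in the next section return objects you can filter directly.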
PowerShell Cmdlets
PowerShell has cmdlets which are used to configure services. These cmdlets follow the naming pattern *-Service. To get a list of all of these configuration commands from within PowerShell, you can run the command Get-Command *-Service. As with sc, a full explanation of these cmdlets is out of the scope of this article, but the documentation for these cmdlets is once again located in References & Further Reading. As is the case with any other PowerShell cmdlet, usage information can be obtained from the terminal by entering Get-Help [command].
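The function below is an added example, not code from the article or from any benchmark. It shows the Get-Service, Stop-Service and Set-Service cmdlets doing the job this article is about: comparing the services on a machine against a list of names that a benchmark says should be disabled, reporting each mismatch, and (only when asked) remediating it. The service names in `$baseline` are a constructed placeholder list, not taken from a benchmark; replace them with the entries of the benchmark you are following. It assumes PowerShell 5.0 or later (for the StartType property on Get-Service output) and an elevated prompt for remediation.

```powershell
# Added example (not from the article): audit, and optionally enforce, a "should be
# disabled" list of services using the *-Service cmdlets. Assumes PowerShell 5.0+.
function Test-ServiceBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $ShouldBeDisabled,
        [switch] $Remediate
    )

    foreach ($name in $ShouldBeDisabled) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # A service the benchmark names but this machine does not have is not a finding
            [pscustomobject]@{ Name = $name; Status = 'n/a'; StartType = 'n/a'; Result = 'Not installed' }
            continue
        }

        $compliant = ($svc.StartType -eq 'Disabled') -and ($svc.Status -eq 'Stopped')
        $result = if ($compliant) { 'OK' } else { 'NON-COMPLIANT' }

        # ShouldProcess honours -WhatIf / -Confirm, so a dry run changes nothing
        if (-not $compliant -and $Remediate -and
            $PSCmdlet.ShouldProcess($name, 'Stop service and set startup type to Disabled')) {
            # Stop first: Set-Service alone leaves a running service running until reboot
            if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
            Set-Service -Name $name -StartupType Disabled
            $svc.Refresh()          # re-read state so the report shows the new values
            $result = 'Remediated'
        }

        [pscustomobject]@{
            Name      = $name
            Status    = $svc.Status
            StartType = $svc.StartType
            Result    = $result
        }
    }
}

# Constructed placeholder list; substitute the benchmark's own "System Services" entries
$baseline = @('RemoteRegistry', 'SNMPTRAP')

# Audit only: nothing is changed
Test-ServiceBaseline -ShouldBeDisabled $baseline | Format-Table -AutoSize

# Preview what remediation would do, then drop -WhatIf to apply it
Test-ServiceBaseline -ShouldBeDisabled $baseline -Remediate -WhatIf
```

Because the function emits objects, the same output can be piped to `Export-Csv` to keep a record of the audit, or filtered with `Where-Object Result -eq 'NON-COMPLIANT'` to see only the findings.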
References & Further Reading
- https://sematext.com/glossary/windows-services/
- https://learn.microsoft.com/en-us/windows/win32/services/about-services
- https://www.coretechnologies.com/blog/windows-services/startup-types-explained/
- https://downloads.cisecurity.org/ - Benchmarks; choose the most relevant Windows version from the list. Look for a section in the benchmark PDF titled "System Services" or similar
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754599(v=ws.11) - sc.exe documentation
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/ - PowerShell cmdlets documentation
- https://stackoverflow.com/a/510225 - service account distinctions