Sunday, September 14, 2008

Retrieving Remote Services with PowerShell

In the few weeks that I have been using PowerShell I've been really keen to see how I could use it to help with the security parts of my job. In the past I have used scripts and tools from Harlan Carvey's book "Windows Forensics and Incident Recovery" when I have had to look at a PC that has been compromised. Now that I'm beginning to grasp PowerShell I am keen to write my own scripts to investigate compromised PCs and retrieve volatile and non-volatile information.

In this post I will simply detail how to retrieve data about services from a remote PC using WMI and PowerShell.


Services

The information I'm interested in regarding Windows services is really which services are running, the state of them and the executable involved. Below is the command I would use to output that information to the screen.

gwmi win32_service -ComputerName . | sort StartMode | ft SystemName,DisplayName,StartMode,State,PathName

Unfortunately the whole output doesn't fit on the screen, so I would use this next command to export the results to a CSV file for closer analysis.

gwmi win32_service -ComputerName . | sort StartMode | select SystemName,DisplayName,StartMode,State,PathName | export-csv -path d:\runningServices.csv

Now in the CSV I can see all of the output, including the full path of the executable.

Obviously, in both examples the . after -ComputerName can be substituted for the name of a remote computer that you have permission to query.
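To take the two commands above a step further, here is an added example (my own code, not from the original post) that wraps the same Win32_Service query in a function, runs it against a list of computers, adds a couple of columns an investigator usually wants to see first, and exports the lot to CSV. The computer names SERVER01 and SERVER02 are placeholders, and the function name Get-ServiceInventory is mine; it assumes you have administrative rights on each target and that WMI over DCOM (RPC, TCP 135 plus dynamic ports) is reachable.

```powershell
# Added example, not from the original post: inventory Win32_Service on one or
# more computers, flag items worth a second look, and save everything to CSV.
# Assumes admin rights on the targets and WMI/DCOM reachable through any firewall.
function Get-ServiceInventory {
    param(
        [string[]]$ComputerName = @('.'),
        [string]$OutputPath = 'd:\runningServices.csv'
    )

    $rows = foreach ($computer in $ComputerName) {
        try {
            $services = Get-WmiObject -Class Win32_Service -ComputerName $computer -ErrorAction Stop
        } catch {
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
            continue
        }

        foreach ($svc in $services) {
            # Pull the binary out of PathName, ignoring quotes and any arguments.
            $exe = $svc.PathName
            if ($exe -match '^"([^"]+)"')       { $exe = $Matches[1] }
            elseif ($exe -match '^(.+?\.exe)\b') { $exe = $Matches[1] }
            elseif ($exe -match '^(\S+)')        { $exe = $Matches[1] }

            # An unquoted path that contains spaces is a well-known misconfiguration
            # that should be corrected; flag it so it shows up in the CSV.
            $unquoted = ($svc.PathName -notmatch '^"') -and ($exe -match '\s')

            # Binaries outside the usual system directories deserve closer review.
            # (-match is case-insensitive in PowerShell, so no (?i) is needed.)
            $outside = $exe -notmatch '^[a-z]:\\(windows|program files( \(x86\))?)\\'

            [pscustomobject]@{
                Collected              = Get-Date -Format s
                SystemName             = $svc.SystemName
                Name                   = $svc.Name
                DisplayName            = $svc.DisplayName
                StartMode              = $svc.StartMode
                State                  = $svc.State
                StartName              = $svc.StartName   # account the service runs as
                ProcessId              = $svc.ProcessId
                PathName               = $svc.PathName
                Executable             = $exe
                UnquotedPathWithSpaces = $unquoted
                OutsideStandardDirs    = $outside
            }
        }
    }

    $rows | Sort-Object SystemName, StartMode, DisplayName |
        Export-Csv -Path $OutputPath -NoTypeInformation
    $rows
}

# Usage: the local machine plus two remote hosts (placeholder names), then show
# on screen only the services that tripped one of the two flags.
$inventory = Get-ServiceInventory -ComputerName '.', 'SERVER01', 'SERVER02' -OutputPath 'd:\runningServices.csv'
$inventory | Where-Object { $_.UnquotedPathWithSpaces -or $_.OutsideStandardDirs } |
    Format-Table SystemName, DisplayName, StartMode, State, StartName, Executable -AutoSize
```

Two points worth keeping in mind when you run this: the flags are only a starting point for a human review, not a verdict (plenty of legitimate software installs services outside Program Files), and on PowerShell 6 and later Get-WmiObject no longer exists, so swap in Get-CimInstance -ClassName Win32_Service -ComputerName ..., which returns the same properties but talks to the remote machine over WinRM rather than DCOM.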

1 comment:

kwaczek said...

Your lines are very clear and working 100%. Nice