Forked from RomelSan/ListPrivilegedServices.ps1
Last active
September 8, 2023 23:39
-
-
Save roelds/402d4f1ae400498d8f06592f9484f353 to your computer and use it in GitHub Desktop.
List privileged services that don't come with Windows 11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # updated for Win11 | |
| # List privileged services that don't come with Windows 11 | |
| # Exclusion List for Win11 built in | |
| $exclusion = @('ALG', 'AppVClient', 'COMSysApp', 'diagnosticshub.standardcollector.service', | |
| 'edgeupdate', 'edgeupdatem', 'gcs', 'MicrosoftEdgeElevationService', 'MSDTC', | |
| 'msiserver', 'NetTcpPortSharing', 'perceptionsimulation', 'PerfHost', 'RpcLocator', 'SecurityHealthService', | |
| 'Sense', 'SensorDataService', 'SgrmBroker', 'SNMPTrap', 'spectrum', 'Spooler', 'sppsvc', 'TieringEngineService', | |
| 'TrustedInstaller', 'UevAgentService', 'uhssvc', 'vds', 'VSS', 'wbengine', 'WdNisSvc', 'WinDefend', 'wmiApSrv', | |
| 'WMPNetworkSvc', 'WSearch', 'WslService') | |
| # Get Service List with Exclusions | |
| gcim win32_service | ? {$exclusion -notcontains $_.Name -and (($_.StartName -eq 'LocalSystem' -or $_.StartName -Like 'NT AUTHORITY*' -or $_.StartName -Like '*Administrator') -and $_.PathName -ne 'C:\Windows\System32\lsass.exe' -and $_.PathName -NotLike 'C:\Windows\System32\svchost.exe -k*')} | select Name,DesktopInteract,ErrorControl,StartMode | fl | |
| # display almost all | |
| gcim win32_service | ? {($_.StartName -eq 'LocalSystem' -or $_.StartName -Like 'NT AUTHORITY*' -or $_.StartName -Like '*Administrator') -and $_.PathName -ne 'C:\Windows\System32\lsass.exe' -and $_.PathName -NotLike 'C:\Windows\System32\svchost.exe -k*'} | select Name,DesktopInteract,ErrorControl,StartMode | fl | |
| # do more : verify important properties of privileged services that come with Win11 | |
| sc.exe qsidtype name | |
| sc.exe qprivs name | |
| sc.exe qprotection name | |
| sc.exe sdshow name | |
| sc.exe qfailure name | |
| gp hklm:\SYSTEM\CurrentControlSet\Services\*\Parameters | ? { $_.servicedll } | select psparentpath, servicedll | fl | |
| gp hklm:\SYSTEM\CurrentControlSet\Services\* | ? { $_.imagepath } | select description, displayname | fl | |
| # show file version info | |
| gci imagepath | % versioninfo | select * | fl | |
| gci servicedll | % versioninfo | select * | fl | |
| Get-AuthenticodeSignature imagepath -Verbose | select * | |
| Get-AuthenticodeSignature servicedll -Verbose | select * | |
| # verify if symbolic link | |
| gci | ? Target | select LinkType, FullName, Target | |
| Get-Service name | select ServiceType | |
| Get-Acl imagepath -Verbose | select * | fl | |
| Get-Acl servicedll -Verbose | select * | fl | |
| Get-Acl hklm:\SYSTEM\CurrentControlSet\Services\name -Verbose | select * | fl | |
| Get-Acl hklm:\SYSTEM\CurrentControlSet\Services\name\Parameters -Verbose | select * | fl | |
| Get-Acl hklm:\SYSTEM\CurrentControlSet\Services\name\Security -Verbose | select * | fl | |
| # verify blake3 hash | |
| b3sum_windows_x64_bin.exe imagepath | |
| b3sum_windows_x64_bin.exe servicedll |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment