Add startup and persistence analysis tools

Add Get-AutoRun.ps1, Get-ScheduledTasks.ps1, and Get-Services.ps1 for analyzing auto-start programs and persistence mechanisms. Get-AutoRun: Run/RunOnce keys, Startup folders, startup tasks Get-ScheduledTasks: Detailed task analysis with filters Get-Services: Service enumeration using WMI/CIM Uses Get-CimInstance for reliable service enumeration, avoiding Get-Service permission issues. Multiple filters and output modes. Update TODO.md.
2026-02-03 22:39:35 +01:00
parent ce250b9725
commit ed0c1983b3
4 changed files with 409 additions and 4 deletions
--- a/windows/Get-Services.ps1
+++ b/windows/Get-Services.ps1
@@ -0,0 +1,111 @@
+# Get-Services.ps1
+# Lists Windows services with details
+
+param(
+    [ValidateSet("All", "Running", "Stopped", "Automatic", "Manual", "Disabled")]
+    [string]$Filter = "All",
+    [int]$MaxResults = 50,
+    [switch]$ShowAll
+)
+
+Write-Host "=== Windows Services ===" -ForegroundColor Cyan
+
+if ($ShowAll) {
+    $MaxResults = [int]::MaxValue
+}
+
+$filterDesc = switch ($Filter) {
+    "Running" { "Running services" }
+    "Stopped" { "Stopped services" }
+    "Automatic" { "Services set to start automatically" }
+    "Manual" { "Manual start services" }
+    "Disabled" { "Disabled services" }
+    default { "All services" }
+}
+
+Write-Host "$filterDesc`n" -ForegroundColor Yellow
+
+try {
+    # Use WMI/CIM for reliable service enumeration
+    $services = Get-CimInstance Win32_Service -ErrorAction Stop
+
+    # Apply filter
+    $filteredServices = switch ($Filter) {
+        "Running" { $services | Where-Object { $_.State -eq "Running" } }
+        "Stopped" { $services | Where-Object { $_.State -eq "Stopped" } }
+        "Automatic" { $services | Where-Object { $_.StartMode -eq "Auto" } }
+        "Manual" { $services | Where-Object { $_.StartMode -eq "Manual" } }
+        "Disabled" { $services | Where-Object { $_.StartMode -eq "Disabled" } }
+        default { $services }
+    }
+
+    if ($filteredServices) {
+        # Sort by state then name
+        $sortedServices = $filteredServices | Sort-Object State, DisplayName
+
+        Write-Host "Found: $($filteredServices.Count) services" -ForegroundColor Green
+        Write-Host "Showing: $(if ($ShowAll) { "All" } else { "Top $MaxResults" })`n" -ForegroundColor Gray
+
+        $count = 0
+        foreach ($service in ($sortedServices | Select-Object -First $MaxResults)) {
+            $count++
+
+            # Color based on status
+            $nameColor = switch ($service.State) {
+                "Running" { "Green" }
+                "Stopped" { "Gray" }
+                default { "Yellow" }
+            }
+
+            $statusSymbol = if ($service.State -eq "Running") { "●" } else { "○" }
+
+            Write-Host "$count. $statusSymbol $($service.DisplayName)" -ForegroundColor $nameColor
+            Write-Host "   Name: $($service.Name)" -ForegroundColor Gray
+            Write-Host "   Status: $($service.State) | Start Mode: $($service.StartMode)" -ForegroundColor Gray
+
+            if ($service.PathName) {
+                Write-Host "   Path: $($service.PathName)" -ForegroundColor White
+            }
+            if ($service.Description) {
+                Write-Host "   Description: $($service.Description)" -ForegroundColor Gray
+            }
+            if ($service.StartName) {
+                Write-Host "   Run As: $($service.StartName)" -ForegroundColor Gray
+            }
+            if ($service.ProcessId -and $service.ProcessId -ne 0) {
+                Write-Host "   PID: $($service.ProcessId)" -ForegroundColor Gray
+            }
+
+            Write-Host ""
+        }
+
+        if ($filteredServices.Count -gt $MaxResults -and -not $ShowAll) {
+            Write-Host "... and $($filteredServices.Count - $MaxResults) more (use -ShowAll to see all)" -ForegroundColor Gray
+        }
+
+        # Summary
+        Write-Host "`n=== Summary ===" -ForegroundColor Cyan
+
+        $stateGroups = $filteredServices | Group-Object State
+        Write-Host "By Status:" -ForegroundColor Yellow
+        foreach ($group in $stateGroups) {
+            Write-Host "  $($group.Name): $($group.Count)" -ForegroundColor Green
+        }
+
+        $startModeGroups = $filteredServices | Group-Object StartMode
+        Write-Host "`nBy Start Mode:" -ForegroundColor Yellow
+        foreach ($group in $startModeGroups) {
+            Write-Host "  $($group.Name): $($group.Count)" -ForegroundColor Green
+        }
+
+    } else {
+        Write-Host "No services found matching filter" -ForegroundColor Gray
+    }
+
+} catch {
+    Write-Host "Error: $_" -ForegroundColor Red
+}
+
+Write-Host "`nFilters: -Filter All|Running|Stopped|Automatic|Manual|Disabled" -ForegroundColor Cyan
+Write-Host "Use -ShowAll to see all services (default: top $MaxResults)" -ForegroundColor Cyan
+Write-Host "`nForensic note: Check for suspicious service names, paths, or 'Run As' accounts" -ForegroundColor Cyan