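# Get-Services.ps1
# Lists Windows services with details
<#
.SYNOPSIS
    Prints Windows services (display name, service name, state, start mode,
    binary path, description, logon account, PID), followed by a summary
    grouped by state and by start mode.

.PARAMETER Filter
    Which services to list: All (default), Running, Stopped, Automatic,
    Manual or Disabled. Running/Stopped match the State property; the other
    three match StartMode.

.PARAMETER MaxResults
    Maximum number of services to print in detail (default 50). The summary
    always covers every service that matched the filter.

.PARAMETER ShowAll
    Print every matching service, ignoring MaxResults.

.NOTES
    - Data comes from Win32_Service on the live system. Kernel and file-system
      drivers are exposed through Win32_SystemDriver and are not listed here.
    - DisplayName, Description and PathName are set by whoever registered the
      service, so treat them as untrusted text when triaging.
    - Output is written with Write-Host for on-screen review; nothing is
      emitted to the pipeline. Errors are printed but do not change the exit
      code, so automation should not rely on it.
    - On a host suspected of compromise, corroborate the listing with an
      independent source, since a live query only shows what the running OS
      reports.
#>
param(
    [ValidateSet("All", "Running", "Stopped", "Automatic", "Manual", "Disabled")]
    [string]$Filter = "All",
    [int]$MaxResults = 50,
    [switch]$ShowAll
)

Write-Host "=== Windows Services ===" -ForegroundColor Cyan

# Keep the caller's -MaxResults untouched and track the effective cap
# separately, so later messages do not print [int]::MaxValue as a "default".
$limit = if ($ShowAll) { [int]::MaxValue } else { $MaxResults }

$filterDesc = switch ($Filter) {
    "Running"   { "Running services" }
    "Stopped"   { "Stopped services" }
    "Automatic" { "Services set to start automatically" }
    "Manual"    { "Manual start services" }
    "Disabled"  { "Disabled services" }
    default     { "All services" }
}
Write-Host "$filterDesc`n" -ForegroundColor Yellow

try {
    # Use WMI/CIM for reliable service enumeration
    $services = Get-CimInstance Win32_Service -ErrorAction Stop

    # Apply filter. @(...) forces an array so that .Count is well defined
    # even when exactly one service (or none) matches.
    $filteredServices = @(
        switch ($Filter) {
            "Running"   { $services | Where-Object { $_.State -eq "Running" } }
            "Stopped"   { $services | Where-Object { $_.State -eq "Stopped" } }
            "Automatic" { $services | Where-Object { $_.StartMode -eq "Auto" } }
            "Manual"    { $services | Where-Object { $_.StartMode -eq "Manual" } }
            "Disabled"  { $services | Where-Object { $_.StartMode -eq "Disabled" } }
            default     { $services }
        }
    )

    if ($filteredServices.Count -gt 0) {
        # Sort by state then name
        $sortedServices = $filteredServices | Sort-Object State, DisplayName

        Write-Host "Found: $($filteredServices.Count) services" -ForegroundColor Green
        Write-Host "Showing: $(if ($ShowAll) { "All" } else { "Top $MaxResults" })`n" -ForegroundColor Gray

        $count = 0
        foreach ($service in ($sortedServices | Select-Object -First $limit)) {
            $count++

            # Color based on status
            $nameColor = switch ($service.State) {
                "Running" { "Green" }
                "Stopped" { "Gray" }
                default   { "Yellow" }
            }
            $statusSymbol = if ($service.State -eq "Running") { "●" } else { "○" }

            Write-Host "$count. $statusSymbol $($service.DisplayName)" -ForegroundColor $nameColor
            Write-Host " Name: $($service.Name)" -ForegroundColor Gray
            Write-Host " Status: $($service.State) | Start Mode: $($service.StartMode)" -ForegroundColor Gray

            # Optional fields are printed only when populated.
            if ($service.PathName) {
                # Shown in white: the binary path is the first thing to
                # inspect when reviewing a service.
                Write-Host " Path: $($service.PathName)" -ForegroundColor White
            }
            if ($service.Description) {
                Write-Host " Description: $($service.Description)" -ForegroundColor Gray
            }
            if ($service.StartName) {
                Write-Host " Run As: $($service.StartName)" -ForegroundColor Gray
            }
            if ($service.ProcessId -and $service.ProcessId -ne 0) {
                Write-Host " PID: $($service.ProcessId)" -ForegroundColor Gray
            }
            Write-Host ""
        }

        if ($filteredServices.Count -gt $limit -and -not $ShowAll) {
            Write-Host "... and $($filteredServices.Count - $limit) more (use -ShowAll to see all)" -ForegroundColor Gray
        }

        # Summary (covers every matching service, not only those printed)
        Write-Host "`n=== Summary ===" -ForegroundColor Cyan

        $stateGroups = $filteredServices | Group-Object State
        Write-Host "By Status:" -ForegroundColor Yellow
        foreach ($group in $stateGroups) {
            Write-Host " $($group.Name): $($group.Count)" -ForegroundColor Green
        }

        $startModeGroups = $filteredServices | Group-Object StartMode
        Write-Host "`nBy Start Mode:" -ForegroundColor Yellow
        foreach ($group in $startModeGroups) {
            Write-Host " $($group.Name): $($group.Count)" -ForegroundColor Green
        }
    } else {
        Write-Host "No services found matching filter" -ForegroundColor Gray
    }
} catch {
    # Best-effort: report the failure on screen and fall through to the
    # usage footer.
    Write-Host "Error: $_" -ForegroundColor Red
}

Write-Host "`nFilters: -Filter All|Running|Stopped|Automatic|Manual|Disabled" -ForegroundColor Cyan
# Literal 50 mirrors the param() default above; keep the two in sync.
Write-Host "Use -ShowAll to see all services (default: top 50)" -ForegroundColor Cyan
Write-Host "`nForensic note: Check for suspicious service names, paths, or 'Run As' accounts" -ForegroundColor Cyan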