Add Get-AutoRun.ps1, Get-ScheduledTasks.ps1, and Get-Services.ps1 for analyzing auto-start programs and persistence mechanisms. Get-AutoRun: Run/RunOnce keys, Startup folders, startup tasks. Get-ScheduledTasks: detailed task analysis with filters. Get-Services: service enumeration using WMI/CIM; uses Get-CimInstance for reliable service enumeration, avoiding Get-Service permission issues. Multiple filters and output modes. Update TODO.md.
# Get-Services.ps1
|
|
# Lists Windows services with details
|
|
|
|
param(
|
|
[ValidateSet("All", "Running", "Stopped", "Automatic", "Manual", "Disabled")]
|
|
[string]$Filter = "All",
|
|
[int]$MaxResults = 50,
|
|
[switch]$ShowAll
|
|
)
|
|
|
|
Write-Host "=== Windows Services ===" -ForegroundColor Cyan
|
|
|
|
if ($ShowAll) {
|
|
$MaxResults = [int]::MaxValue
|
|
}
|
|
|
|
$filterDesc = switch ($Filter) {
|
|
"Running" { "Running services" }
|
|
"Stopped" { "Stopped services" }
|
|
"Automatic" { "Services set to start automatically" }
|
|
"Manual" { "Manual start services" }
|
|
"Disabled" { "Disabled services" }
|
|
default { "All services" }
|
|
}
|
|
|
|
Write-Host "$filterDesc`n" -ForegroundColor Yellow
|
|
|
|
try {
|
|
# Use WMI/CIM for reliable service enumeration
|
|
$services = Get-CimInstance Win32_Service -ErrorAction Stop
|
|
|
|
# Apply filter
|
|
$filteredServices = switch ($Filter) {
|
|
"Running" { $services | Where-Object { $_.State -eq "Running" } }
|
|
"Stopped" { $services | Where-Object { $_.State -eq "Stopped" } }
|
|
"Automatic" { $services | Where-Object { $_.StartMode -eq "Auto" } }
|
|
"Manual" { $services | Where-Object { $_.StartMode -eq "Manual" } }
|
|
"Disabled" { $services | Where-Object { $_.StartMode -eq "Disabled" } }
|
|
default { $services }
|
|
}
|
|
|
|
if ($filteredServices) {
|
|
# Sort by state then name
|
|
$sortedServices = $filteredServices | Sort-Object State, DisplayName
|
|
|
|
Write-Host "Found: $($filteredServices.Count) services" -ForegroundColor Green
|
|
Write-Host "Showing: $(if ($ShowAll) { "All" } else { "Top $MaxResults" })`n" -ForegroundColor Gray
|
|
|
|
$count = 0
|
|
foreach ($service in ($sortedServices | Select-Object -First $MaxResults)) {
|
|
$count++
|
|
|
|
# Color based on status
|
|
$nameColor = switch ($service.State) {
|
|
"Running" { "Green" }
|
|
"Stopped" { "Gray" }
|
|
default { "Yellow" }
|
|
}
|
|
|
|
$statusSymbol = if ($service.State -eq "Running") { "●" } else { "○" }
|
|
|
|
Write-Host "$count. $statusSymbol $($service.DisplayName)" -ForegroundColor $nameColor
|
|
Write-Host " Name: $($service.Name)" -ForegroundColor Gray
|
|
Write-Host " Status: $($service.State) | Start Mode: $($service.StartMode)" -ForegroundColor Gray
|
|
|
|
if ($service.PathName) {
|
|
Write-Host " Path: $($service.PathName)" -ForegroundColor White
|
|
}
|
|
if ($service.Description) {
|
|
Write-Host " Description: $($service.Description)" -ForegroundColor Gray
|
|
}
|
|
if ($service.StartName) {
|
|
Write-Host " Run As: $($service.StartName)" -ForegroundColor Gray
|
|
}
|
|
if ($service.ProcessId -and $service.ProcessId -ne 0) {
|
|
Write-Host " PID: $($service.ProcessId)" -ForegroundColor Gray
|
|
}
|
|
|
|
Write-Host ""
|
|
}
|
|
|
|
if ($filteredServices.Count -gt $MaxResults -and -not $ShowAll) {
|
|
Write-Host "... and $($filteredServices.Count - $MaxResults) more (use -ShowAll to see all)" -ForegroundColor Gray
|
|
}
|
|
|
|
# Summary
|
|
Write-Host "`n=== Summary ===" -ForegroundColor Cyan
|
|
|
|
$stateGroups = $filteredServices | Group-Object State
|
|
Write-Host "By Status:" -ForegroundColor Yellow
|
|
foreach ($group in $stateGroups) {
|
|
Write-Host " $($group.Name): $($group.Count)" -ForegroundColor Green
|
|
}
|
|
|
|
$startModeGroups = $filteredServices | Group-Object StartMode
|
|
Write-Host "`nBy Start Mode:" -ForegroundColor Yellow
|
|
foreach ($group in $startModeGroups) {
|
|
Write-Host " $($group.Name): $($group.Count)" -ForegroundColor Green
|
|
}
|
|
|
|
} else {
|
|
Write-Host "No services found matching filter" -ForegroundColor Gray
|
|
}
|
|
|
|
} catch {
|
|
Write-Host "Error: $_" -ForegroundColor Red
|
|
}
|
|
|
|
Write-Host "`nFilters: -Filter All|Running|Stopped|Automatic|Manual|Disabled" -ForegroundColor Cyan
|
|
Write-Host "Use -ShowAll to see all services (default: top $MaxResults)" -ForegroundColor Cyan
|
|
Write-Host "`nForensic note: Check for suspicious service names, paths, or 'Run As' accounts" -ForegroundColor Cyan
|
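Review bot: The closing "Forensic note" leaves the one check the script already has the data for — an unquoted service binary path containing spaces — to the reader, even though `PathName` is printed for every service in the per-service loop. A path that is not wrapped in quotes and has whitespace before the executable is the classic service-hijack indicator an analyst wants highlighted rather than hand-scanned; inside the `if ($service.PathName)` branch, a line such as `if ($service.PathName -match '^[^"]*\s[^"]*\.exe') { Write-Host "   [!] Unquoted path with spaces" -ForegroundColor Red }` would surface it directly (regex is a first cut — confirm it does not misfire on paths whose only spaces are in trailing arguments). A secondary point of style: every result goes out through Write-Host, so nothing can be piped to Export-Csv or compared across hosts during triage; emitting a `[pscustomobject]` per service (Name, DisplayName, State, StartMode, PathName, StartName, ProcessId) alongside or instead of the formatted text would keep the interactive view while making the output usable in a pipeline.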