Windows Service Checks

August 14, 2010

User mode services:

Service name :Browser

Display Name :Computer Browser

Binary Path :E:\WINNT\System32\services.exe

Service is running in the security context of LocalSystem

The Computer Browser service is subject to a denial of service attack in which many spoofed entries can be added to the browse list. The browse list is requested from the maintainer or backup browser on many occasions, e.g. when a user opens "Network Neighbourhood" or when Server Manager is opened, and each time the whole list is sent across the network. If enough entries are added, the browse list can grow to hundreds of megabytes, causing machines to hang and consuming the available network bandwidth. If this poses a risk on your network then this service should be disabled.

Service name :cisvc

Display Name :Indexing Service

Binary Path :E:\WINNT\System32\cisvc.exe

Service is running in the security context of LocalSystem

The Index Server service is running. Ensure that only the files you want indexed are indexed and that no sensitive files are included; otherwise users may be able to access them.

For example, the Index Server service indexes ASP pages, and it will be possible for remote users to gain access to the source of the pages.

Service name :Dhcp

Display Name :DHCP Client

Binary Path :E:\WINNT\System32\services.exe

Service is running in the security context of LocalSystem

Service name :dmserver

Display Name :Logical Disk Manager

Binary Path :E:\WINNT\System32\services.exe

Service is running in the security context of LocalSystem

Service name :Dnscache

Display Name :DNS Client

Binary Path :E:\WINNT\System32\services.exe

Service is running in the security context of LocalSystem

Service name :Eventlog

Display Name :Event Log

Binary Path :E:\WINNT\system32\services.exe

Service is running in the security context of LocalSystem

Service name :EventSystem

Display Name :COM+ Event System

Binary Path :E:\WINNT\System32\svchost.exe -k netsvcs

Service is running in the security context of LocalSystem

Service name :IISADMIN

Display Name :IIS Admin Service

Binary Path :E:\WINNT\System32\inetsrv\inetinfo.exe

Service is running in the security context of LocalSystem

Service name :lanmanserver

Display Name :Server

Binary Path :E:\WINNT\System32\services.exe

Service is running in the security context of LocalSystem

Service name :lanmanworkstation

Display Name :Workstation

Binary Path :E:\WINNT\System32\services.exe

Service is running in the security context of LocalSystem

Service name :LmHosts

Display Name :TCP/IP NetBIOS Helper Service

Binary Path :E:\WINNT\System32\services.exe

Service is running in the security context of LocalSystem

Service name :Messenger

Display Name :Messenger

Binary Path :E:\WINNT\System32\services.exe

Service is running in the security context of LocalSystem

The Messenger service allows a user to send a message across the network that will pop up on the target's computer screen. This can be abused in social engineering attacks, e.g. one user trying to get another to change their password. In addition, the name of the user currently logged on to the system is registered in the NetBIOS name table, which can be retrieved remotely by issuing an nbtstat -A x.x.x.x command. If this presents too much of a risk, the Messenger service should be disabled.

Service name :Netman

Display Name :Network Connections

Binary Path :E:\WINNT\System32\svchost.exe -k netsvcs

Service is running in the security context of LocalSystem

Service name :NtmsSvc

Display Name :Removable Storage

Binary Path :E:\WINNT\System32\svchost.exe -k netsvcs

Service is running in the security context of LocalSystem

Service name :PlugPlay

Display Name :Plug and Play

Binary Path :E:\WINNT\system32\services.exe

Service is running in the security context of LocalSystem

Service name :PolicyAgent

Display Name :IPSEC Policy Agent

Binary Path :E:\WINNT\System32\lsass.exe

Service is running in the security context of LocalSystem

Service name :ProtectedStorage

Display Name :Protected Storage

Binary Path :E:\WINNT\system32\services.exe

Service is running in the security context of LocalSystem

Service name :RasMan

Display Name :Remote Access Connection Manager

Binary Path :E:\WINNT\System32\svchost.exe -k netsvcs

Service is running in the security context of LocalSystem

The Remote Access Service allows users to dial in to the server. Ensure that only those users that require remote access are given the RAS Dial in permission.

Service name :RemoteRegistry

Display Name :Remote Registry Service

Binary Path :E:\WINNT\system32\regsvc.exe

Service is running in the security context of LocalSystem

Service name :RpcSs

Display Name :Remote Procedure Call (RPC)

Binary Path :E:\WINNT\system32\svchost -k rpcss

Service is running in the security context of LocalSystem

Service name :SamSs

Display Name :Security Accounts Manager

Binary Path :E:\WINNT\system32\lsass.exe

Service is running in the security context of LocalSystem

Service name :Schedule

Display Name :Task Scheduler

Binary Path :E:\WINNT\system32\MSTask.exe

Service is running in the security context of LocalSystem

Service name :seclogon

Display Name :RunAs Service

Binary Path :E:\WINNT\system32\services.exe

Service is running in the security context of LocalSystem

Service name :SENS

Display Name :System Event Notification

Binary Path :E:\WINNT\system32\svchost.exe -k netsvcs

Service is running in the security context of LocalSystem

Service name :Spooler

Display Name :Print Spooler

Binary Path :E:\WINNT\system32\spoolsv.exe

Service is running in the security context of LocalSystem

Service name :TapiSrv

Display Name :Telephony

Binary Path :E:\WINNT\System32\svchost.exe -k netsvcs

Service is running in the security context of LocalSystem

Service name :TrkWks

Display Name :Distributed Link Tracking Client

Binary Path :E:\WINNT\system32\services.exe

Service is running in the security context of LocalSystem

Service name :W3SVC

Display Name :World Wide Web Publishing Service

Binary Path :E:\WINNT\System32\inetsrv\inetinfo.exe

Service is running in the security context of LocalSystem

Service name :WinMgmt

Display Name :Windows Management Instrumentation

Binary Path :E:\WINNT\System32\WBEM\WinMgmt.exe

Service is running in the security context of LocalSystem

Service name :Wmi

Display Name :Windows Management Instrumentation Driver Extensions

Binary Path :E:\WINNT\system32\Services.exe

Service is running in the security context of LocalSystem

Driver services:

Service name :ACPI

Display Name :Microsoft ACPI Driver

Binary Path: \SystemRoot\System32\DRIVERS\ACPI.sys

Service name :AFD

Display Name :AFD Networking Support Environment

Binary Path: \SystemRoot\System32\drivers\afd.sys

Service name :atapi

Display Name :Standard IDE/ESDI Hard Disk Controller

Binary Path: \SystemRoot\System32\DRIVERS\atapi.sys

Service name :Beep

Display Name :Beep

Binary Path:

Service name :Cdrom

Display Name :CD-ROM Driver

Binary Path: System32\DRIVERS\cdrom.sys

Service name :Disk

Display Name :Disk Driver

Binary Path: \SystemRoot\System32\DRIVERS\disk.sys

Service name :Diskperf

Display Name :Diskperf

Binary Path:

Service name :dmio

Display Name :Logical Disk Manager Driver

Binary Path: \SystemRoot\System32\drivers\dmio.sys

Service name :dmload

Display Name :dmload

Binary Path: \SystemRoot\System32\drivers\dmload.sys

Service name :Fips

Display Name :Fips

Binary Path:

Service name :Ftdisk

Display Name :Volume Manager Driver

Binary Path: \SystemRoot\System32\DRIVERS\ftdisk.sys

Service name :i8042prt

Display Name :i8042 Keyboard and PS/2 Mouse Port Driver

Binary Path: System32\DRIVERS\i8042prt.sys

Service name :IPSEC

Display Name :IPSEC driver

Binary Path: System32\DRIVERS\ipsec.sys

Service name :isapnp

Display Name :PnP ISA/EISA Bus Driver

Binary Path: \SystemRoot\System32\DRIVERS\isapnp.sys

Service name :Kbdclass

Display Name :Keyboard Class Driver

Binary Path: System32\DRIVERS\kbdclass.sys

Service name :KSecDD

Display Name :KSecDD

Binary Path:

Service name :mnmdd

Display Name :mnmdd

Binary Path:

Service name :Mouclass

Display Name :Mouse Class Driver

Binary Path: System32\DRIVERS\mouclass.sys

Service name :MountMgr

Display Name :MountMgr

Binary Path:

Service name :MRxSmb

Display Name :MRxSmb

Binary Path: System32\DRIVERS\mrxsmb.sys

Service name :Msfs

Display Name :Msfs

Binary Path:

Service name :Mup

Display Name :Mup

Binary Path:

Service name :NDIS

Display Name :NDIS System Driver

Binary Path:

Service name :NetBIOS

Display Name :NetBIOS Interface

Binary Path: System32\DRIVERS\netbios.sys

Service name :NetBT

Display Name :NetBios over Tcpip

Binary Path: System32\DRIVERS\netbt.sys

Service name :Npfs

Display Name :Npfs

Binary Path:

Service name :Null

Display Name :Null

Binary Path:

Service name :Parport

Display Name :Parallel port driver

Binary Path: System32\DRIVERS\parport.sys

Service name :PartMgr

Display Name :PartMgr

Binary Path:

Service name :ParVdm

Display Name :ParVdm

Binary Path:

Service name :PCI

Display Name :PCI Bus Driver

Binary Path: \SystemRoot\System32\DRIVERS\pci.sys

Service name :PCIIde

Display Name :PCIIde

Binary Path: \SystemRoot\System32\DRIVERS\pciide.sys

Service name :RasAcd

Display Name :Remote Access Auto Connection Driver

Binary Path: System32\DRIVERS\rasacd.sys

Service name :Rdbss

Display Name :Rdbss

Binary Path: System32\DRIVERS\rdbss.sys

Service name :Serial

Display Name :Serial port driver

Binary Path: System32\DRIVERS\serial.sys

Service name :Tcpip

Display Name :TCP/IP Protocol Driver

Binary Path: System32\DRIVERS\tcpip.sys

Service name :VgaSave

Display Name :VgaSave

Binary Path: \SystemRoot\System32\drivers\vga.sys

There are 30 user mode services running and 37 driver services running. Total = 67