Brandon

PropertySource - Windows Services

WARNING - This propertysource pulls a list of all Windows services installed.  This does not filter the services to only show running or auto-starting services.  Useful for auditing, auto-grouping, and inventory.  Example below

Displays a list of all installed Windows Services.

 

auto.winservices [AeLookupSvc, ALG, AppIDSvc, Appinfo, AppMgmt, aspnet_state, AudioEndpointBuilder, AudioSrv, BESClient, BESClientHelper, BFE, BITS, Browser, CertPropSvc, clr_optimization_v2.0.50727_32, clr_optimization_v2.0.50727_64, clr_optimization_v4.0.30319_32, clr_optimization_v4.0.30319_64, COMSysApp, CryptSvc, DcomLaunch, defragsvc, Dhcp, DiagTrack, Dnscache, dot3svc, DPS, EapHost, EFS, eventlog, EventSystem, FCRegSvc, fdPHost, FDResPub, FontCache, FontCache3.0.0.0, gpsvc, hidserv, hkmsvc, idsvc, IEEtwCollectorService, IKEEXT, IPBusEnum, iphlpsvc, KeyIso, KtmRm, LanmanServer, LanmanWorkstation, lltdsvc, lmhosts, MMCSS, MpsSvc, MSDTC, MSiSCSI, msiserver, MSSQL$SVSSDB, MSSQLFDLauncher$SVSSDB, MSSQLServerADHelper100, napagent, Netlogon, Netman, NetMsmqActivator, NetPipeActivator, netprofm, NetTcpActivator, NetTcpPortSharing, NlaSvc, nsi, PerfHost, pla, PlugPlay, PolicyAgent, Power, ProfSvc, ProtectedStorage, RasAuto, RasMan, RemoteAccess, RemoteRegistry, RpcEptMapper, RpcLocator, RpcSs, RSoPProv, sacsvr, SamSs, SCardSvr, Schedule, SCPolicySvc, seclogon, SENS, SessionEnv, SharedAccess, ShellHWDetection, SNMPTRAP, Spooler, sppsvc, sppuinotify, SQLAgent$SVSSDB, SQLBrowser, SQLWriter, SSDPSRV, SstpSvc, swprv, TapiSrv, TermService, THREADORDER, TrkWks, TrustedInstaller, UI0Detect, UmRdpService, upnphost, UxSms, VaultSvc, vds, VGAuthService, VMTools, vmvss, VMware Physical Disk Helper Service, VSS, W32Time, WcsPlugInService, WdiServiceHost, WdiSystemHost, Wecsvc, wercplsupport, WerSvc, WinHttpAutoProxySvc, Winmgmt, WinRM, wmiApSrv, WPDBusEnum, WRSVC, wuauserv, wudfsvc]

 

Z4LHDZ

  • Upvote 3


This is really useful Brandon, thanks.  I was only interested in the Running state services and I wanted the list sorted on the service's caption in the MSC console, so I modified the code slightly:

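import com.santaba.agent.groovyapi.win32.WMI;

// Hostname of the device this PropertySource runs against.
def hostname = hostProps.get("system.hostname");

// Only return services that are currently in the Running state.
def wmiQuery = " SELECT Name, Caption, State, Status FROM Win32_Service WHERE State='RUNNING' ";

// Open a WMI session to the host and run the query in the CIMv2 namespace.
def session = WMI.open(hostname);

def result = session.queryAll("CIMv2", wmiQuery, 15);

// Collect the caption (display name) of every returned service, sorted alphabetically.
def runningServicesList = result.CAPTION.sort();

// Render the list as text, using " | " instead of commas between captions.
def winServicesRunning = runningServicesList.toString().replaceAll(",", "  |  ");

// PropertySource output is a key=value line.
println "WinServicesRunning=" + winServicesRunning;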

  • Upvote 1


This will be something I will be implementing across the board, but it won't be listing all services.  Instead, the output will only display relevant services to automatically detect the type of server.  For example - using an if statement to decide that the server must be a Domain Controller because it is running Active Directory Domain Services, Active Directory Web Services, and DFS Replication.  The output would then be something like "Server.Role=Domain Controller" or "Server.Role=[Application] Web Server".

  • Upvote 1


We're working on building dynamic groupings based on AppliesTo functions that are mentioning this same thing. Server.Role sounds interesting for grouping as well; however, this would require a different property source for every type of role. Using the generic "services" as an appliesTo function, it allows to just create those on demand instead of specific role based ones. This might work to do just for specific services you know will exist, then use the services property source to do the generic types of roles.

  • Upvote 1


I agree - it definitely adds a lot of flexibility for creating groups having all of the services listed as a property of the device.  The only problem I see is that the list can be extensive.  There might even be a character limit for the field, so for some servers, it might not actually populate the entire list.  Mosh's idea to only include running services is a great idea.  I had thought of that when I wrote the script originally, but decided against it in case services happened to be stopped for whatever reason (such as patching), right as the collector was performing an active discovery sweep.  My fear is that it might override the property and populate an incomplete list.

  • Upvote 2

On 16/06/2017 at 2:21 PM, Brandon said:

The only problem I see is that the list can be extensive.  There might even be a character limit for the field, so for some servers, it might not actually populate the entire list.

 

@Brandon this is correct and the list can be truncated. The property source character limit is 2,000 currently.

I created something very very similar on my portal a while back, and here's the proof the list can get truncated:

[Screenshot]

Note, on this particular device there is a "WalletService" service, and of course Windows Firewall.

Here's what the end of the property source (that lists services alphabetically) looks like:

[Screenshot]

Note the property source value ends "WalletS" - a truncation of "WalletService" - and Windows Firewall is absent.

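The thread raises two points that fit in one script: deriving a Server.Role value from the services present, and the 2,000-character truncation that silently dropped Windows Firewall from the inventory. The Groovy below is an added example, not code from any poster or from LogicMonitor; it splits the list at name boundaries into several properties and emits a count so a short list is detectable. The property names WinServices.N, WinServices.Count and WinServices.Parts, the role rules, and the sample service list are assumptions made for illustration, as is the reading that the limit applies to each property value.

```groovy
// Added example: plain Groovy; a real PropertySource would fill `services` from WMI.
final int LIMIT = 2000      // character limit quoted in the thread
final String SEP = ", "
// Constructed sample: five real service names plus filler to exceed the limit.
def services = ["NTDS", "ADWS", "DFSR", "MpsSvc", "WalletService"] +
        (1..300).collect { "ConstructedSvc" + it }

// Hypothetical role rules: a role matches only when every listed service exists.
// NTDS, ADWS, DFSR = AD Domain Services, AD Web Services, DFS Replication.
def roleRules = [
    "Domain Controller": ["NTDS", "ADWS", "DFSR"],
    "SQL Server"       : ["SQLWriter", "SQLBrowser"],
]

def detectRoles = { Collection<String> names ->
    def present = names.collect { it.toUpperCase() } as Set
    roleRules.findAll { role, required ->
        required.every { present.contains(it.toUpperCase()) }
    }.keySet().toList()
}

// Pack names into values of at most `limit` characters, breaking only
// between names so that no service name is ever cut in half.
def chunkNames = { List<String> names, int limit, String sep ->
    def chunks = []
    def current = []
    int length = 0
    names.each { name ->
        int added = (current ? sep.length() : 0) + name.length()
        if (current && length + added > limit) {
            chunks << current.join(sep)
            current = []
            length = 0
            added = name.length()
        }
        current << name
        length += added
    }
    if (current) chunks << current.join(sep)
    chunks
}

def sorted = services.sort(false) { it.toLowerCase() }
def parts = chunkNames(sorted, LIMIT, SEP)
println "WinServices.Count=" + sorted.size()   // lets a consumer spot a short list
println "WinServices.Parts=" + parts.size()
parts.eachWithIndex { chunk, i -> println "WinServices.${i + 1}=" + chunk }
println "Server.Role=" + (detectRoles(sorted).join(", ") ?: "Unknown")
```

With a single property, anything sorted after the cut-off (the firewall service in the screenshots described above) never reaches the audit; comparing WinServices.Count with the number of names actually received exposes that gap.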