Services: where is the EXE located?

Find all services that are not running from the \System32 or \Windows directory. For your environment, you might need to add a few more exclusions for services such as AV, Exchange, MOM, etc. However, be careful not to exclude too much, as you may miss a Trojan or virus hiding as a service within one of those directories.

 

-- Services whose command line does not contain \System32 or \Windows
SELECT  v_GS_COMPUTER_SYSTEM.Name0      AS 'PC Name',
        v_GS_COMPUTER_SYSTEM.UserName0  AS 'User ID',
        v_GS_SERVICE.DisplayName0       AS 'Service Name',
        v_GS_SERVICE.StartMode0         AS 'Start Up',
        v_GS_SERVICE.StartName0         AS 'Account',
        v_GS_SERVICE.State0             AS 'State',
        v_GS_SERVICE.PathName0          AS 'Command line'
FROM    v_GS_COMPUTER_SYSTEM
        INNER JOIN v_GS_SERVICE
                ON v_GS_SERVICE.ResourceID = v_GS_COMPUTER_SYSTEM.ResourceID
-- Substring match: any path containing \System32 or \Windows is filtered out
WHERE   v_GS_SERVICE.PathName0 NOT LIKE '%\System32%'
        AND v_GS_SERVICE.PathName0 NOT LIKE '%\Windows%'
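The query above matches \Windows anywhere in the command line, so a service whose path merely contains a folder named Windows is filtered out along with the legitimate ones. As an added example (not part of the original post), the T-SQL variant below anchors the match at the start of the path and keeps exclusions as narrow prefixes. The ExampleAV and ExampleAgent paths are constructed placeholders, and it assumes PathName0 holds a drive-letter path and that the site database uses a case-insensitive collation.

```sql
-- Added example: anchored path matching with a narrow exclusion list (T-SQL).
WITH svc AS (
    SELECT  s.ResourceID,
            s.DisplayName0,
            s.StartMode0,
            s.StartName0,
            s.State0,
            s.PathName0,
            -- Strip double quotes and leading spaces so "C:\..." and C:\... compare alike.
            LTRIM(REPLACE(s.PathName0, '"', '')) AS CleanPath
    FROM    v_GS_SERVICE AS s
),
allowed (Prefix) AS (
    -- '_' matches exactly one character (the drive letter); '%' only trails the prefix,
    -- so the directory must be at the start of the path, not somewhere inside it.
    SELECT '_:\Windows\%'
    UNION ALL SELECT '_:\Program Files\ExampleAV\%'           -- constructed placeholder
    UNION ALL SELECT '_:\Program Files (x86)\ExampleAgent\%'  -- constructed placeholder
)
SELECT  cs.Name0         AS 'PC Name',
        cs.UserName0     AS 'User ID',
        svc.DisplayName0 AS 'Service Name',
        svc.StartMode0   AS 'Start Up',
        svc.StartName0   AS 'Account',
        svc.State0       AS 'State',
        svc.PathName0    AS 'Command line'
FROM    svc
        INNER JOIN v_GS_COMPUTER_SYSTEM AS cs
                ON cs.ResourceID = svc.ResourceID
-- NOT EXISTS also keeps rows whose PathName0 is NULL, which NOT LIKE would silently drop.
WHERE   NOT EXISTS (SELECT 1 FROM allowed AS a WHERE svc.CleanPath LIKE a.Prefix)
ORDER BY svc.PathName0, cs.Name0;
```

Each exclusion should name the vendor's full install directory rather than a parent such as Program Files, so that anything else placed beside it still appears in the results.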
