HOWTO: Get a List of Windows Services on a Remote Computer


Windows services running on your endpoints without real need can expose them to cyber attacks, introduce performance issues or cause other administrative headaches. Creating an inventory of running services across the entire network is the first step in decreasing your attack surface or optimizing system performance. This guide explains how to query a list of all services in bulk and filter the results (by started/stopped state, service name, description, etc.).



Manually:

1. Run WMI query in ROOT\CIMV2 namespace:

   - Start WMI Explorer or any other tool which can run WMI queries.
   - Run WMI query: SELECT * FROM Win32_Service

2. Run wmic command-line interface:

   - Press WIN+R
   - Type "wmic", press Enter
   - In wmic command prompt type: /node:RemoteComputerName service

3. Run PowerShell script:

   - through a WMI object: Get-WmiObject -Class Win32_Service -Computer RemoteComputerName

4. Select specific columns:

   - run: Get-WmiObject -Class Win32_Service -Computer RemoteComputerName | Select-Object DisplayName, Started, StartMode

5. Sort results:

   - run: Get-WmiObject -Class Win32_Service -Computer RemoteComputerName | Select-Object DisplayName, Started, StartMode | Sort-Object DisplayName

6. Filter results:

   - run: Get-WmiObject -Class Win32_Service -Computer RemoteComputerName | Select-Object DisplayName, Started, StartMode | Where-Object -FilterScript {$_.DisplayName -like "Microsoft*"}

7. Save to CSV file:

   - run: Get-WmiObject -Class Win32_Service -Computer RemoteComputerName | Select-Object DisplayName, Started, StartMode | Export-CSV "c:\file.csv" -Append -NoTypeInformation

8. Query multiple computers:

   - computers from a text file: Get-Content -Path c:\computers.txt | ForEach-Object {Get-WmiObject -Class Win32_Service -Computer $_}
   - computers from AD domain: Get-ADComputer -Filter {OperatingSystem -Like "Windows 10*"} | ForEach-Object {Get-WmiObject -Class Win32_Service -Computer $_.Name}
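
Steps 3 to 8 combined into one script, as an added example that is not part of the original guide or Action1's own code: it queries every computer listed in a text file, returns only running services, records hosts that could not be queried, and writes the results to CSV. The file paths are hypothetical, and Windows PowerShell 5.1 is assumed.

```powershell
# Added example: inventory running services on several computers.
# Assumptions: Windows PowerShell 5.1 (Get-WmiObject is not available in PowerShell 7,
# where Get-CimInstance replaces it) and the hypothetical file paths below.
$computerList = 'C:\computers.txt'              # one computer name per line
$reportPath   = 'C:\services-inventory.csv'     # inventory output
$failedPath   = 'C:\services-unreachable.csv'   # hosts that could not be queried

$failed = @()
$services = foreach ($computer in (Get-Content -Path $computerList | Where-Object { $_.Trim() })) {
    $name = $computer.Trim()
    try {
        # -Filter is a WQL condition evaluated on the remote host,
        # so only running services are sent back over the network.
        Get-WmiObject -Class Win32_Service -ComputerName $name `
                      -Filter "State = 'Running'" -ErrorAction Stop |
            Select-Object SystemName, Name, DisplayName, State, StartMode, StartName, PathName
    }
    catch {
        # Record unreachable or access-denied hosts instead of silently skipping them.
        $failed += [pscustomobject]@{ Computer = $name; Error = $_.Exception.Message }
    }
}

if ($services) {
    $services | Sort-Object SystemName, DisplayName |
        Export-Csv -Path $reportPath -NoTypeInformation

    # Summary: the 20 services running on the most hosts.
    $services | Group-Object Name | Sort-Object Count -Descending |
        Select-Object Count, Name -First 20
}

if ($failed) {
    $failed | Export-Csv -Path $failedPath -NoTypeInformation
}
```

SystemName keeps each row tied to its computer, which the one-liners in step 8 lose once Select-Object narrows the columns. StartName (the account the service runs as) and PathName (the executable path) are included because they are the fields to review when deciding whether a service is needed.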

With Action1 Endpoint Security Platform:

Step 1 - Sign-up for free:

Step 2 - Type your question in plain English:

Step 3 - Set filters, if necessary:

Step 4 - See results from all endpoints in seconds:

| Endpoint Name | DisplayName | Started | StartMode |
|---|---|---|---|
| mac.widgets.local | Remote Desktop Services | True | Manual |
| fred.widgets.local | Windows Defender Firewall | False | Manual |
| ray.widgets.local | Windows Update | Running | Manual |

Do not have time to write scripts? Check out Action1 Endpoint Security Platform.
Ask questions in plain English such as "list of installed software" or "all running processes". Get answers instantly from live systems:

