Services are applications that run in the background during system boot or when certain events occur and provide the basic functionality of the OS. As a rule, computer services do not have a graphical interface, so their work is not noticeable to the user for the most part. Therefore, there is often a problem to find out a list of Windows services on remote domain computer.
Just about 80 various services are installed in the system with a standard Windows installation. And despite the fact that not all of them are launched automatically, the number of workers by default still seems too high, considering that a significant part of the total number of vulnerabilities ever discovered in this OS falls on system services. In addition, at home, many default services simply do not need to. For these and other reasons related to the optimization of the computer, it is recommended that you disable all services that you do not use.
Windows services running on your endpoints without real need can potentially expose them for cyberattacks, introduce performance issues or cause other administrative headaches. Creating an inventory of running services across the entire network is the first step in decreasing your attack surface or optimizing system performance. This guide explains how to do query a list of Windows services in bulk and filter results (such as started/stopped, service name, description etc).
Manually:
1. Execute WMI Query in ROOT\CIMV2 Namespace:
Launch WMI Explorer or any other tool which can run WMI queries.
Run WMI query: SELECT * FROM Win32_Service
2. Open WMIC Command-line Interface:
Press WIN+R
Type “wmic”, press Enter
In wmic command line tool type: /node:RemoteComputerName service
3. Run This Simple Windows Powershell Script:
Thru WMI object: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Computer RemoteComputerName
4. Use Following Code to Select Specific Columns:
Execute: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Computer RemoteComputerName | Select-Object DisplayName, Started, StartMode, PSComputerName
5. Sort the Results Using the Line Below:
Invoke command: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Computer RemoteComputerName | Select-Object DisplayName, Started, StartMode, PSComputerName | Sort-Object DisplayName
6. The Next Code Helps to Filter Results:
Use it: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Computer RemoteComputerName | Select-Object DisplayName, Started, StartMode, PSComputerName | Where-Object -FilterScript {$_.DisplayName -like “Microsoft*”}
7. Save Results to CSV File:
Run: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Computer RemoteComputerName | Select-Object DisplayName, Started, StartMode, PSComputerName | Export-CSV “c:\file.csv” -Append -NoTypeInformation
8. The Next Step Is to Query Multiple Computers:
Computers from a text file: Get-Content -Path c:\computers.txt | ForEach-Object {Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Computer $_}
Computers from AD domain: Get-ADComputer -Filter {OperatingSystem -Like ‘Windows 10*’} | ForEach-Object {Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Computer $_.Name}
