Service executable path

(imported topic written by jeko1791)

Hi,

I’m trying to find a way to identify the executable path of each service in Windows. The registry was the first spot I thought of, but not all services under the registry show “ImagePath” or other values that would tell me the executable path that runs that service. The only definitive way I’ve found is using the services.msc GUI. Are there any inspectors that can see what services.msc is displaying, or do you know where that information is coming from so I can create a property to display service executable paths?

Thanks,

(imported comment written by lmpymilk91)

q:(service names of it, image paths of it) of services

This one would give you just the running services on the machine and with the expanded environment strings.

q:(service names of it, expand environment strings of image paths of it) of services whose (state of it is "Running")

(imported comment written by jeko1791)

Hi lmpymilk, thanks for the reply.

I had tried something similar, but I’m noticing that not all services are represented with that relevance statement. We have ISS Proventia server sensors, and the IBM Proventia service is nowhere to be found in that list, but it shows a C:\Program Files\ISS\Proventia\phService.exe path in services.msc.

Classic standoff. Being a HIDS agent, it wants to remain hidden, but I want to know if it’s there.

Any ideas?

(imported comment written by jeko1791)

Actually, I can get the right paths by looking at the running applications but not the services…weird.

pathnames of running applications

(imported comment written by lmpymilk91)

Are you sure it’s a running service?

If you run

q:services

in the relevancedebugger do you see your service listed?

(imported comment written by jeko1791)

Yes, it shows up in the results just fine.

q: services whose (service name of it starts with "IBM")

A: "IBMProventia" "IBM Proventia" "Running"

If I run this relevance:

q: (service names of it, image paths of it) of services whose (service name of it starts with "BES")

A: BESClient, "C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe"

A: BESClientHelper, "C:\Program Files\BigFix Enterprise\BES Client\BESClientHelper.exe" -l

it works fine, but if I change the service name I’m looking for to search for the IBMProventia service, it returns blank.

q: (service names of it, image paths of it) of services whose (service name of it starts with "IBM")

q: (service names of it, image paths of it) of services whose (service name of it contains "IBM")

Almost like that service doesn’t want its information known. What would prevent BESClient from seeing that service’s path?

(imported comment written by jessewk)

My guess is that the ‘image path’ inspector is returning an error for the IBM services. Check HKLM\System\CurrentControlSet\Services\<service name> and see if the ImagePath key exists.

Also, to confirm, try this variation on your query:

Q: (service name of it, exists image path of it) of services whose (service name of it as lowercase contains "ibm")

Jesse

(imported comment written by jeko1791)

Thanks jessewk, that answers it. Image path doesn’t exist in the registry, but there is an executable path in the services.msc GUI if I open that service. Where else would this information be polled from?

Q: (service name of it, exists image path of it) of services whose (service name of it as lowercase contains "ibm")

A: IBMProventia, False

(imported comment written by jessewk)

Not sure. You can probably try searching the registry for “IBMProventia”.

(imported comment written by jeko1791)

Yeah, I tried that early on, but there’s very little about it in the registry. It seems to hide itself very well.

So, I guess at this point, since this service doesn’t present itself like other services, and BESClient looks in the common spot for service info, we’re pretty out of luck.

If anyone else comes across similar services that “hide” themselves like this, please let me know what you discover.
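
An added example, not part of the original thread or of BigFix: a PowerShell check that lists, for every service, the binary path reported through the Service Control Manager (Win32_Service.PathName, assumed here to match what services.msc displays) next to the ImagePath value in the registry, and flags services where the registry view is missing or unreadable. The column names and the `$report` variable are choices made for this example.

```powershell
# Added example: compare the path the Service Control Manager reports with
# the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $keyPath  = Join-Path $root $svc.Name
    $regPath  = $null
    $regState = 'ok'

    if (-not (Test-Path -LiteralPath $keyPath)) {
        # The service is known to the SCM but its key is not visible to us.
        $regState = 'key missing'
    } else {
        try {
            $key = Get-Item -LiteralPath $keyPath -ErrorAction Stop
            # Read the raw value so strings such as %SystemRoot% stay unexpanded.
            $regPath = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
            if ($null -eq $regPath) { $regState = 'ImagePath missing' }
        } catch {
            # Access denied or a filtered key ends up here.
            $regState = "unreadable: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Name     = $svc.Name
        State    = $svc.State
        ScmPath  = $svc.PathName
        RegPath  = $regPath
        RegState = $regState
    }
}

# Services that report a path through the SCM but not through the registry.
$report |
    Where-Object { $_.RegState -ne 'ok' -and $_.ScmPath } |
    Sort-Object Name |
    Format-Table Name, State, ScmPath, RegState -AutoSize -Wrap
```

Run it from an elevated prompt so that access-denied results reflect the service's own protections rather than the caller's privileges.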