Services and Pathnames

baumpower · August 6, 2024, 7:02pm

Stumped here…why would this statement return results that I’m filtering?!

q: (service names of it, image paths of it) of services whose (image path of it does not start with “C:\Program Files (x86)” or image path of it does not start with “C:\Windows”)
A: AJRouter, C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
A: ALG, C:\Windows\System32\alg.exe
A: AppIDSvc, C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
A: Appinfo, C:\Windows\system32\svchost.exe -k netsvcs -p
A: AppMgmt, C:\Windows\system32\svchost.exe -k netsvcs -p
A: AppReadiness, C:\Windows\System32\svchost.exe -k AppReadiness -p
A: AppVClient, C:\Windows\system32\AppVClient.exe
A: AppXSvc, C:\Windows\system32\svchost.exe -k wsappx -p
A: AssignedAccessManagerSvc, C:\Windows\system32\svchost.exe -k AssignedAccessManagerSvc
A: AudioEndpointBuilder, C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p
A: Audiosrv, C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
A: autotimesvc, C:\Windows\system32\svchost.exe -k autoTimeSvc
A: AxInstSV, C:\Windows\system32\svchost.exe -k AxInstSVGroup
A: BDESVC, C:\Windows\System32\svchost.exe -k netsvcs -p
A: BESClient, “C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe”
A: BFE, C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
A: BITS, C:\Windows\System32\svchost.exe -k netsvcs -p
A: BrokerInfrastructure, C:\Windows\system32\svchost.exe -k DcomLaunch -p
A: BTAGService, C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
A: BthAvctpSvc, C:\Windows\system32\svchost.exe -k LocalService -p
A: bthserv, C:\Windows\system32\svchost.exe -k LocalService -p
A: camsvc, C:\Windows\system32\svchost.exe -k appmodel -p
A: CDPSvc, C:\Windows\system32\svchost.exe -k LocalService -p
A: CertPropSvc, C:\Windows\system32\svchost.exe -k netsvcs
A: ClipSVC, C:\Windows\System32\svchost.exe -k wsappx -p
A: cloudidsvc, C:\Windows\system32\svchost.exe -k CloudIdServiceGroup -p
A: COMSysApp, C:\Windows\system32\dllhost.exe /P

Aram · August 6, 2024, 7:24pm

There are 2 (maybe 3) potential issues here:

the ‘or’ in the whose filter should be an ‘and’
Some of the service image paths in the registry start with double-quotes, so, they are likely being included when you don’t want them to be
there could potentially be case-sensitivity issues

Try something like the following:

(service names of it, image paths of it) of services whose (image path of it as lowercase does not start with "C:\Program Files (x86)" as lowercase AND image path of it as lowercase does not start with "%22C:\Program Files (x86)" as lowercase AND image path of it as lowercase does not start with "C:\Windows" as lowercase AND image path of it as lowercase does not start with "%22C:\Windows" as lowercase)

baumpower · August 6, 2024, 7:24pm

Hmmm - this one is persistent: wbengine, “C:\Windows\system32\wbengine.exe”

baumpower · August 6, 2024, 7:25pm

Looking good - going to make a few edits, but I think you nailed it!