Skip to content

FS_SysInfo_Services

Jump to bottom
ufrisk edited this page Mar 2, 2023 · 5 revisions

The sys/services directory

The directory sys/services exists as a sub-directory to the file system root.

The directory and its sub-directories contains information about services extracted from the service control manager (SCM).

The files in the sys/services directory are listed in the table below:

File Description
services.txt Summary information about all services listed by ordinal.
by-id/[id]/registry/ Service registry key.
by-id/[id]/svcinfo.txt Detailed information about each service.
by-name/[name]/registry/ Service registry key.
by-name/[name]/svcinfo.txt Detailed information about each service.

Files in the sys/services directory and sub-directories are read-only except for binary registry key/values.

File: services.txt

The file services.txt contains summary information about the services. The meaning of the different columns are as follows:

#       PID START_TP     STATE      TYPE TYPE    RECORD_ADDR  NAME / DISPLAYNAME                              USER           IMAGE-PATH                            OBJECT-NAME
==============================================================================================================================================================================
...
0034   1332 AUTO_START   RUNNING    PROC SHR     000000b76a20 BFE / Base Filtering Engine                     LOCAL SERVICE  %SystemRoot%\System32\bfe.dll      :: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
0035    112 AUTO_START   RUNNING    PROC SHR     000000b74cc0 BITS / Background Intelligent Transfer Service  SYSTEM         %SystemRoot%\System32\qmgr.dll     :: C:\Windows\system32\svchost.exe -k netsvcs
0036      0 SYSTEM_START RUNNING    DRV  KERNEL  000000b74db0 blbdrive                                        ---            system32\DRIVERS\blbdrive.sys      :: \Driver\blbdrive
0037      0 DEMAND_START RUNNING    DRV  FS      000000b74ea0 bowser / Browser Support Driver                 ---            system32\DRIVERS\bowser.sys        :: \FileSystem\bowser
...

File: by-id/[id]/svcinfo.txt   and   by-name/[name]/svcinfo.txt

The file svcinfo.txt contains detailed information about each service as shown below:

Ordinal:          35
Service Name:     BITS
Display Name:     Background Intelligent Transfer Service
Record Address:   0x000000b74cc0
Service Type:     SERVICE_AUTO_START (0x2)
Service State:    SERVICE_RUNNING (0x4)
Service Type:     SERVICE_WIN32_SHARE_PROCESS (0x20)
Process ID (PID): 112
Path:             C:\Windows\system32\svchost.exe -k netsvcs
Image Path:       %SystemRoot%\System32\qmgr.dll
User Type:        
User Account:     SYSTEM

Example

The example shows the sys/services directory with the summary information and detailed information about one service.

For Developers

The sys/svc sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_sys_svc.c in the vmm project.

Sponsor PCILeech and MemProcFS:

PCILeech and MemProcFS is free and open source!

I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!

If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk

Thank You 💖

Overview

API

Root File System

Per-Process File System

Development

FAQ

Clone this wiki locally