If you have a compromised Windows system and want to analyze when services were installed or modified, then how do you do that? Today’s SuperUser Q&A post has the answers to a curious reader’s question.
Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.
Notepad screenshot courtesy of Flyk (SuperUser).
The Question
SuperUser reader Lucas Kauffman wants to know how to find the Creation Date (or Last Modified Date) for services in Windows:
If you have a compromised operating system that you are trying to analyze for newly installed services or when services were installed, how do you do that? Where can I find the Creation Date for a particular service in the Windows registry?
How do you find the Creation Date or Last Modified Date for services in Windows?
The Answer
SuperUser contributors Flyk and Andrew Medico have the answer for us. First up, Flyk:
There is no way to determine the Creation Date for a particular Windows service as both the services applet and Windows registry do not store any dates related to creation.There is, however, a Last Modified Date that is hidden away from view (even in the Windows registry editor), but it can be accessed usingRegQueryInfoKey. Since all Windows services are stored in the registry, you can check the Last Modified Date against the registry keys related to the service in question by looking inHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.Alternatively, if you export the registry keys you want information about as text file, you will see the Last Modified Date for each key is written in the text file.Finally, a solution using PowerShell to return the Last Modified Date has already been discussed on Stack Overflow.
Followed by the answer from Andrew Medico:
Starting with Vista, service creation is logged to the System Event Logunder Service Control Manager Event ID 7045.For example, the following command:Produced the following event log entry:
No comments:
Post a Comment