
There are literally hundreds of services in the Windows operating system, some of which are managed by the Service Control Manager (services.msc). All of these services are listed in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.


The ones that are controlled by the Service Manager are listed as Type 16, Type 32 (can share a process with other services), or Type 272 (usually third party services). The name of the service listed in the Service Manager is not necessarily the same as the name listed in the registry. To find the name used in the registry, right-click the name in the Service Manager and look at the Properties. You will find the service name near the top.


Once you have found the service in the registry, you can examine the properties of that service.


In the example above, the Service Name happens to be a simple abbreviation of the DisplayName, but it could be completely different. For example, the service called Windows Firewall has a Service Name of MpsSvc. In the above service, the Image Path gives us the name of the file that provides this service and its location. In many cases, however, the Image Path only gives us the name of the container.


To find the name of the actual file used, we have to look further.


This service is called the Task Scheduler, and uses the svchost.exe container to load schedsvc.dll as part of “netsvcs”. Each svchost can host several library services that can depend on one another.

Under each service, we also see a “Start” value.

| VALUE | LOADER | MEANING |
|---|---|---|
| 0x0 (Boot) | Kernel | Part of the driver stack and must be loaded by the Boot Loader |
| 0x1 (System) | I/O | Driver to be loaded at Kernel initialization |
| 0x2 (Auto load) | SCM | Loaded or started automatically for all startups |
| 0x3 (Manual) | SCM | Available, but will not be started until called upon |
| 0x4 (Disabled) | SCM | Not to be started under any conditions |
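The lookups described above can be done in one pass when auditing which files services actually load. The following PowerShell is an added example, not code from the original page: it walks the Services key, keeps the Type 16, 32 and 272 entries, decodes the Start value, and for svchost-hosted services reads the DLL name. It assumes the DLL is recorded in the `ServiceDll` value of the service's `Parameters` subkey (the standard location, not named in the text above); the variable names are illustrative.

```powershell
# Added example: report SCM-managed services from the registry with their
# start type and the file that actually implements each one.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Start values as given in the table on this page.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto load'; 3 = 'Manual'; 4 = 'Disabled' }

# Type values the page lists for services shown in the Service Manager.
$scmTypes = 16, 32, 272

$report = foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    $svc = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $scmTypes -notcontains $svc.Type) { continue }

    # A missing Start value is reported as such rather than read as 0 (Boot).
    $start = 'Not set'
    if ($null -ne $svc.Start) { $start = $startNames[[int]$svc.Start] }

    # For svchost-hosted services ImagePath names only the container; the DLL
    # is assumed to be in the ServiceDll value of the Parameters subkey.
    $dll = $null
    if ($svc.ImagePath -match 'svchost\.exe') {
        $params = Get-ItemProperty -LiteralPath "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue
        if ($params) { $dll = $params.ServiceDll }
    }

    [pscustomobject]@{
        ServiceName = $key.PSChildName   # registry key name, e.g. MpsSvc
        DisplayName = $svc.DisplayName   # may be a resource reference (@file,-id)
        Type        = $svc.Type
        Start       = $start
        ImagePath   = $svc.ImagePath
        ServiceDll  = $dll
    }
}

$report | Sort-Object ServiceName | Format-Table -AutoSize -Wrap
```

Entries whose ImagePath or ServiceDll points outside the usual system directories are the ones worth a closer look during a review.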
