services.exe (System Process) | Risk: Critical | Platform: Windows | Legitimate binary, commonly abused

services.exe - Windows Service Control Manager Security Analysis

services.exe is the **Windows Service Control Manager (SCM)**. It starts, stops and manages every Windows service, runs as NT AUTHORITY\SYSTEM, and is the parent of every legitimate svchost.exe instance and of every standalone service executable. Because a service starts automatically at boot and runs under whatever account it is configured for (usually LocalSystem), **service creation is one of the most common persistence mechanisms** attackers use to keep SYSTEM-level access.

Risk Summary

CRITICAL priority for SOC triage. services.exe manages every Windows service, so the events that matter are service installations: **System Event ID 7045** (a service was installed; written by the SCM by default) and **Security Event ID 4697** (the same event in the Security log; only logged when the "Security System Extension" audit subcategory is enabled). A services.exe running from any path other than C:\Windows\System32, with a parent other than wininit.exe, or as any account other than NT AUTHORITY\SYSTEM, should be treated as malicious until proven otherwise.

Overview

What is services.exe?

services.exe is the Service Control Manager (SCM) for Windows, the central authority for Windows service lifecycle management.

Core Functions

Service Database Management:

  • Maintains the service database, persisted under HKLM\SYSTEM\CurrentControlSet\Services
  • Stores each service's configuration (binary path, start type, run-as account) and runtime state
  • Resolves service dependencies and start ordering

Service Lifecycle Control:

  • Starts services at boot or on demand
  • Stops, pauses, and resumes services
  • Handles service failure recovery

Service Host Management:

  • Spawns svchost.exe instances
  • Launches standalone service executables

Security Significance

  • Persistence Vector: creating or modifying a service (T1543.003) is one of the most common persistence techniques, because the SCM restarts it at every boot
  • SYSTEM Privileges: most services run as LocalSystem, so a malicious service, or a hijacked service binary, executes with the highest user-mode privileges
  • Parent of svchost.exe: every legitimate svchost.exe, and every standalone service executable, is a child of services.exe
  • Critical and Protected Process: services.exe is marked as a critical system process, so terminating it triggers a bugcheck (blue screen); on Windows 8.1 and later it also runs as a Protected Process Light (PPL), which prevents even administrators from opening it with full access or injecting into it

Normal Behavior

Expected Process State

Property     Expected Value
Path         C:\Windows\System32\services.exe
Parent       wininit.exe (Windows Vista and later)
Instances    exactly one
User         NT AUTHORITY\SYSTEM
Children     svchost.exe instances and standalone service executables
Memory       roughly 10-30 MB

Normal Child Processes

services.exe
├── svchost.exe (multiple instances)
├── spoolsv.exe (Print Spooler)
├── msiexec.exe (during installations)
└── [other service executables]

Critical: services.exe should NOT spawn cmd.exe, powershell.exe or script hosts directly. When it does, a service has been created whose binary path is an interpreter or a one-liner (for example a binPath= of "cmd /c ..."), which is how remote-execution tools and persistence implants commonly run commands as SYSTEM.

Common Locations

C:\Windows\System32\services.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Path:        C:\Windows\System32\services.exe
Parent:      wininit.exe
Instances:   ONE
User:        NT AUTHORITY\SYSTEM
Children:    svchost.exe, services

SUSPICIOUS

Path:        C:\Windows\services.exe (missing System32!)
             C:\Users\...\services.exe
Parent:      explorer.exe, cmd.exe, or anything other than wininit.exe
User:        anything other than NT AUTHORITY\SYSTEM
Instances:   more than one
Children:    cmd.exe, powershell.exe, script hosts spawned directly

Service Installation Red Flags

Indicator      Normal                                    Suspicious
Binary path    System32, Program Files                   Temp, Users, AppData, ProgramData, Public
Service name   Descriptive, matches the vendor/product   Random or obfuscated; a Windows-sounding name pointing outside System32
Signature      Signed by the vendor                      Unsigned or invalid signature

Attack Techniques

Technique #1: Malicious Service Creation (T1543.003)

sc create "WindowsUpdate" binPath= "C:\Windows\Temp\payload.exe" start= auto

The name mimics a built-in component while the binary sits in a world-writable Temp folder; start= auto makes the SCM launch it as LocalSystem at every boot. (sc.exe requires the space after each "="; from PowerShell call it as sc.exe, because plain sc is an alias for Set-Content.)

Detection Events:

  • Security Event ID 4697 (A service was installed in the system), only when the "Security System Extension" audit subcategory is enabled
  • System Event ID 7045 (A service was installed in the system), written by the Service Control Manager by default
  • A new key under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>
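The following PowerShell is an added example, not code from the original page: it collects the two detection events above, applies the red flags from the Service Installation Red Flags table, and runs over constructed sample records so the logic can be exercised offline. The property order for 7045 and 4697 is taken from the standard event templates; the "random name" and "Windows-sounding name" tests are heuristics, not rules from the page.

```powershell
# Added example (not code from the original page). Hunts new-service events
# (System 7045 and Security 4697) and flags suspicious binary paths and names.

function Get-ServiceExecutable {
    # Reduce a binPath/ImagePath such as  "C:\Program Files\V\svc.exe" -k  or
    # %SystemRoot%\Temp\x.exe /q  or  cmd.exe /c ...  to the executable only.
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim()) -replace '^\\\?\?\\', ''
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($p, '^.*?\.(exe|dll|bat|cmd)\b', 'IgnoreCase')
    if ($m.Success) { return $m.Value }
    return ($p -split '\s+')[0]
}

function Get-ServiceRedFlags {
    param([Parameter(Mandatory)][string]$ServiceName, [Parameter(Mandatory)][string]$ImagePath)
    $flags = @()
    $exe = Get-ServiceExecutable $ImagePath
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $flags += 'relative binary path (resolved through the search path)'
    } elseif ($exe -match '\\(Temp|Users|AppData|ProgramData|Public|Downloads|\$Recycle\.Bin|PerfLogs)\\') {
        $flags += 'binary in a user-writable location'
    }
    if ($exe -match '(^|\\)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$') {
        $flags += 'interpreter or LOLBin used as the service binary'
    }
    # Heuristic: 8+ alphanumerics with no vowel looks generated rather than descriptive
    if ($ServiceName -match '^[A-Za-z0-9]{8,}$' -and $ServiceName -notmatch '[aeiouAEIOU]') {
        $flags += 'random-looking service name'
    }
    # Heuristic: a Windows/Microsoft-sounding name whose binary is not in a Microsoft location
    if ($ServiceName -match '^(Windows|Microsoft)' -and
        $exe -notmatch '^[A-Za-z]:\\(Windows\\(System32|SysWOW64)|Program Files( \(x86\))?\\Microsoft)\\') {
        $flags += 'Windows-sounding name outside System32 / Program Files\Microsoft'
    }
    if ([IO.Path]::IsPathRooted($exe) -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $flags += "signature status: $($sig.Status)" }
    }
    return $flags
}

function Get-NewServiceEvents {
    # Live collection. Account is the run-as account for 7045 and the installing user for 4697.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($e in @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Time = $e.TimeCreated; Source = 'System/7045'; ServiceName = $e.Properties[0].Value
                           ImagePath = $e.Properties[1].Value; Account = $e.Properties[4].Value }
    }
    foreach ($e in @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4697; StartTime = $since } -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Security/4697'; ServiceName = $e.Properties[4].Value
                           ImagePath = $e.Properties[5].Value; Account = $e.Properties[1].Value }
    }
}

# Constructed sample records standing in for Get-NewServiceEvents output.
$sample = @(
    [pscustomobject]@{ Time = '2026-01-18T09:00:00'; Source = 'System/7045';   ServiceName = 'Spooler';       ImagePath = 'C:\Windows\System32\spoolsv.exe'; Account = 'LocalSystem' }
    [pscustomobject]@{ Time = '2026-01-18T09:05:00'; Source = 'System/7045';   ServiceName = 'WindowsUpdate'; ImagePath = 'C:\Windows\Temp\payload.exe';       Account = 'LocalSystem' }
    [pscustomobject]@{ Time = '2026-01-18T09:06:00'; Source = 'Security/4697'; ServiceName = 'kxqzvdtp';      ImagePath = 'cmd.exe /c powershell -enc AAAA';  Account = 'jsmith' }
)
$events = $sample   # on a live host:  $events = Get-NewServiceEvents -Hours 24
foreach ($ev in $events) {
    $flags = @(Get-ServiceRedFlags -ServiceName $ev.ServiceName -ImagePath $ev.ImagePath)
    if ($flags.Count -gt 0) {
        '{0} {1} {2} -> {3}: {4}' -f $ev.Time, $ev.Source, $ev.ServiceName, $ev.ImagePath, ($flags -join '; ')
    }
}
```

With the sample, Spooler produces no output, WindowsUpdate is flagged for the Temp location and the Windows-sounding name, and kxqzvdtp is flagged for the relative path, the cmd.exe binary and the random name. Replace $sample with Get-NewServiceEvents on a live host; 4697 rows will only appear once the audit policy from the Remediation section is enabled.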

Technique #2: Service Binary Hijacking (T1574.010)

Vulnerable Conditions:

  • Service binary stored in a user-writable location, so a low-privileged user can replace it and have the SCM run the replacement as the service account
  • Weak ACLs on the service executable or its directory (Write, Modify, Full Control, or the right to change permissions or take ownership granted to Users, Authenticated Users or Everyone)
  • Unquoted service paths containing spaces, where the SCM tries C:\Program.exe before C:\Program Files\... (T1574.009, Path Interception by Unquoted Path)
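An added audit for the three conditions above, as PowerShell that is not part of the original page. "Weak ACL" is defined here as any Allow ACE granting write-class rights (or the GENERIC_WRITE / GENERIC_ALL bits) to Everyone, Users, Authenticated Users or INTERACTIVE on the binary, its directory, or a directory an unquoted path would make the SCM search first; the sample services at the bottom are constructed so the unquoted-path logic can be seen without a live host.

```powershell
# Added example (not from the original page): audit services for binary
# hijacking conditions (writable binary/directory, unquoted path with spaces).

$LowPrivIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let an attacker replace the file, plus the GENERIC_WRITE and GENERIC_ALL bits
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

function Get-WeakAces {
    # Returns "identity:rights" for each low-privilege Allow ACE on $Path that permits writing
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $LowPrivIdentities -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights) -band $WriteMask) -ne 0) {
            '{0}:{1}' -f $ace.IdentityReference.Value, $ace.FileSystemRights
        }
    }
}

function Get-UnquotedPathTargets {
    # For C:\Program Files\My App\svc.exe the SCM (through CreateProcess) tries
    # C:\Program.exe, then C:\Program Files\My.exe, before the real binary.
    param([Parameter(Mandatory)][string]$UnquotedExe)
    $parts = $UnquotedExe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
}

function Invoke-ServiceHijackAudit {
    param([object[]]$Services = (Get-CimInstance Win32_Service))
    foreach ($svc in $Services) {
        $p = [Environment]::ExpandEnvironmentVariables("$($svc.PathName)".Trim()) -replace '^\\\?\?\\', ''
        if (-not $p) { continue }
        $quoted = $p.StartsWith('"')
        $exe = if ($quoted) { ($p -split '"')[1] } else { [regex]::Match($p, '^.*?\.exe', 'IgnoreCase').Value }
        if (-not $exe) { continue }
        $issues = @()
        if (-not $quoted -and $exe -match ' ') {
            foreach ($t in Get-UnquotedPathTargets $exe) {
                $weak = @(Get-WeakAces (Split-Path $t -Parent))
                $issues += "unquoted path: SCM would try $t first" + $(if ($weak.Count) { " (directory writable by $($weak -join ', '))" })
            }
        }
        if ($exe -match '\\(Temp|Users|AppData|ProgramData|Public)\\') { $issues += 'binary in a user-writable location' }
        $weakFile = @(Get-WeakAces $exe)
        if ($weakFile.Count) { $issues += "binary writable by $($weakFile -join ', ')" }
        $weakDir = @(Get-WeakAces (Split-Path $exe -Parent))
        if ($weakDir.Count) { $issues += "binary directory writable by $($weakDir -join ', ')" }
        if ($issues.Count) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Binary = $exe; Issues = ($issues -join '; ') }
        }
    }
}

# Constructed sample: a correctly quoted path, an unquoted path with spaces, and a binary in a public folder.
$sample = @(
    [pscustomobject]@{ Name = 'GoodSvc';   StartName = 'LocalSystem'; PathName = '"C:\Program Files\Vendor\Good Svc\good.exe" -service' }
    [pscustomobject]@{ Name = 'LegacySvc'; StartName = 'LocalSystem'; PathName = 'C:\Program Files\Legacy Vendor\svc.exe' }
    [pscustomobject]@{ Name = 'DropSvc';   StartName = 'LocalSystem'; PathName = 'C:\Users\Public\update.exe' }
)
Invoke-ServiceHijackAudit -Services $sample | Format-List
# On a live host, audit everything:  Invoke-ServiceHijackAudit | Format-List
```

With the sample, LegacySvc is reported with two interception targets (C:\Program.exe and C:\Program Files\Legacy.exe) and DropSvc for its location; ACL findings appear only for paths that exist on the host. A hit is only exploitable when the service runs as a more privileged account than the user who can write to the flagged path, so read the RunsAs column alongside Issues.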

Technique #3: DLL Hijacking in Services (T1574.001)

The service executable loads a DLL by name or by a relative path, and the attacker places a malicious DLL of that name somewhere earlier in the search order, typically in the service's own directory when it is writable. The DLL then runs inside the service process with the service account's privileges, without the service binary itself being modified.

Technique #4: Process Impersonation (T1036.005)

A fake services.exe dropped in a location other than System32 so that a casual look at the process list, or a detection rule that matches on the image name alone, accepts it as the real SCM:

C:\Windows\services.exe
C:\services.exe

The real SCM is the single instance whose image path is C:\Windows\System32\services.exe and whose parent is wininit.exe; a second "services.exe", whatever its path, is the impostor.

Protection and Remediation

Defense: Service Installation Auditing

auditpol /set /subcategory:"Security System Extension" /success:enable

This turns on Security Event ID 4697 for every service installation; System Event ID 7045 is written by the SCM without any configuration. Forward both to the SIEM and alert on binary paths outside System32 and Program Files, unsigned binaries, and interpreters (cmd.exe, powershell.exe) used as the service binary.

If Malicious Service Detected

  1. Document the service name, display name, binary path, start type and run-as account
  2. Stop: sc stop "ServiceName"
  3. Disable: sc config "ServiceName" start= disabled
  4. Preserve the binary (copy it and record its hash) for analysis; do not delete it from disk
  5. Delete the service entry: sc delete "ServiceName"
  6. Hunt for the same service name, binary path and hash across all endpoints

From PowerShell, call the tool as sc.exe (plain sc is an alias for Set-Content). If the payload ignores stop requests, terminate its process before deleting the service; otherwise the entry only gets marked for deletion and disappears at the next reboot.
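The six steps as one PowerShell function, added here as an example and not taken from the page. It assumes an evidence folder of C:\IR\evidence, WinRM for the cross-endpoint hunt, and an elevated session; the binary is hashed and copied before the service is stopped in case the payload removes itself when it receives a stop control.

```powershell
# Added example (not from the original page): contain a malicious service
# following the documented order, then hunt the indicator on other hosts.

function Remove-MaliciousService {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [string]$EvidenceDir = 'C:\IR\evidence'   # assumed location
    )
    $svc = Get-CimInstance Win32_Service -Filter "Name='$($ServiceName -replace "'", "''")'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    New-Item -ItemType Directory -Force -Path $EvidenceDir | Out-Null

    # 1. Document everything the SCM knows before touching anything
    $record = [ordered]@{
        Host = $env:COMPUTERNAME; Collected = (Get-Date).ToString('o')
        Name = $svc.Name; DisplayName = $svc.DisplayName; PathName = $svc.PathName
        StartMode = $svc.StartMode; State = $svc.State; RunsAs = $svc.StartName; ProcessId = $svc.ProcessId
    }

    # 4. Preserve the binary first: some payloads delete themselves when stopped
    $p = [Environment]::ExpandEnvironmentVariables("$($svc.PathName)".Trim())
    $exe = if ($p.StartsWith('"')) { ($p -split '"')[1] } else { [regex]::Match($p, '^.*?\.exe', 'IgnoreCase').Value }
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $record.SHA256 = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        Copy-Item -LiteralPath $exe -Destination (Join-Path $EvidenceDir "$($record.SHA256).bin")
    }

    if ($PSCmdlet.ShouldProcess($ServiceName, 'stop, disable and delete')) {
        # 2./3. Stop and disable. sc.exe, not sc: in PowerShell 'sc' is an alias for Set-Content.
        sc.exe stop $ServiceName | Out-Null
        sc.exe config $ServiceName start= disabled | Out-Null
        # A payload may ignore SCM control requests; kill the process it owns if it is still alive
        if ($svc.ProcessId) { Stop-Process -Id $svc.ProcessId -Force -ErrorAction SilentlyContinue }
        # 5. Delete the service entry (the file stays on disk for forensics)
        sc.exe delete $ServiceName | Out-Null
    }
    [pscustomobject]$record | ConvertTo-Json | Set-Content -LiteralPath (Join-Path $EvidenceDir "$ServiceName.json")
    [pscustomobject]$record
}

function Find-ServiceIndicator {
    # 6. Hunt the same service name and/or binary hash across other endpoints (requires WinRM)
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$ServiceName,
        [string]$SHA256
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($name, $hash)
        foreach ($s in Get-CimInstance Win32_Service) {
            $p = [Environment]::ExpandEnvironmentVariables("$($s.PathName)".Trim())
            $exe = if ($p.StartsWith('"')) { ($p -split '"')[1] } else { [regex]::Match($p, '^.*?\.exe', 'IgnoreCase').Value }
            $hit = ($s.Name -eq $name)
            if (-not $hit -and $hash -and $exe -and (Test-Path -LiteralPath $exe)) {
                $hit = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash -eq $hash
            }
            if ($hit) { [pscustomobject]@{ Host = $env:COMPUTERNAME; Service = $s.Name; Path = $s.PathName; State = $s.State } }
        }
    } -ArgumentList $ServiceName, $SHA256
}

# Usage on the affected host (elevated), then the fleet hunt:
#   $r = Remove-MaliciousService -ServiceName 'WindowsUpdate'
#   Find-ServiceIndicator -ComputerName (Get-Content .\hosts.txt) -ServiceName $r.Name -SHA256 $r.SHA256
```

Run it with -WhatIf first to see the record that would be written without changing the service. The hunt matches on hash as well as name because the same payload is frequently installed under a different service name on each host.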

Investigation Checklist

  • Verify path is C:\Windows\System32\services.exe
  • Confirm parent is wininit.exe
  • Check for ONE instance only
  • Review Event ID 7045/4697
  • Audit services for suspicious binary paths
  • Check for services in Temp, Users, AppData
  • Look for unquoted service paths
  • Verify service executable signatures
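The first three checklist items, together with the parent, user, child-process and look-alike checks from the Legitimate vs Suspicious section, as one added PowerShell function (example code, not from the page). It uses WMI so it works on any supported Windows version; run it elevated, since an unprivileged caller may get no image path or owner for SYSTEM processes, and remember that PIDs are reused, so a parent that has exited cannot be verified.

```powershell
# Added example (not from the original page): triage the running services.exe.

function Test-ServicesExe {
    $findings = New-Object System.Collections.Generic.List[string]
    $expectedPath = Join-Path $env:SystemRoot 'System32\services.exe'
    $procs = @(Get-CimInstance Win32_Process -Filter "Name='services.exe'")

    if ($procs.Count -ne 1) { $findings.Add("expected exactly one services.exe, found $($procs.Count)") }

    foreach ($p in $procs) {
        $tag = "PID $($p.ProcessId)"
        # Path: anything but %SystemRoot%\System32\services.exe is a masquerade
        if (-not $p.ExecutablePath) { $findings.Add("$tag: image path not readable (run elevated)") }
        elseif ($p.ExecutablePath -ne $expectedPath) { $findings.Add("$tag: wrong path $($p.ExecutablePath)") }

        # Parent: the real SCM is started by wininit.exe
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        if ($parentName -ne 'wininit.exe') { $findings.Add("$tag: parent is $parentName, expected wininit.exe") }

        # Owner: must be NT AUTHORITY\SYSTEM
        $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($o.ReturnValue -eq 0 -and "$($o.Domain)\$($o.User)" -ne 'NT AUTHORITY\SYSTEM') {
            $findings.Add("$tag: runs as $($o.Domain)\$($o.User)")
        }

        # Signature of the on-disk image (catalog-signed system binaries report Valid)
        if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Windows') {
                $findings.Add("$tag: signature $($sig.Status) / $($sig.SignerCertificate.Subject)")
            }
        }

        # Children: services.exe launches service binaries, not shells or script hosts
        foreach ($c in @(Get-CimInstance Win32_Process -Filter "ParentProcessId=$($p.ProcessId)")) {
            if ($c.Name -match '^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$') {
                $findings.Add("$tag: spawned $($c.Name) (PID $($c.ProcessId)): $($c.CommandLine)")
            }
        }
    }

    # Look-alike binaries in the impersonation locations listed on this page
    foreach ($f in @((Join-Path $env:SystemRoot 'services.exe'), (Join-Path $env:SystemDrive 'services.exe'))) {
        if (Test-Path -LiteralPath $f) { $findings.Add("look-alike binary on disk: $f") }
    }

    $verdict = if ($findings.Count) { 'SUSPICIOUS' } else { 'OK' }
    [pscustomobject]@{ Verdict = $verdict; Findings = $findings.ToArray() }
}

Test-ServicesExe | Format-List
```

A clean host returns Verdict OK with an empty Findings list. A shell child is the finding to act on immediately; a wrong path or a second instance means the impostor process, not the real SCM, is the one to stop and preserve.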

MITRE ATT&CK Techniques

  • T1543.003 Create or Modify System Process: Windows Service
  • T1574.010 Hijack Execution Flow: Services File Permissions Weakness
  • T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path
  • T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
  • T1036.005 Masquerading: Match Legitimate Name or Location

Last verified: January 18, 2026