{"id":10171,"date":"2021-01-10T06:56:20","date_gmt":"2021-01-10T14:56:20","guid":{"rendered":"https:\/\/www.coretechnologies.com\/blog\/?p=10171"},"modified":"2021-09-24T14:18:15","modified_gmt":"2021-09-24T21:18:15","slug":"what-services-changed","status":"publish","type":"post","link":"https:\/\/www.coretechnologies.com\/blog\/windows-services\/what-services-changed\/","title":{"rendered":"Q&#038;A: What changed with my Windows Services?"},"content":{"rendered":"<div align=\"center\"><img decoding=\"async\" src=\"\/blog\/images\/qa-windows-service-changes.png\" style=\"margin-bottom:20px;\" title=\"Q&#038;A: What changed with my Windows Services?\" alt=\"Q&#038;A: What changed with my Windows Services?\" border=\"0\"><\/div>\n<div class=\"blog-qa-question-box\">\n<p><img decoding=\"async\" src=\"\/images\/quotes-transparent-21x21.png\">&nbsp;&nbsp;How can I tell if someone updated the services on our Windows 2019 server? Do you have any tools for that?<\/p>\n<p align=\"right\">&mdash; Sheldon P.<\/p>\n<\/div>\n<p>Hi Sheldon.<\/p>\n<p>Since Windows Services run with high privileges, it&#8217;s very important to keep an eye on them. And because of their inherent power, services are a prized target for bad actors looking to hack your system.<\/p>\n<p>Indeed, 2020&#8217;s <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2020\/12\/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\" target=\"_blank\" rel=\"noopener noreferrer\">SolarWinds supply chain exploit<\/a> &mdash; one of the <a href=\"https:\/\/www.crn.com\/news\/security\/solarwinds-hack-one-of-the-worst-in-the-last-decade-analyst\" target=\"_blank\" rel=\"noopener noreferrer\">worst attacks in the past decade<\/a> &mdash; featured a rogue Windows Service depositing malware in the background. 
A periodic review of the list of services could have identified the compromise months earlier.<\/p>\n<p>Anyway, our free <a href=\"\/products\/WindowsServiceAuditor\/\">Windows Service Auditor<\/a> is an excellent monitoring tool that can help you in your situation. Follow these instructions to keep a watchful eye on your mission-critical servers.<\/p>\n<h2 class=\"blog-caption-numbered\">1. Download &amp; run Windows Service Auditor<\/h2>\n<p><a href=\"\/products\/WindowsServiceAuditor\/\">Windows Service Auditor<\/a> is a portable application, meaning that you don&#8217;t need to install it. Simply download the executable file and place it in a folder where you can easily find it.<\/p>\n<p>Double-click the file to start it. In a few seconds, a window listing all your Windows Services will appear:<\/p>\n<div align=\"center\"><a href=\"\/blog\/images\/windows-service-auditor-screenshot.png\" class=\"zoomPopup\" title=\"Windows Service Auditor\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"image-padding\" src=\"\/blog\/images\/windows-service-auditor-screenshot.png\" title=\"Windows Service Auditor (click to enlarge)\" alt=\"Windows Service Auditor\" border=\"0\" width=\"520\" \/><\/a><\/div>\n<h2 class=\"blog-caption-numbered\">2. Update your computer&#8217;s security policy to allow advanced auditing<\/h2>\n<p>By default, Windows does not keep track of all changes made to Windows Services. That capability must be enabled via <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/auditing\/advanced-security-auditing\" target=\"_blank\" rel=\"noopener noreferrer\">advanced security audit policies<\/a>. 
Specifically, you need to watch for:<\/p>\n<ul>\n<li>\n<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/auditing\/audit-other-object-access-events\" target=\"_blank\" rel=\"noopener noreferrer\">Other Object Access<\/a>;\n<\/li>\n<li>\n<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/auditing\/audit-handle-manipulation\" target=\"_blank\" rel=\"noopener noreferrer\">Handle Manipulation<\/a>;\n<\/li>\n<li>\n<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/auditing\/audit-security-system-extension\" target=\"_blank\" rel=\"noopener noreferrer\">Security System Extension<\/a>.\n<\/li>\n<\/ul>\n<p>Windows Service Auditor makes it easy to enable that auditing in your local policy. To do so, open the <b>Application<\/b> menu and ensure that the <b>Enable Local Audit Policy<\/b> entry is checked:<\/p>\n<div align=\"center\"><a href=\"\/blog\/images\/enable-local-audit-policy.png\" class=\"zoomPopup\" title=\"Enable Local Audit Policy settings\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" src=\"\/blog\/images\/enable-local-audit-policy.png\" class=\"image-padding\" alt=\"Enable Local Audit Policy settings\" title=\"Enable Local Audit Policy settings\" border=\"0\"><\/a><\/div>\n<h2 class=\"blog-caption-numbered\">3. Enable auditing for important Windows Services, to track who starts\/stops\/changes them<\/h2>\n<p>Do you care about the activities of a specific Windows Service? 
Even though we have enabled advanced auditing in step 2, you must enable auditing for each service that you would like to monitor.<\/p>\n<p>To enable auditing of a service in Windows Service Auditor, highlight the service and check the <b>Selected Service &gt; Enable Auditing<\/b> menu entry:<\/p>\n<div align=\"center\"><a href=\"\/blog\/images\/enable-auditng-menu-entry.png\" class=\"zoomPopup\" title=\"Enable service auditing\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" src=\"\/blog\/images\/enable-auditng-menu-entry.png\" class=\"image-padding\" alt=\"Enable service auditing\" title=\"Enable service auditing\" border=\"0\"><\/a><\/div>\n<p>With auditing in place for a service, the Windows Event logs will record an event whenever someone attempts to start, stop or modify the service. And to save you from hours of digging through the <a href=\"\/blog\/windows-services\/event-viewer-troubleshoot-windows-services\/\">Event Viewer<\/a>, Windows Service Auditor will collect those records in the lower <b>Events<\/b> panel:<\/p>\n<div align=\"center\"><a href=\"\/blog\/images\/windows-service-auditor-wuauserv.png\" class=\"zoomPopup\" title=\"Examining the Windows Update service\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" src=\"\/blog\/images\/windows-service-auditor-wuauserv.png\" class=\"image-padding\" alt=\"Examining the Windows Update service\" title=\"Examining the Windows Update service\" border=\"0\"><\/a><\/div>\n<h2 class=\"blog-caption-numbered\">4. Capture a baseline snapshot of all services running on your machine<\/h2>\n<p>This short video shows how to capture a snapshot of all the services running on your computer:<br \/>\n<!-- Video: How to Export your Windows Services to XML. 
--><\/p>\n<div align=\"left\" class=\"video-responsive image-padding\">\n<iframe width=\"560\" height=\"315\" class=\"lazyload\" data-src=\"\/\/www.youtube.com\/embed\/TsYyuw2ZSIQ?rel=0\" frameborder=\"0\" allowfullscreen><\/iframe>\n<\/div>\n<p>To summarize:<\/p>\n<ol>\n<li>\n<p>Start Windows Service Auditor;<\/p>\n<\/li>\n<li>\n<p>Select <b>All Services &gt; Export (XML)<\/b>;<\/p>\n<\/li>\n<li>\n<p>Choose a file name where the services should be saved.<\/p>\n<\/li>\n<\/ol>\n<p>The file will contain an XML record for each service installed on your computer:<\/p>\n<div align=\"center\"><a href=\"\/blog\/images\/all-services-xml.png\" class=\"zoomPopup\" title=\"Windows Service Auditor: All services XML export\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" src=\"\/blog\/images\/all-services-xml.png\" class=\"image-padding\" alt=\"Windows Service Auditor: All services XML export\" title=\"Windows Service Auditor: All services XML export\" border=\"1\"><\/a><\/div>\n<h2 class=\"blog-caption-numbered\">5. Compare future snapshots to the baseline, to identify changes<\/h2>\n<p>Whenever you want to check if any services have changed, you should:<\/p>\n<ol>\n<li>\n<p>Create a new snapshot XML file, as described in the previous section;<\/p>\n<\/li>\n<li>\n<p>Using your favorite <a href=\"https:\/\/www.jotform.com\/blog\/25-useful-document-and-file-comparison-tools\/\" target=\"_blank\" rel=\"noopener noreferrer\">text comparison tool<\/a>, compare the new snapshot to the baseline you established in the previous section.<\/p>\n<\/li>\n<\/ol>\n<p>The text comparison tool will highlight all changes that have taken place between the snapshots.<\/p>\n<p>We recommend using <a href=\"https:\/\/winmerge.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">WinMerge<\/a> &mdash; a free, mature text differencing tool for Windows.<\/p>\n<p>For example, we established a baseline snapshot on December 29. 
On December 31, we wanted to see what changed with services so we took another snapshot. Afterwards, comparing the two snapshots with WinMerge identified 8 differences, including one showing that the TrustedInstaller service was stopped:<\/p>\n<div align=\"center\"><a href=\"\/blog\/images\/winmerge-compare-service-snapshots.png\" class=\"zoomPopup\" title=\"Compare service snapshots with WinMerge\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" src=\"\/blog\/images\/winmerge-compare-service-snapshots.png\" class=\"image-padding\" alt=\"Compare service snapshots with WinMerge\" title=\"Compare service snapshots with WinMerge\" border=\"0\" width=\"520\" \/><\/a><\/div>\n<p style=\"margin-top:24px;\">\nBest of luck managing your system!\n<\/p>\n<hr style=\"margin-top:24px;\">\n<h2 class=\"blog-caption\">UPDATE &mdash; September 24 2021: Now find out when a service&#8217;s executable has been modified<\/h2>\n<p><a href=\"\/products\/WindowsServiceAuditor\/\">Windows Service Auditor version 3<\/a> includes a few vital improvements that will help you identify when your Windows Services have changed unexpectedly.<\/p>\n<p>And they are just in time, as hackers continue to compromise systems through <a href=\"https:\/\/blog.talosintelligence.com\/2021\/09\/tinyturla.html\" target=\"_blank\" rel=\"noopener\">malware posing as legitimate services<\/a>!<\/p>\n<p>In the new version, Windows Service Auditor now captures the following fields that uniquely identify the executable file supporting the service:<\/p>\n<ul>\n<li>\n<p><b>path<\/b>: The full path to the executable file started by the service.<\/p>\n<\/li>\n<li>\n<p><b>date-modified<\/b>: The date and time that the service&#8217;s executable file was last modified.<\/p>\n<\/li>\n<li>\n<p><b>size<\/b>: The size of the service&#8217;s executable file, in bytes.<\/p>\n<\/li>\n<li>\n<p><b>hash<\/b>: The SHA-256 hash value of the contents of the service&#8217;s executable file. 
This is a fingerprint that uniquely identifies the executable.<\/p>\n<\/li>\n<li>\n<p><b>product-name<\/b>: The &#8220;Product name&#8221; set in the service&#8217;s executable file (visible on the &#8220;Details&#8221; tab of the file&#8217;s properties).<\/p>\n<\/li>\n<li>\n<p><b>company<\/b>: The &#8220;Company&#8221; set in the service&#8217;s executable file (visible on the &#8220;Details&#8221; tab of the file&#8217;s properties).<\/p>\n<\/li>\n<li>\n<p><b>file-description<\/b>: The &#8220;File description&#8221; set in the service&#8217;s executable file (visible on the &#8220;Details&#8221; tab of the file&#8217;s properties).<\/p>\n<\/li>\n<li>\n<p><b>file-version<\/b>: The &#8220;File version&#8221; set in the service&#8217;s executable file (visible on the &#8220;Details&#8221; tab of the file&#8217;s properties).<\/p>\n<\/li>\n<\/ul>\n<p>For example, here is the XML captured for the &#8220;Print Spooler&#8221; service (which was <a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/383432\" target=\"_blank\" rel=\"noopener\">compromised in June 2021<\/a>):<\/p>\n<div align=\"center\"><a href=\"\/blog\/images\/print-spooler-service-xml.png\" class=\"zoomPopup\" title=\"Print Spooler service XML\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" src=\"\/blog\/images\/print-spooler-service-xml.png\" class=\"image-padding\" alt=\"Print Spooler service XML\" title=\"Print Spooler service XML\" border=\"0\" width=\"520\" \/><\/a><\/div>\n<p>With those fields included in the XML, the &#8220;diff&#8221; outlined above will highlight when the service&#8217;s executable has changed. 
No one will be able to swap out (or impersonate) the underlying file without it showing up on your radar!<\/p>","protected":false},"excerpt":{"rendered":"<p>&nbsp;&nbsp;How can I tell if someone updated the services on our Windows 2019 server? Do you have any tools for that? &mdash; Sheldon P. Hi Sheldon. 
Since Windows Services run with high privileges, it&#8217;s very important to keep an eye &hellip; <a href=\"https:\/\/www.coretechnologies.com\/blog\/windows-services\/what-services-changed\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":10198,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18],"tags":[127,143,240,196,241],"class_list":["post-10171","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-windows-services","tag-qa","tag-security","tag-windows-service-auditor","tag-windows-services-2","tag-winmerge"],"_links":{"self":[{"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/posts\/10171","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/comments?post=10171"}],"version-history":[{"count":42,"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/posts\/10171\/revisions"}],"predecessor-version":[{"id":10676,"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/posts\/10171\/revisions\/10676"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/media\/10198"}],"wp:attachment":[{"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/media?parent=10171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v2\/categories?post=10171"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.coretechnologies.com\/blog\/wp-json\/wp\/v
2\/tags?post=10171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}