EvilOctal Security Team Technical Discussion Group's Archiver

金州 2006-2-14 07:51

[Repost] Scripts: Service-Related

<P>Source: EvilOctal Security Team (<A href="http://www.eviloctal.com">www.eviloctal.com</A>)</P>
<P>Compiled by EvilOctal.</P>
<H1>Change a Service Account Password</H1>
<DIV style="HEIGHT: 18px"></DIV>
<P><B>Description</B><BR>Changes the service account password for any service running under the hypothetical service account Netsvc.</P>
<P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service")
For Each objService in colServiceList
    If objService.StartName = ".\netsvc" Then
        ' The eighth parameter of Change() is StartPassword; the omitted ones stay unchanged.
        errReturn = objService.Change( , , , , , , , "password")
    End If
Next
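<H1>Configure Service Error Control Codes</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Configures all auto-start services to issue an alert when the service fails to start.</P><P><B>Script Code</B></P><PRE class=codeSample>' ErrorControl values: 0 = Ignore, 1 = Normal, 2 = Severe, 3 = Critical
Const NORMAL_ERROR_CONTROL = 1
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Selects every service whose error control is currently Ignore.
Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service where ErrorControl = 'Ignore'")
For Each objService in colServiceList
    ' The fourth parameter of Change() is ErrorControl.
    errReturn = objService.Change( , , , NORMAL_ERROR_CONTROL)
Next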
<H1>Configure Service Start Options</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Disables all services configured for manual start. Among other things, this prevents Power Users from starting these services.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service where StartMode = 'Manual'")
For Each objService in colServiceList
    ' The fifth parameter of Change() is StartMode.
    errReturnCode = objService.Change( , , , , "Disabled")
Next
<H1>Identify Services Running in a Process</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Returns a list of services running in the Services.exe process.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service")
For Each objService in colListOfServices
    ' Exact, case-sensitive match on the service executable path.
    If objService.PathName = "C:\WINDOWS\system32\services.exe" Then
        Wscript.Echo objService.DisplayName
    End If
Next
<H1>Identify Services Running in All Processes</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Returns a list of processes and all the services currently running in each process.</P><P><B>Script Code</B></P><PRE class=codeSample>Set objIdDictionary = CreateObject("Scripting.Dictionary")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where State <> 'Stopped'")
' Collect the distinct process IDs that host at least one service.
For Each objService in colServices
    If Not objIdDictionary.Exists(objService.ProcessID) Then
        objIdDictionary.Add objService.ProcessID, objService.ProcessID
    End If
Next
colProcessIDs = objIdDictionary.Items
' List the services hosted by each process.
For i = 0 to objIdDictionary.Count - 1
    Set colServices = objWMIService.ExecQuery _
        ("Select * from Win32_Service Where ProcessID = '" & _
        colProcessIDs(i) & "'")
    Wscript.Echo "Process ID: " & colProcessIDs(i)
    For Each objService in colServices
        Wscript.Echo VbTab & objService.DisplayName
    Next
Next
<H1>Identify Services That Can Be Paused</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Returns a list of services that can be paused.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where AcceptPause = True")
For Each objService in colServices
    Wscript.Echo objService.DisplayName
Next
<H1>Identify Services That Can Be Stopped</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Returns a list of services that can be stopped.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where AcceptStop = True")
For Each objService in colServices
    Wscript.Echo objService.DisplayName
Next
<H1>Enumerate Antecedent Services for a Single Service</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Enumerates all services that must be running before the SMTP service can be started.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Role=Dependent: SMTPSVC is the dependent, so the query returns its antecedents.
Set colServiceList = objWMIService.ExecQuery("Associators of " _
    & "{Win32_service.Name='SMTPSVC'} Where " _
    & "AssocClass=Win32_DependentService " & "Role=Dependent")
For Each objService in colServiceList
    Wscript.Echo objService.DisplayName
Next
<H1>Enumerate Dependent Services for a Single Service</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Enumerates all services that cannot be started until the Rasman service has started.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Role=Antecedent: rasman is the antecedent, so the query returns its dependents.
Set colServiceList = objWMIService.ExecQuery("Associators of " _
    & "{Win32_Service.Name='rasman'} Where " _
    & "AssocClass=Win32_DependentService " & "Role=Antecedent" )
For Each objService in colServiceList
    Wscript.Echo objService.DisplayName
Next
<H1>Enumerate Dependent Services for All Services</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B></P><P>Enumerates the dependent services of every service installed on the computer.</P><P><B>Script Code</B></P><PRE class=codeSample>Const ForAppending = 8

' Open (or create) the CSV log file and write the header line.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLogFile = _
    objFSO.OpenTextFile("C:\Scripts\Service_Dependencies.csv", _
    ForAppending, True)
objLogFile.Write("Service Dependencies")
objLogFile.WriteLine

strComputer = "."
Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=Impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery("Select * from Win32_Service")

For Each objService in colServices
    strServiceRegistryName = objService.Name
    strServiceDisplayName = objService.DisplayName

    ' Role=Antecedent returns the services that depend on this one.
    Set colDependentServices = objWMIService.ExecQuery("Associators of " & _
        "{Win32_Service.Name='" & strServiceRegistryName & "'} " & _
        "Where AssocClass=Win32_DependentService Role=Antecedent")

    If colDependentServices.Count = 0 Then
        objLogFile.Write(strServiceDisplayName & ",None")
        objLogFile.WriteLine
    Else
        objLogFile.Write(strServiceDisplayName & ",")
        For Each objDependentService in colDependentServices
            objLogFile.Write(objDependentService.DisplayName & ",")
        Next
        objLogFile.WriteLine
    End If
Next

objLogFile.Close
<H1>Enumerate Inactive Services</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Returns a list of all services installed on the computer that are currently stopped.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."

Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=Impersonate}!\\" & strComputer & "\root\cimv2")

' Matches every state other than Running, so the state is echoed with each name.
Set colStoppedServices = objWMIService.ExecQuery _
    ("SELECT DisplayName,State FROM Win32_Service WHERE State <> 'Running'")

For Each objService in colStoppedServices
    Wscript.Echo objService.DisplayName & " = " & objService.State
Next
<H1>Enumerate Service Load Order Groups</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Returns a list of all service load order groups on the computer, together with their load order.</P><P>For more information about the Win32_LoadOrderGroup class used in this script, click <A href="http://msdn.microsoft.com/library/en-us/wmisdk/wmi/win32_loadordergroup.asp">here</A>.</P><P><B>Supported Platforms</B></P><TABLE class=dataTable id=EGAA cellSpacing=0 cellPadding=0><THEAD></THEAD><TBODY><TR class=record vAlign=top><TD><P class=lastInCell><B>Windows Server 2003</B></P></TD><TD style="BORDER-RIGHT: #cccccc 1px solid"><P class=lastInCell><B>Yes</B></P></TD></TR><TR class=evenRecord vAlign=top><TD><P class=lastInCell><B>Windows XP</B></P></TD><TD style="BORDER-RIGHT: #cccccc 1px solid"><P class=lastInCell><B>Yes</B></P></TD></TR><TR class=record vAlign=top><TD><P class=lastInCell><B>Windows 2000</B></P></TD><TD style="BORDER-RIGHT: #cccccc 1px solid"><P class=lastInCell><B>Yes</B></P></TD></TR><TR class=evenRecord vAlign=top><TD><P class=lastInCell><B>Windows NT 4.0</B></P></TD><TD style="BORDER-RIGHT: #cccccc 1px solid"><P class=lastInCell><B>Yes, requires WMI to be installed</B></P></TD></TR></TBODY></TABLE><DIV class=dataTableBottomMargin></DIV><P><B>Script Code</B></P><PRE class=codeSample>On Error Resume Next
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_LoadOrderGroup")
For Each objItem in colItems
    Wscript.Echo "Driver Enabled: " & objItem.DriverEnabled
    Wscript.Echo "Group Order: " & objItem.GroupOrder
    Wscript.Echo "Name: " & objItem.Name
    Wscript.Echo
Next
<H1>Monitor Service Performance</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Uses formatted performance counters to retrieve performance data for the DHCP Server service. Requires Windows XP or Windows Server 2003.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objRefresher = CreateObject("WbemScripting.SWbemRefresher")
Set colDHCPServer = objRefresher.AddEnum _
    (objWMIService, "win32_PerfFormattedData_DHCPServer_DHCPServer"). _
    ObjectSet
objRefresher.Refresh
' Take 60 samples, 10 seconds apart.
For i = 1 to 60
    For Each objDHCPServer in colDHCPServer
        Wscript.Echo "Acknowledgements per second: " & _
            objDHCPServer.AcksPerSec
        Wscript.Echo "Declines per second: " & _
            objDHCPServer.DeclinesPerSec
        Wscript.Echo "Discovers per second: " & _
            objDHCPServer.DiscoversPerSec
        Wscript.Echo "Informs per second: " & objDHCPServer.InformsPerSec
        Wscript.Echo "Offers per second: " & objDHCPServer.OffersPerSec
        Wscript.Echo "Releases per second: " & _
            objDHCPServer.ReleasesPerSec
        Wscript.Echo "Requests per second: " & _
            objDHCPServer.RequestsPerSec
    Next
    Wscript.Sleep 10000
    objRefresher.Refresh
Next
<H1>Pause Services Running Under a Specific Account</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Pauses all services running under the hypothetical service account Netsvc.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service")
For Each objService in colServices
    If objService.StartName = ".\netsvc" Then
        errReturnCode = objService.PauseService()
    End If
Next
<H1>Delete a Service</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Deletes a hypothetical service named DbService.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where Name = 'DbService'")
For Each objService in colListOfServices
    ' Stop the service first, then remove it.
    objService.StopService()
    objService.Delete()
Next
<H1>Resume Paused Auto-Start Services</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Restarts any auto-start services that have been paused.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where State = 'Paused' and StartMode = 'Auto'")
For Each objService in colListOfServices
    objService.ResumeService()
Next
<H1>Retrieve Service Properties</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B></P><P>Retrieves a complete list of services and their associated properties. Saves the information to a text file: C:\Scripts\Service_List.csv.</P><P><B>Script Code</B></P><PRE class=codeSample>Const ForAppending = 8
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLogFile = objFSO.OpenTextFile("c:\scripts\service_list.csv", _
    ForAppending, True)
' Write the CSV header line.
objLogFile.Write _
    ("System Name,Service Name,Service Type,Service State, Exit " _
    & "Code,Process ID,Can Be Paused,Can Be Stopped,Caption," _
    & "Description,Can Interact with Desktop,Display Name,Error " _
    & "Control, Executable Path Name,Service Started," _
    & "Start Mode,Account Name ")
objLogFile.Writeline
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service")
For Each objService in colListOfServices
    ' Without Call, the parentheses only group the first operand, so each
    ' statement writes the property value followed by a comma.
    objLogFile.Write(objService.SystemName) & ","
    objLogFile.Write(objService.Name) & ","
    objLogFile.Write(objService.ServiceType) & ","
    objLogFile.Write(objService.State) & ","
    objLogFile.Write(objService.ExitCode) & ","
    objLogFile.Write(objService.ProcessID) & ","
    objLogFile.Write(objService.AcceptPause) & ","
    objLogFile.Write(objService.AcceptStop) & ","
    objLogFile.Write(objService.Caption) & ","
    objLogFile.Write(objService.Description) & ","
    objLogFile.Write(objService.DesktopInteract) & ","
    objLogFile.Write(objService.DisplayName) & ","
    objLogFile.Write(objService.ErrorControl) & ","
    objLogFile.Write(objService.PathName) & ","
    objLogFile.Write(objService.Started) & ","
    objLogFile.Write(objService.StartMode) & ","
    objLogFile.Write(objService.StartName) & ","
    objLogFile.Writeline
Next
objLogFile.Close<BR><H1>Retrieve Service Status</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Returns a list of all services installed on the computer and indicates their current status (generally, whether they are running or not running).</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colRunningServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service")
For Each objService in colRunningServices
    Wscript.Echo objService.DisplayName & VbTab & objService.State
Next
<H1>Retrieve Service Status Changes from the Event Log</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Retrieves events with event ID 7036 from the System event log. These events are recorded any time a service changes status. Requires Windows XP or Windows Server 2003.</P><P><B>Script Code</B></P><PRE class=codeSample>Set dtmConvertedDate = CreateObject("WbemScripting.SWbemDateTime")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServiceEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
    & "EventCode = '7036'")
For Each strEvent in colServiceEvents
    ' Convert the WMI datetime string into a VBScript date before echoing it.
    dtmConvertedDate.Value = strEvent.TimeWritten
    Wscript.Echo dtmConvertedDate.GetVarDate
    Wscript.Echo strEvent.Message
Next
<H1>Start a Service and Its Dependent Services</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Starts the NetDDE service and all of its dependent services.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service where Name='NetDDE'")
For Each objService in colServiceList
    errReturn = objService.StartService()
Next
' Give NetDDE time to start before starting the services that depend on it.
Wscript.Sleep 20000
' Role=Antecedent: NetDDE is the antecedent, so the query returns its dependents.
Set colServiceList = objWMIService.ExecQuery("Associators of " _
    & "{Win32_Service.Name='NetDDE'} Where " _
    & "AssocClass=Win32_DependentService " & "Role=Antecedent" )
For Each objService in colServiceList
    objService.StartService()
Next
<H1>Start Auto-Start Services That Have Stopped</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Restarts any auto-start services that have stopped.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where State = 'Stopped' and StartMode = " _
    & "'Auto'")
For Each objService in colListOfServices
    objService.StartService()
Next
<H1>Stop a Service and Its Dependent Services</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Stops the NetDDE service and all of its dependent services.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Stop the services that depend on NetDDE first.
Set colServiceList = objWMIService.ExecQuery("Associators of " _
    & "{Win32_Service.Name='NetDDE'} Where " _
    & "AssocClass=Win32_DependentService " & "Role=Antecedent" )
For Each objService in colServiceList
    objService.StopService()
Next
' Give the dependent services time to stop before stopping NetDDE itself.
Wscript.Sleep 20000
Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service where Name='NetDDE'")
For Each objService in colServiceList
    errReturn = objService.StopService()
Next
<H1>Stop Services Running Under a Specific Account</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Stops all services running under the hypothetical service account Netsvc.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("Select * from win32_Service")
For Each objService in colServices
    If objService.StartName = ".\netsvc" Then
        errReturnCode = objService.StopService()
    End If
Next
<H1>Switch a Service Account to LocalService</H1><DIV style="HEIGHT: 18px"></DIV><P><B>Description</B><BR>Changes the service account of any service running under the hypothetical service account Netsvc to LocalService.</P><P><B>Script Code</B></P><PRE class=codeSample>strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service")
For Each objService in colServices
    If objService.StartName = ".\netsvc" Then
        ' Parameters seven and eight of Change() are StartName and StartPassword.
        errServiceChange = objService.Change _
            ( , , , , , , "NT AUTHORITY\LocalService" , "")
    End If
Next
</PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE></PRE>

© 1999-2008 EvilOctal Security Team