[Repost] Scripts: Services

Source: Evil Octal Information Security Team (www.eviloctal.com)

Compiled by Evil Octal.

Change a Service Account Password

Description
Changes the service account password for any service running under the hypothetical service account Netsvc.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service")
For Each objService in colServiceList
    If objService.StartName = ".\netsvc" Then
        ' StartPassword is the eighth parameter of Change
        errReturn = objService.Change( , , , , , , , "password")
    End If
Next

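Configure Service Error Control Codes

Description
Configures all auto-start services to issue an alert if the service fails to start.

Script Code

' ErrorControl values accepted by Change: 0 = Ignore, 1 = Normal, 2 = Severe, 3 = Critical
Const NORMAL_ERROR_CONTROL = 1
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' The query selects the services whose error control is currently Ignore
Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service where ErrorControl = 'Ignore'")
For Each objService in colServiceList
    errReturn = objService.Change( , , , NORMAL_ERROR_CONTROL)
Next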

Configure Service Start Options

Description
Disables all services that are configured for manual start. Among other things, this prevents Power Users from starting these services.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service where StartMode = 'Manual'")
For Each objService in colServiceList
    ' StartMode is the fifth parameter of Change
    errReturnCode = objService.Change( , , , , "Disabled")
Next

Determine the Services Running in a Process

Description
Returns a list of the services running in the Services.exe process.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service")
For Each objService in colListOfServices
    If objService.PathName = "C:\WINDOWS\system32\services.exe" Then
        Wscript.Echo objService.DisplayName
    End If
Next

Determine the Services Running in All Processes

Description
Returns a list of processes and all the services currently running in each process.

Script Code

Set objIdDictionary = CreateObject("Scripting.Dictionary")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where State <> 'Stopped'")
' Collect each hosting process ID once
For Each objService in colServices
    If Not objIdDictionary.Exists(objService.ProcessID) Then
        objIdDictionary.Add objService.ProcessID, objService.ProcessID
    End If
Next
colProcessIDs = objIdDictionary.Items
' List the services hosted by each process
For i = 0 to objIdDictionary.Count - 1
    Set colServices = objWMIService.ExecQuery _
        ("Select * from Win32_Service Where ProcessID = '" & _
        colProcessIDs(i) & "'")
    Wscript.Echo "Process ID: " & colProcessIDs(i)
    For Each objService in colServices
        Wscript.Echo VbTab & objService.DisplayName
    Next
Next

Determine Which Services Can Be Paused

Description
Returns a list of the services that can be paused.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where AcceptPause = True")
For Each objService in colServices
    Wscript.Echo objService.DisplayName
Next

Determine Which Services Can Be Stopped

Description
Returns a list of the services that can be stopped.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where AcceptStop = True")
For Each objService in colServices
    Wscript.Echo objService.DisplayName
Next

Enumerate the Antecedent Services of a Single Service

Description
Enumerates all the services that must be running before the SMTP service can be started.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServiceList = objWMIService.ExecQuery("Associators of " _
    & "{Win32_service.Name='SMTPSVC'} Where " _
    & "AssocClass=Win32_DependentService " & "Role=Dependent")
For Each objService in colServiceList
    Wscript.Echo objService.DisplayName
Next

Enumerate the Dependent Services of a Single Service

Description
Enumerates all the services that cannot be started until the Rasman service has been started.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServiceList = objWMIService.ExecQuery("Associators of " _
    & "{Win32_Service.Name='rasman'} Where " _
    & "AssocClass=Win32_DependentService " & "Role=Antecedent" )
For Each objService in colServiceList
    Wscript.Echo objService.DisplayName
Next

Enumerate the Dependent Services of All Services

Description
Enumerates the dependent services of every service installed on the computer.

Script Code

Const ForAppending = 8

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLogFile = _
    objFSO.OpenTextFile("C:\Scripts\Service_Dependencies.csv", _
    ForAppending, True)
objLogFile.Write("Service Dependencies")
objLogFile.WriteLine

strComputer = "."
Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=Impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery("Select * from Win32_Service")

For Each objService in colServices
    strServiceRegistryName = objService.Name
    strServiceDisplayName = objService.DisplayName

    ' Services that depend on the current service
    Set colDependentServices = objWMIService.ExecQuery("Associators of " & _
        "{Win32_Service.Name='" & strServiceRegistryName & "'} " & _
        "Where AssocClass=Win32_DependentService Role=Antecedent")

    If colDependentServices.Count = 0 Then
        objLogFile.Write(strServiceDisplayName & ",None")
        objLogFile.WriteLine
    Else
        objLogFile.Write(strServiceDisplayName & ",")
        For Each objDependentService in colDependentServices
            objLogFile.Write(objDependentService.DisplayName & ",")
        Next
        objLogFile.WriteLine
    End If
Next

objLogFile.Close

Enumerate Inactive Services

Description
Returns a list of all the services installed on the computer that are currently stopped.

Script Code

strComputer = "."

Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=Impersonate}!\\" & strComputer & "\root\cimv2")

Set colStoppedServices = objWMIService.ExecQuery _
    ("SELECT DisplayName,State FROM Win32_Service WHERE State <> 'Running'")

For Each objService in colStoppedServices
    Wscript.Echo objService.DisplayName & " = " & objService.State
Next

Enumerate Service Load Order Groups

Description
Returns a list of all the service load order groups on the computer, along with their load order. The script uses the Win32_LoadOrderGroup class.

Supported Platforms
Windows Server 2003
Windows XP
Windows 2000
Windows NT 4.0: Yes, with WMI installed

Script Code

On Error Resume Next
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_LoadOrderGroup")
For Each objItem in colItems
    Wscript.Echo "Driver Enabled: " & objItem.DriverEnabled
    Wscript.Echo "Group Order: " & objItem.GroupOrder
    Wscript.Echo "Name: " & objItem.Name
    Wscript.Echo
Next

Monitor Service Performance

Description
Uses formatted performance counters to retrieve performance data for the DHCP Server service. Requires Windows XP or Windows Server 2003.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objRefresher = CreateObject("WbemScripting.SWbemRefresher")
Set colDHCPServer = objRefresher.AddEnum _
    (objWMIService, "win32_PerfFormattedData_DHCPServer_DHCPServer"). _
    ObjectSet
objRefresher.Refresh
' Take 60 samples, 10 seconds apart
For i = 1 to 60
    For Each objDHCPServer in colDHCPServer
        Wscript.Echo "Acknowledgements per second: " & _
            objDHCPServer.AcksPerSec
        Wscript.Echo "Declines per second: " & _
            objDHCPServer.DeclinesPerSec
        Wscript.Echo "Discovers per second: " & _
            objDHCPServer.DiscoversPerSec
        Wscript.Echo "Informs per second: " & objDHCPServer.InformsPerSec
        Wscript.Echo "Offers per second: " & objDHCPServer.OffersPerSec
        Wscript.Echo "Releases per second: " & _
            objDHCPServer.ReleasesPerSec
        Wscript.Echo "Requests per second: " & _
            objDHCPServer.RequestsPerSec
    Next
    Wscript.Sleep 10000
    objRefresher.Refresh
Next

Pause Services Running Under a Specific Account

Description
Pauses all the services running under the hypothetical service account Netsvc.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service")
For Each objService in colServices
    If objService.StartName = ".\netsvc" Then
        errReturnCode = objService.PauseService()
    End If
Next

Remove a Service

Description
Deletes a hypothetical service named DbService.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where Name = 'DbService'")
For Each objService in colListOfServices
    ' Stop the service first, then remove it
    objService.StopService()
    objService.Delete()
Next

Resume Paused Auto-Start Services

Description
Restarts any auto-start services that have been paused.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where State = 'Paused' and StartMode = 'Auto'")
For Each objService in colListOfServices
    objService.ResumeService()
Next

Retrieve Service Properties

Description
Retrieves a complete list of services and their associated properties. Saves the information to a text file: C:\Scripts\Service_List.cs.

Script Code

Const ForAppending = 8
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLogFile = objFSO.OpenTextFile("c:\scripts\service_list.csv", _
    ForAppending, True)
' Header row
objLogFile.Write _
    ("System Name,Service Name,Service Type,Service State, Exit " _
    & "Code,Process ID,Can Be Paused,Can Be Stopped,Caption," _
    & "Description,Can Interact with Desktop,Display Name,Error " _
    & "Control, Executable Path Name,Service Started," _
    & "Start Mode,Account Name ")
objLogFile.WriteLine
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service")
' One comma-separated row per service
For Each objService in colListOfServices
    objLogFile.Write objService.SystemName & ","
    objLogFile.Write objService.Name & ","
    objLogFile.Write objService.ServiceType & ","
    objLogFile.Write objService.State & ","
    objLogFile.Write objService.ExitCode & ","
    objLogFile.Write objService.ProcessID & ","
    objLogFile.Write objService.AcceptPause & ","
    objLogFile.Write objService.AcceptStop & ","
    objLogFile.Write objService.Caption & ","
    objLogFile.Write objService.Description & ","
    objLogFile.Write objService.DesktopInteract & ","
    objLogFile.Write objService.DisplayName & ","
    objLogFile.Write objService.ErrorControl & ","
    objLogFile.Write objService.PathName & ","
    objLogFile.Write objService.Started & ","
    objLogFile.Write objService.StartMode & ","
    objLogFile.Write objService.StartName & ","
    objLogFile.WriteLine
Next
objLogFile.Close

Retrieve Service Status

Description
Returns a list of all the services installed on the computer and indicates their current state (generally, whether they are running or not running).

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colRunningServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service")
For Each objService in colRunningServices
    Wscript.Echo objService.DisplayName & VbTab & objService.State
Next

Retrieve Service Status Changes from the Event Log

Description
Retrieves the events with event ID 7036 from the System event log. These events are recorded any time a service changes state. Requires Windows XP or Windows Server 2003.

Script Code

Set dtmConvertedDate = CreateObject("WbemScripting.SWbemDateTime")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServiceEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
    & "EventCode = '7036'")
For Each strEvent in colServiceEvents
    ' Convert the WMI datetime string to a VBScript date
    dtmConvertedDate.Value = strEvent.TimeWritten
    Wscript.Echo dtmConvertedDate.GetVarDate
    Wscript.Echo strEvent.Message
Next

Start a Service and Its Dependent Services

Description
Starts the NetDDE service and all of its dependent services.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service where Name='NetDDE'")
For Each objService in colServiceList
    errReturn = objService.StartService()
Next
Wscript.Sleep 20000
Set colServiceList = objWMIService.ExecQuery("Associators of " _
    & "{Win32_Service.Name='NetDDE'} Where " _
    & "AssocClass=Win32_DependentService " & "Role=Dependent" )
For Each objService in colServiceList
    objService.StartService()
Next

Start Stopped Auto-Start Services

Description
Restarts any auto-start services that have been stopped.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where State = 'Stopped' and StartMode = " _
    & "'Auto'")
For Each objService in colListOfServices
    objService.StartService()
Next

Stop a Service and Its Dependent Services

Description
Stops the NetDDE service and all of its dependent services.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Stop the services that depend on NetDDE first
Set colServiceList = objWMIService.ExecQuery("Associators of " _
    & "{Win32_Service.Name='NetDDE'} Where " _
    & "AssocClass=Win32_DependentService " & "Role=Antecedent" )
For Each objService in colServiceList
    objService.StopService()
Next
Wscript.Sleep 20000
Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service where Name='NetDDE'")
For Each objService in colServiceList
    errReturn = objService.StopService()
Next

Stop Services Running Under a Specific Account

Description
Stops all the services running under the hypothetical service account Netsvc.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("Select * from win32_Service")
For Each objService in colServices
    If objService.StartName = ".\netsvc" Then
        errReturnCode = objService.StopService()
    End If
Next

Switch Service Accounts to LocalService

Description
Changes the service account of any service running under the hypothetical service account Netsvc to LocalService.

Script Code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service")
For Each objService in colServices
    If objService.StartName = ".\netsvc" Then
        ' StartName is the seventh parameter of Change, StartPassword the eighth
        errServiceChange = objService.Change _
            ( , , , , , , "NT AUTHORITY\LocalService" , "")
    End If
Next
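
The following is an added example, not part of the original post: a variant of the service account password script at the top of this page that prompts for the new password instead of storing it in the script file, and that inspects the value returned by Change, which the scripts above capture but never check. The prompt text, the DescribeResult helper and the variable names are assumptions of this example; .\netsvc is the same hypothetical account used above.

```vbscript
' Added example, not part of the original post.
' .\netsvc is the hypothetical account used elsewhere on this page.
' Run with cscript.exe; WScript.StdIn is not available under wscript.exe.
Option Explicit
Dim strComputer, strAccount, strPassword
Dim objWMIService, colServices, objService, errReturn, intFailed

strComputer = "."
strAccount = ".\netsvc"

' Prompt for the secret so that it is not stored in the script file.
' Note: ReadLine echoes the typed characters to the console.
WScript.StdOut.Write "New password for " & strAccount & ": "
strPassword = WScript.StdIn.ReadLine

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery("Select * from Win32_Service")

intFailed = 0
For Each objService In colServices
    ' StartName may be Null; appending "" turns it into an empty string.
    ' vbTextCompare makes the account match case-insensitive.
    If StrComp(objService.StartName & "", strAccount, vbTextCompare) = 0 Then
        errReturn = objService.Change( , , , , , , , strPassword)
        WScript.Echo objService.Name & ": " & DescribeResult(errReturn)
        If errReturn <> 0 Then intFailed = intFailed + 1
    End If
Next

WScript.Echo intFailed & " service(s) could not be updated."
If intFailed > 0 Then WScript.Quit 1

' Maps the Win32_Service.Change return values most relevant here to text.
Function DescribeResult(intCode)
    Select Case intCode
        Case 0
            DescribeResult = "0 (success)"
        Case 2
            DescribeResult = "2 (access denied)"
        Case 21
            DescribeResult = "21 (invalid parameter)"
        Case 22
            DescribeResult = "22 (invalid service account)"
        Case Else
            DescribeResult = intCode & " (other failure)"
    End Select
End Function
```

A return value of 0 means the new configuration was written; the new password is first used the next time the service starts.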