How do I use EnumServicesStatus to obtain the dwServiceType of Unknown in Windows?


In Windows, the dwServiceType of EnumServicesStatus has no "Unknown" attribute. Only SERVICE_DRIVER, SERVICE_FILE_SYSTEM_DRIVER, SERVICE_KERNEL_DRIVER, SERVICE_WIN32, SERVICE_WIN32_OWN_PROCESS, and SERVICE_WIN32_SHARE_PROCESS are defined. Failure is returned if any other value is used.

See this picture showing an "Unknown" type: Screen capture showing unknown service type


There is 1 answer

Daniel Widdis

The docs for EnumServicesStatus are incomplete in their list of dwServiceType values. The complete list of bits available in the bitmask can be found in winnt.h. One version I found, which appears to be older, is:

/* Service types */
#define SERVICE_KERNEL_DRIVER      0x00000001
#define SERVICE_FILE_SYSTEM_DRIVER 0x00000002
#define SERVICE_ADAPTER            0x00000004
#define SERVICE_RECOGNIZER_DRIVER  0x00000008

#define SERVICE_DRIVER ( SERVICE_KERNEL_DRIVER | SERVICE_FILE_SYSTEM_DRIVER | \
                         SERVICE_RECOGNIZER_DRIVER )

#define SERVICE_WIN32_OWN_PROCESS   0x00000010
#define SERVICE_WIN32_SHARE_PROCESS 0x00000020
#define SERVICE_WIN32  (SERVICE_WIN32_OWN_PROCESS | SERVICE_WIN32_SHARE_PROCESS)

#define SERVICE_INTERACTIVE_PROCESS 0x00000100

#define SERVICE_TYPE_ALL ( SERVICE_WIN32 | SERVICE_ADAPTER | \
                           SERVICE_DRIVER | SERVICE_INTERACTIVE_PROCESS )

Raymond Chen indicates in this comment that 0x40 is SERVICE_USER_SERVICE in newer versions of Windows.

The presence of "Unknown" indicates there must be a default condition for service types not included in the header file, likely due to changes in newer versions of Windows.

In the case of the particular Agent Activation Runtime (Aarsvc) in your image, the type is 96 (0x60 = 0x40 | 0x20), which appears in other documentation as USER_SHARE_PROCESS (see Per User Services Documentation), and is not in the list of values above. Type 80 (0x50 = 0x40 | 0x10, USER_OWN_PROCESS) also fits into that category, a per user service that's an "own" process rather than a shared one.

So it seems searching using SERVICE_USER_SERVICE | SERVICE_WIN32 should return at least that particular service; perhaps not all unknowns.

For more possible "Unknown" values, see this GitHub Issue listing the following:

const std::map<int, std::string> kServiceType = {
    {0x00000001, "Driver"},
    {0x00000002, "FS driver"},
    {0x00000010, "OWN_PROCESS"},
    {0x00000020, "SHARE_PROCESS"},
    {0x00000100, "INTERACTIVE_PROCESS"},
    {0x00000110, "OWN_PROCESS(Interactive)"},
    {0x00000120, "SHARE_PROCESS(Interactive)"},
    {0x00000050, "USER_OWN_PROCESS"},
    {0x000000d0, "USER_OWN_PROCESS(Instance)"},
    {0x00000060, "USER_SHARE_PROCESS"},
    {0x000000e0, "USER_SHARE_PROCESS(Instance)"},
    {0x00000210, "PACKAGE_OWN_PROCESS"},
    {0x00000220, "PACKAGE_SHARE_PROCESS"}
};

This indicates a 0x200 bitmask associated with packages and a 0xc0 bitmask associated with instances as well.
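An added example, not part of the answer above or of the linked GitHub issue: a portable C decoder that splits a dwServiceType value into the bits listed on this page and returns whatever is left over, so a service inventory can report per-user and packaged services by their bits instead of as "Unknown". The labels USER_INSTANCE (0x80) and PACKAGE (0x200) are names chosen for this example, inferred from the table rows (0xd0 = 0x50 | 0x80, 0x210 = 0x10 | 0x200); the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Bit values from the header excerpt and the table on this page. */
struct type_bit { unsigned mask; const char *name; };
static const struct type_bit kBits[] = {
    {0x001, "KERNEL_DRIVER"},       {0x002, "FILE_SYSTEM_DRIVER"},
    {0x004, "ADAPTER"},             {0x008, "RECOGNIZER_DRIVER"},
    {0x010, "WIN32_OWN_PROCESS"},   {0x020, "WIN32_SHARE_PROCESS"},
    {0x040, "USER_SERVICE"},
    {0x080, "USER_INSTANCE"},       /* example label, inferred from 0xd0/0xe0 */
    {0x100, "INTERACTIVE_PROCESS"},
    {0x200, "PACKAGE"},             /* example label, inferred from 0x210/0x220 */
};

/* Writes the '|'-joined names of the known bits of `type` into `out`
   (names that do not fit are skipped) and returns the bits that no
   table entry explains, or 0 when every bit is accounted for. */
unsigned decode_service_type(unsigned type, char *out, size_t cap)
{
    unsigned rest = type;
    size_t used = 0;
    if (out == NULL || cap == 0) return type;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof kBits / sizeof kBits[0]; i++) {
        if (!(type & kBits[i].mask)) continue;
        rest &= ~kBits[i].mask;                 /* bit is explained */
        size_t len = strlen(kBits[i].name), sep = used ? 1 : 0;
        if (used + sep + len < cap) {           /* room for text and NUL */
            if (sep) out[used++] = '|';
            memcpy(out + used, kBits[i].name, len + 1);
            used += len;
        }
    }
    return rest;
}

int main(void)
{
    /* 0x60 is the Aarsvc type from the answer; 0x400 is a constructed
       value carrying a bit that nothing on this page names. */
    const unsigned samples[] = {0x20, 0x60, 0xd0, 0x220, 0x400};
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned rest = decode_service_type(samples[i], buf, sizeof buf);
        printf("0x%03x -> %s", samples[i], buf[0] ? buf : "(none)");
        if (rest) printf(" + unexplained 0x%x", rest);
        putchar('\n');
    }
    return 0;
}
```

A non-zero return value is the case worth logging: it marks a type bit that the table above does not cover.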