System services may be hidden by a rootkit, but sometimes we can still find the relevant information in the registry. We recommend that you run the command as administrator; otherwise, some services cannot be listed or an error message is displayed.
Code (checksvr.vbs):
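' checksvr.vbs - cross-view check for services hidden from the service list.
'
' Every subkey of HKLM\SYSTEM\CurrentControlSet\Services that carries an
' ObjectName value (the logon account) is looked up in WMI's Win32_Service.
' A key that WMI does not report is printed as [Hidden], the rest as [OK].
'
' Reading the result:
'   * [Hidden] is a lead, not a verdict. Win32_Service does not list kernel or
'     file-system drivers, so a driver key that happens to carry ObjectName
'     can also show up here. Check the key's Type and ImagePath values before
'     drawing a conclusion.
'   * A clean run proves little: both views are read on the live system, so
'     anything that also filters registry reads will not appear at all.
'     Compare against an offline copy of the SYSTEM hive when in doubt.
'
' "On Error Resume Next" is deliberately left disabled so that WMI or registry
' failures stop the script instead of silently producing a shorter report.
'On Error Resume Next
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002

Dim oReg, strKeyPath, arrSubKeys, subkey, strValue, rc

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Services"

' EnumKey leaves arrSubKeys unset when it fails; looping over it would then
' raise a type mismatch, so report the failure explicitly.
rc = oReg.EnumKey(HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys)
If rc <> 0 Or Not IsArray(arrSubKeys) Then
    WScript.Echo "Cannot enumerate HKLM\" & strKeyPath & " (error " & rc & "). Try running as administrator."
    WScript.Quit 1
End If

WScript.Echo "Checking, please wait..."
WScript.Echo ""

For Each subkey In arrSubKeys
    ' Reset first so a failed read cannot reuse the previous key's account name.
    strValue = Null
    oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath & "\" & subkey, "ObjectName", strValue

    ' Keys without ObjectName (most drivers) are skipped.
    ' VBScript does not short-circuit, so the Null test needs its own If.
    If Not IsNull(strValue) Then
        If strValue <> "" Then
            If CheckSvr(subkey) Then
                WScript.Echo subkey & FormatOutTab(subkey) & strValue & FormatOutTab(strValue) & "[OK]"
            Else
                WScript.Echo subkey & FormatOutTab(subkey) & strValue & FormatOutTab(strValue) & "[Hidden]"
            End If
        End If
    End If
Next

WScript.Echo ""
WScript.Echo "All done."
WScript.Quit 0

' Returns True when WMI reports a Win32_Service whose Name equals strName.
' One WMI query is issued per call, which is slow on hosts with many services.
Function CheckSvr(strName)
    Dim oWMI, cService, strSafe

    ' The name comes from a registry key and is not trusted: escape backslash
    ' and single quote so it cannot break out of the WQL string literal.
    strSafe = Replace(Replace(strName, "\", "\\"), "'", "\'")

    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set cService = oWMI.ExecQuery("Select * from Win32_Service WHERE Name = '" & strSafe & "'")
    CheckSvr = (cService.Count <> 0)
End Function

' Returns the tab padding that follows strName so the next column lines up on
' 8-character tab stops: five tabs for names under 8 characters, one fewer for
' each further 8 characters, and never fewer than one.
Function FormatOutTab(strName)
    Dim nTabs

    nTabs = 5 - (Len(strName) \ 8)
    If nTabs < 1 Then nTabs = 1
    FormatOutTab = String(nTabs, vbTab)
End Function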
Using a Dictionary is much faster:
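' Cross-view check for services hidden from the service list (Dictionary version).
'
' Win32_Service is queried once and the names are cached in a Dictionary; each
' subkey of HKLM\SYSTEM\CurrentControlSet\Services that carries an ObjectName
' value (the logon account) is then looked up in that cache. Keys missing from
' the WMI view are printed as [ Hidden ], the rest as [ OK ].
'
' Reading the result:
'   * [ Hidden ] is a lead, not a verdict. Win32_Service does not list kernel
'     or file-system drivers, so a driver key that happens to carry ObjectName
'     can also show up here. Check the key's Type and ImagePath values before
'     drawing a conclusion.
'   * A clean run proves little: both views are read on the live system, so
'     anything that also filters registry reads will not appear at all.
'     Compare against an offline copy of the SYSTEM hive when in doubt.
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002

Dim oDic, oReg, oWmi, arrServices
Dim strService, strKeyPath, arrSubKeys, subkey, strValue, rc

WScript.Echo "[*] Checking, please wait ..."
WScript.Echo ""

' Service and registry key names are case-insensitive, but a Dictionary
' compares keys case-sensitively by default. Without text comparison a mere
' difference in letter case would be reported as [ Hidden ].
' CompareMode can only be set while the Dictionary is still empty.
Set oDic = CreateObject("Scripting.Dictionary")
oDic.CompareMode = vbTextCompare

Set oWmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set arrServices = oWmi.ExecQuery("Select * from Win32_Service")
For Each strService In arrServices
    ' Add raises an error on a duplicate key, so guard it.
    If Not oDic.Exists(strService.Name) Then oDic.Add strService.Name, True
Next

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Services"

' EnumKey leaves arrSubKeys unset when it fails; looping over it would then
' raise a type mismatch, so report the failure explicitly.
rc = oReg.EnumKey(HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys)
If rc <> 0 Or Not IsArray(arrSubKeys) Then
    WScript.Echo "[!] Cannot enumerate HKLM\" & strKeyPath & " (error " & rc & "). Try running as administrator."
    WScript.Quit 1
End If

For Each subkey In arrSubKeys
    ' Reset first so a failed read cannot reuse the previous key's account name.
    strValue = Null
    ' VBScript has no backslash escapes: the separator is a single "\".
    oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath & "\" & subkey, "ObjectName", strValue

    ' Keys without ObjectName (most drivers) are skipped.
    ' VBScript does not short-circuit, so the Null test needs its own If.
    If Not IsNull(strValue) Then
        If strValue <> "" Then
            If oDic.Exists(subkey) Then
                WScript.Echo subkey & FormatOutTab(subkey) & strValue & FormatOutTab(strValue) & "[ OK ]"
            Else
                WScript.Echo subkey & FormatOutTab(subkey) & strValue & FormatOutTab(strValue) & "[ Hidden ]"
            End If
        End If
    End If
Next

oDic.RemoveAll
WScript.Echo ""
WScript.Echo "[*] All done."
WScript.Quit 0

' Returns the tab padding that follows strName so the next column lines up on
' 8-character tab stops: four tabs for names under 8 characters, one fewer for
' each further 8 characters, and never fewer than one.
Function FormatOutTab(strName)
    Dim nTabs

    nTabs = 4 - (Len(strName) \ 8)
    If nTabs < 1 Then nTabs = 1
    FormatOutTab = String(nTabs, vbTab)
End Function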