Enumerate Services and ACLs

Description

List Windows services, parse service executable paths, identify unquoted service paths, retrieve service SDDL, and inspect executable file ACLs to determine whether the binary is writable by the current user or common built-in groups.

Documentation

Detailed Description

Enumerate-ServicesAndAcls enumerates Windows services using CIM and returns one PSCustomObject per service.

For each service, the script:

  • Collects core service metadata such as name, display name, state, start mode, logon account, and raw binary path.
  • Parses the executable path from the service PathName, including quoted and unquoted formats.
  • Detects potentially risky unquoted service paths.
  • Retrieves the service security descriptor definition language (SDDL) using sc.exe sdshow.
  • Checks whether the referenced executable exists on disk.
  • Reads the file ACL for the executable and summarizes ACEs.
  • Flags whether the executable appears writable by the current user.
  • Flags whether the executable appears writable by well-known broad-access groups such as Everyone, Users, or Authenticated Users.

The function outputs only PowerShell objects and does not serialize to JSON internally.
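The following is an added example, not the project's Enumerate-ServicesAndAcls code, showing a reduced implementation of the steps listed above: parsing the executable out of a service PathName, flagging an unquoted path that contains spaces, summarizing the file ACL, and checking writability against the current user's token and the broad built-in groups. The function names Get-ServiceExecutablePath and Test-ExecutableWritable, the choice of rights treated as "write", and the Allow-only evaluation (Deny ACEs are not subtracted) are assumptions made for this illustration.

```powershell
# Added example (not the project's own code). Requires Windows PowerShell or
# PowerShell 7 on a Windows host; run as the user whose access you want to audit.

function Get-ServiceExecutablePath {
    # Returns the executable referenced by a Win32_Service.PathName and whether
    # the path is unquoted and contains a space (the risky case).
    param([Parameter(Mandatory)][string]$PathName)

    $trimmed = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($trimmed.StartsWith('"')) {
        # Quoted form: "C:\Program Files\Vendor\svc.exe" -arg
        $end = $trimmed.IndexOf('"', 1)
        $exe = if ($end -gt 0) { $trimmed.Substring(1, $end - 1) } else { $trimmed.Trim('"') }
        $unquoted = $false
    } else {
        # Unquoted form: take everything up to and including the first ".exe";
        # fall back to the first whitespace-delimited token if there is none.
        $m = [regex]::Match($trimmed, '^(.*?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { ($trimmed -split '\s+')[0] }
        # An unquoted path is only a concern when a directory component has a space.
        $unquoted = $exe.Contains(' ')
    }
    [PSCustomObject]@{ Executable = $exe; UnquotedPath = $unquoted }
}

function Test-ExecutableWritable {
    # Summarizes the file ACL and reports whether any Allow ACE grants write-type
    # rights to the current user (or a group in their token) or to Everyone,
    # BUILTIN\Users, or Authenticated Users. Simplification: Deny ACEs are ignored.
    param([Parameter(Mandatory)][string]$Path)

    $rights    = [System.Security.AccessControl.FileSystemRights]
    $writeMask = $rights::WriteData -bor $rights::AppendData -bor $rights::Write -bor
                 $rights::Modify -bor $rights::FullControl -bor $rights::ChangePermissions -bor
                 $rights::TakeOwnership

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids    = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
    $broadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11')   # Everyone, Users, Authenticated Users

    $acl = Get-Acl -LiteralPath $Path
    $summary = @(); $byUser = $false; $byBroad = $false
    foreach ($ace in $acl.Access) {
        $summary += ('{0}: {1} {2} Inherited:{3}' -f $ace.IdentityReference,
                     $ace.FileSystemRights, $ace.AccessControlType, $ace.IsInherited)
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable or orphaned SID; skip
        if ($mySids -contains $sid)    { $byUser  = $true }
        if ($broadSids -contains $sid) { $byBroad = $true }
    }
    [PSCustomObject]@{
        FileAclsSummary                     = ($summary -join '; ')
        ExecutableWritableByCurrentUser     = $byUser
        ExecutableWritableByWellKnownGroups = $byBroad
    }
}

# Driver: one object per service, mirroring the fields in the example output.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    if (-not $_.PathName) { return }            # skip services with no binary path
    $parsed = Get-ServiceExecutablePath -PathName $_.PathName
    $exists = Test-Path -LiteralPath $parsed.Executable -PathType Leaf
    $aclInfo = if ($exists) { Test-ExecutableWritable -Path $parsed.Executable } else { $null }
    # sc.exe sdshow prints a blank line followed by the SDDL string.
    $sddl = (& sc.exe sdshow $_.Name | Where-Object { $_ -match '^D:' }) -join ''

    [PSCustomObject]@{
        Name                                = $_.Name
        DisplayName                         = $_.DisplayName
        State                               = $_.State
        StartMode                           = $_.StartMode
        StartName                           = $_.StartName
        PathName                            = $_.PathName
        Executable                          = $parsed.Executable
        ExecutableExists                    = $exists
        UnquotedPath                        = $parsed.UnquotedPath
        ServiceSDDL                         = $sddl
        FileAclsSummary                     = $aclInfo.FileAclsSummary
        ExecutableWritableByCurrentUser     = [bool]$aclInfo.ExecutableWritableByCurrentUser
        ExecutableWritableByWellKnownGroups = [bool]$aclInfo.ExecutableWritableByWellKnownGroups
    }
}
```

The objects can be piped to Where-Object to surface only the findings that matter (for example UnquotedPath, ExecutableWritableByCurrentUser, or ExecutableWritableByWellKnownGroups being true) and then to Export-Csv or ConvertTo-Json for reporting; an unquoted path with spaces is only exploitable when one of the intermediate directories is also writable, so that directory check is the natural follow-up for any service flagged here.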

Parameters

  Name                   Type   Required   Default   Description
  IncludeServiceSddl     bool   No         $true     When enabled, retrieves the service SDDL using sc.exe sdshow.
  IncludeFileAclSummary  bool   No         $true     When enabled, reads and summarizes the executable file ACL.
  CheckWritableAccess    bool   No         $true     When enabled, evaluates whether the executable may be writable by the current user or common groups.

Example Output

[
  {
    "Name": "Spooler",
    "DisplayName": "Print Spooler",
    "State": "Running",
    "StartMode": "Auto",
    "StartName": "LocalSystem",
    "PathName": "C:\\Windows\\System32\\spoolsv.exe",
    "Executable": "C:\\Windows\\System32\\spoolsv.exe",
    "ExecutableExists": true,
    "UnquotedPath": false,
    "ServiceSDDL": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)...",
    "FileAclsSummary": "NT AUTHORITY\\SYSTEM: FullControl Allow Inherited:True; BUILTIN\\Administrators: FullControl Allow Inherited:True",
    "ExecutableWritableByCurrentUser": false,
    "ExecutableWritableByWellKnownGroups": false
  }
]