Get list of services in Svchost --> netsvcs. Poor man's Worm Check?

Save to a vbs, I called mine ValidateNetsvcsInfo.vbs

This will attempt to connect to all your machines and compare each machine's netsvcs entries to a known-good service name list. If an entry doesn't exist in that list then something is up and you should take action.

' Entry point: announce the start, check one machine, announce completion.
' "YourMachineName" is the placeholder host name passed to GetNetSvcsInfo.
WScript.Echo "GetNetSvcsInfo Running"
GetNetSvcsInfo "YourMachineName"
WScript.Echo "GetNetSvcsInfo Complete"

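Sub GetNetSvcsInfo(Server)
    ' Reads the "netsvcs" multi-string value under
    ' HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost on the given
    ' machine through the WMI StdRegProv provider, and logs every entry that is
    ' not in the known-good list below.
    '
    ' Server: name of the machine to query.
    ' Output: appended via WriteText to "<script path without extension>_Results.log".
    '
    ' NOTE(review): this compares service names only. It does not inspect what
    ' each listed service loads, so a clean result is one data point, not proof
    ' that the machine is clean.
    Const HKEY_LOCAL_MACHINE = &H80000002

    Dim strComputer, strKnown, strPath, strScript, lngDot
    Dim oReg, dictKnown, strKeyPath, strValueName
    Dim arrValues, lngRet, strValue, strName, svList

    strComputer = Server

    ' Known-good baseline. NOTE(review): the baseline differs between Windows
    ' versions and installed roles; confirm it against a known-clean reference
    ' install of the same build before trusting the results.
    strKnown = "AeLookupSvc, AppMgmt, AudioSrv, BITS, Browser, CryptSvc, DMServer, EventSystem, " & _
        "helpsvc, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, " & _
        "Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, " & _
        "Sacsvr, Schedule, Seclogon, SENS, Sharedaccess, ShellHWDetection, Themes, TrkSvr, " & _
        "TrkWks, uploadmgr, W32Time, winmgmt, WmdmPmSN, WmdmPmSp, Wmi, wuauserv, WZCSVC, xmlprov"

    ' Build an exact, case-insensitive lookup. A substring test against the
    ' joined text would accept any entry that merely appears inside the list
    ' text, and a case-sensitive one would flag legitimate names that differ
    ' only in letter case.
    Set dictKnown = CreateObject("Scripting.Dictionary")
    dictKnown.CompareMode = vbTextCompare
    For Each strName In Split(strKnown, ", ")
        If Not dictKnown.Exists(strName) Then dictKnown.Add strName, True
    Next

    ' Log file sits next to the script: strip only the final extension so a dot
    ' elsewhere in the folder path does not truncate the name.
    strScript = WScript.ScriptFullName
    lngDot = InStrRev(strScript, ".")
    If lngDot > InStrRev(strScript, "\") Then
        strPath = Left(strScript, lngDot - 1) & "_Results.log"
    Else
        strPath = strScript & "_Results.log"
    End If

    'wscript.echo "winmgmts:\\" & strComputer & "\root\default:StdRegProv"

    ' Connection failures (host down, RPC blocked, access denied) are expected
    ' in a sweep, so trap them and record the host instead of aborting.
    On Error Resume Next
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
        strComputer & "\root\default:StdRegProv")
    If Err.Number <> 0 Then
        WScript.Echo strComputer & " is offline or access is denied"
        WriteText strPath, strComputer & " is offline or access is denied"
        Exit Sub
    End If
    On Error GoTo 0

    strKeyPath = "Software\Microsoft\Windows NT\CurrentVersion\SvcHost"
    strValueName = "netsvcs"
    lngRet = oReg.GetMultiStringValue(HKEY_LOCAL_MACHINE, strKeyPath, _
        strValueName, arrValues)

    ' A failed or empty read must not look like a clean machine: record it.
    If lngRet <> 0 Or Not IsArray(arrValues) Then
        WriteText strPath, strComputer & " netsvcs value could not be read (return code " & lngRet & ")"
        Exit Sub
    End If

    svList = ""
    For Each strValue In arrValues
        strName = Trim(strValue)
        If Len(strName) > 0 Then
            If Not dictKnown.Exists(strName) Then svList = svList & strValue & vbCrLf
        End If
    Next

    ' Only machines with at least one unrecognised entry are written to the log.
    If Len(Trim(svList)) > 0 Then
        WriteText strPath, strComputer & "--------------------------"
        WriteText strPath, svList
    End If

End Sub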

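Sub WriteText(strFilePath, strText)
    ' Appends strText as one line to the file at strFilePath, creating the
    ' file if it does not exist yet.
    '
    ' strFilePath: full path of the log file.
    ' strText:     text to append.

    ' FileSystemObject iomode for appending. Declared here because an undefined
    ' name would evaluate to Empty and OpenTextFile would reject the mode.
    Const OPEN_FILE_FOR_APPENDING = 8

    Dim objFileSystem, objOutputFile

    Set objFileSystem = CreateObject("Scripting.FileSystemObject")
    Set objOutputFile = objFileSystem.OpenTextFile(strFilePath, OPEN_FILE_FOR_APPENDING, True)

    objOutputFile.WriteLine strText

    ' Close explicitly so the line is flushed and the handle released before
    ' the next call reopens the same file.
    objOutputFile.Close

    Set objOutputFile = Nothing
    Set objFileSystem = Nothing

End Sub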
