Process
services.exe
services.exe is the Service Control Manager (SCM), a core Windows process responsible for starting, stopping, and managing the system services that run in the background. It's launched during boot by wininit.exe and serves as the central coordinator for the dozens of services that Windows and its installed software rely on.
File identity
- File type: PE32+ executable
- Magic: PE32+ executable (GUI)
- Original name: services.exe.mui
- Internal name: services.exe
- Product: Microsoft® Windows® Operating System
- Status: Signed
- Publisher: Microsoft Corporation
- Signer: Microsoft Windows
- Issuer: Microsoft Windows Production PCA 2011
- Signature rate: 100%
- 10.0.26100.8115 (WinBuild.160101.0800) (100%)
- 877.20 KB (100%)
Execution context
C:\Windows\System32\services.exe (100%)
Not observed.
Not observed.
1 (100%)
Session 0 (100%)
- SeCreateSymbolicLinkPrivilege (100%)
- SeAuditPrivilege (100%)
- SeDelegateSessionUserImpersonatePrivilege (100%)
- SeCreateGlobalPrivilege (100%)
- SeTcbPrivilege (100%)
Ancestry
Not observed.
svchost.exe (100%)
Not observed.
Not observed.
Behavior
Not observed.
Not observed.
svchost.exe (100%)
Not observed.
Indicators
Not observed.
Analysis
services.exe is started by wininit.exe early in boot and runs in session 0 as NT AUTHORITY\SYSTEM from C:\Windows\System32\services.exe. Exactly one instance runs at a time, and it stays up for the life of the machine.
services.exe maintains a database of installed services and their configurations, kept under HKLM\SYSTEM\CurrentControlSet\Services, and loads them according to their startup settings (automatic, manual, delayed, or disabled). When the system boots, it starts the services marked to run automatically, and throughout the session it responds to requests to start or stop services on demand, whether they come from the Services console, sc.exe, or an API call.
Beyond simply launching services, it monitors their state and can take recovery actions if a service fails, such as restarting it according to its configured recovery options. Underneath the SCM it implements the Unified Background Process Manager (UBPM), which drives both services and scheduled tasks. Because it starts every service, its children are the service processes themselves: the many svchost.exe instances, spoolsv.exe, and whatever third-party service binaries are installed. Every child should map back to an installed service.
services.exe is also what marks a boot as successful. Once a user logs on interactively, the SCM copies the current configuration into the Last Known Good control set (HKLM\SYSTEM\Select\LastKnownGood points at the validated CurrentControlSet), the configuration Windows falls back to after a failed boot.
The genuine services.exe is a trusted, signed Microsoft system file that is essential to normal operation. It should never be removed or disabled, and terminating it will crash the system, since the entire services infrastructure depends on it.
Because of its trusted status and central role, services.exe is a frequent target for impersonation by malware hoping to hide among legitimate processes (T1036.005). A legitimate copy always resides in C:\Windows\System32 and carries a valid Microsoft digital signature. Treat copies found in other locations, slight misspellings such as service.exe, servicess.exe, or sevices.exe, and any second instance as anomalies, since exactly one ever runs.
The more common way to abuse services.exe is to give it something malicious to run. Installing or modifying a service is a long-standing persistence and privilege escalation technique (T1543.003): the service runs as SYSTEM, starts automatically, and appears in the process tree under a legitimate parent. Review new services whose binary lives outside Program Files or System32, or whose configuration invokes an interpreter such as cmd.exe or powershell.exe.
Remote admin tools ride the same mechanism. PsExec and its clones install a temporary service to execute commands on a remote machine (T1569.002), which shows up as an unfamiliar child of services.exe, classically psexesvc.exe. The same pattern from a tool the admins didn't deploy points to lateral movement.
- Image path other than C:\Windows\System32\services.exe (high)
- More than one instance (high)
- Parent other than wininit.exe (high)
- Running as any account other than NT AUTHORITY\SYSTEM (high)
- Unsigned image or a signer other than Microsoft (high)
- A command shell or script host as a direct child (high)
- A child process that doesn't map back to an installed service (med)
- Start time long after boot (med)
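The checklist above applied to one process snapshot, as an added example that is not part of the original page. The record fields, the 300-second late-start threshold, the script hosts beyond cmd.exe and powershell.exe, and the sample data are assumptions made for the illustration.

```python
from collections import namedtuple
from ntpath import basename  # Windows path rules on any host OS

Proc = namedtuple("Proc", "pid ppid image user signed signer start",
                  defaults=(r"NT AUTHORITY\SYSTEM", True, "Microsoft Windows", 5))
EXPECTED_IMAGE = r"c:\windows\system32\services.exe"
# cmd.exe and powershell.exe are named on the page; the rest are assumptions.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
LATE_START_SECONDS = 300  # assumption: threshold for "long after boot"

def name(p):
    return basename(p.image).lower()

def triage(procs, service_images):
    """Findings as (pid, indicator, severity); service_images: lower-cased service binaries."""
    by_pid = {p.pid: p for p in procs}
    scms = [p for p in procs if name(p) == "services.exe"]
    findings = []
    for p in scms:
        parent = by_pid.get(p.ppid)  # a parent missing from the snapshot is not judged
        checks = [
            (p.image.lower() != EXPECTED_IMAGE, "image path", "high"),
            (len(scms) > 1, "more than one instance", "high"),
            (parent is not None and name(parent) != "wininit.exe", "parent", "high"),
            (p.user.upper() != r"NT AUTHORITY\SYSTEM", "account", "high"),
            (not p.signed or p.signer != "Microsoft Windows", "signature", "high"),
            (p.start > LATE_START_SECONDS, "late start", "med"),
        ]
        findings += [(p.pid, what, sev) for bad, what, sev in checks if bad]
    scm_pids = {p.pid for p in scms}
    for c in (c for c in procs if c.ppid in scm_pids):
        if name(c) in SHELLS:
            findings.append((c.pid, "shell or script host child", "high"))
        elif c.image.lower() not in service_images:
            findings.append((c.pid, "child not an installed service", "med"))
    return findings

# Constructed snapshot (not real telemetry); start is seconds since boot.
SAMPLE = [
    Proc(500, 400, r"C:\Windows\System32\wininit.exe"),
    Proc(700, 500, r"C:\Windows\System32\services.exe"),
    Proc(900, 700, r"C:\Windows\System32\svchost.exe"),
    Proc(910, 700, r"C:\ProgramData\upd\agent.exe"),
    Proc(920, 700, r"C:\Windows\System32\cmd.exe"),
    Proc(4242, 3000, r"C:\Users\Public\services.exe", r"LAB\alice", False, "", 7200),
]
SERVICES = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\spoolsv.exe"}

if __name__ == "__main__":
    print(*triage(SAMPLE, SERVICES), sep="\n")
```

The match is on the exact image name, so lookalike names such as servicess.exe need a separate name-similarity rule.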
Telemetry
Microsoft Windows 11 Enterprise Evaluation (100%)
- First seen: 2026-06-08
- Last seen: 2026-06-08
- Machines: 1