Adds NSE script for smb-enum-services and its support functions. Closes #987.

2026-01-21 13:49:04 +00:00 · 2017-09-05 18:19:11 +00:00
parent f14ca55a33
commit 8e717e1694
4 changed files with 1196 additions and 3 deletions
--- a/nselib/msrpc.lua
+++ b/nselib/msrpc.lua
@@ -61,6 +61,7 @@ local smb = require "smb"
 local stdnse = require "stdnse"
 local string = require "string"
 local table = require "table"
+local unicode = require "unicode"
 _ENV = stdnse.module("msrpc", stdnse.seeall)

 -- The path, UUID, and version for SAMR
@@ -3437,6 +3438,275 @@ function svcctl_queryservicestatus(smbstate, handle, control)
  return true, result
 end

+-- Crafts a marshalled request for sending it to the enumservicestatusw function
+--
+--@param handle          The handle, opened by <code>OpenServiceW</code>.
+--@param typeofservice   The type of services to be enumerated.
+--@param servicestate    The state of the services to be enumerated.
+--@param cbbufsize       The size of the buffer pointed to by the lpServices
+--                       parameter, in bytes.
+--@param lpresumehandle  A pointer to a variable that, on input, specifies the
+--                       starting point of enumeration.
+--@return string         Returns marshalled string with given arguments.
+local function enumservicestatusparams(handle, tyepofservice, servicestate, cbbufsize, lpresumehandle)
+
+  -- [in,ref] policy_handle *handle
+  return msrpctypes.marshall_policy_handle(handle)
+
+  -- [in] uint32 type
+  .. msrpctypes.marshall_int32(tyepofservice, true)
+
+  -- [in] svcctl_ServiceState
+  .. msrpctypes.marshall_int32(servicestate, true)
+
+  -- [in] [range(0,0x40000)] uint32 cbufsize
+  .. msrpctypes.marshall_int32(cbbufsize, true)
+
+  -- [in,out,unique] uint32 *resume_handle
+  .. msrpctypes.marshall_int32_ptr(lpresumehandle, true)
+
+end
+
+-- Unmarshalls the string based on offset.
+--
+--@param arguments The marshalled arguments to extract the data.
+--@param startpos  The start position of the string.
+--@return startpos Returns the strating position of the string.
+--@return string   Returns the unmarshalled string.
+
+-- Unmarshalls ENUM_SERVICE_STATUS structure.
+--
+-- The structure of ENUM_SERVICE_STATUS is as follows:
+--
+-- <code>
+--    typedef struct  {
+--      LPTSTR         lpServiceName
+--      LPTSTR         lpDisplayName
+--      SERVICE_STATUS ServiceStatus
+--    }
+-- </code>
+--
+-- References:
+-- https://msdn.microsoft.com/en-us/library/windows/desktop/ms682651(v=vs.85).aspx
+--
+-- I created this function as a support for svcctl_enumservicesstatusw function.
+-- svcctl_enumservicesstatusw function returns multiple services in the buffer.
+-- In order to remember the starting and ending positions of different unmarshalled
+-- strings and SERVICE_STATUS structs I had to store the previous offset of the
+-- unmarshalled string. This previous offset will be helpful while retrieving the
+-- continous strings from the buffer.
+--
+--@param arguments      The marshalled arguments to extract the data.
+--@param pos            The position within <code>arguments</code>.
+--@return pos           Returns new position in the arguments.
+--@return serviceName   Returns an unmarshalled string.
+--@return displayName   Returns an unmarshalled string.
+--@return serviceStatus Returns table of values
+local function unmarshall_enum_service_status(arguments, pos)
+
+  local _
+  local serviceNameOffset
+  local displayNameOffset
+  local serviceStatus
+  local serviceName
+  local displayName
+
+  pos, serviceNameOffset = msrpctypes.unmarshall_int32(arguments, pos)
+  pos, displayNameOffset = msrpctypes.unmarshall_int32(arguments, pos)
+  pos, serviceStatus = msrpctypes.unmarshall_SERVICE_STATUS(arguments, pos)
+
+  _, serviceName = msrpctypes.unmarshall_lptstr(arguments, serviceNameOffset + 5)
+  _, displayName = msrpctypes.unmarshall_lptstr(arguments, displayNameOffset + 5)
+
+  -- ServiceName and displayName are converted into UTF-8.
+  serviceName = unicode.utf16to8(serviceName)
+  displayName = unicode.utf16to8(displayName)
+
+  -- Since we are converting the string from utf16to8, an extra NULL byte is
+  -- present at the end of the string. These two lines, strip the last character
+  -- or NULL byte from the end of the string.
+  serviceName = string.sub(serviceName, 1, serviceName:len()-1)
+  displayName = string.sub(displayName, 1, displayName:len()-1)
+
+  stdnse.debug2("ServiceName = %s", serviceName)
+  stdnse.debug2("DisplayName = %s", displayName)
+
+  return pos, serviceName, displayName, serviceStatus
+
+end
+
+-- Attempts to retrieve list of services from a remote system.
+--
+-- The structure of EnumServicesStatus is as follows:
+--
+-- <code>
+--    typedef struct {
+--  	  policy_handle *handle,
+--  	  uint32 type,
+--  	  svcctl_ServiceState state,
+--  	  uint8 *service,
+--  	  uint32 offered,
+--  	  uint32 *needed,
+--  	  uint32 *services_returned,
+--  	  uint32 *resume_handle
+--    }
+-- </code>
+--
+-- References:
+-- https://github.com/samba-team/samba/blob/d8a5565ae647352d11d622bd4e73ff4568678a7c/librpc/idl/svcctl.idl
+-- https://msdn.microsoft.com/en-us/library/windows/desktop/ms682637(v=vs.85).aspx
+--
+--@param smbstate The SMB state table.
+--@param handle   The handle, opened by <code>OpenServiceW</code>.
+--@param dwservicetype The type of services to be enumerated.
+--                     Lookup table for dwservicetype is as follows:
+--                       SERVICE_DRIVER - 0x0000000B
+--                       SERVICE_FILE_SYSTEM_DRIVER - 0x00000002
+--                       SERVICE_KERNEL_DRIVER - 0x00000001
+--                       SERVICE_WIN32 - 0x00000030
+--                       SERVICE_WIN32_OWN_PROCESS - 0x00000010 (default)
+--                       SERVICE_WIN32_SHARE_PROCESS - 0x00000020
+--@param dwservicestate The state of the services to be enumerated.
+--                      Lookup table for dwservicetype is as follows:
+--                      SERVICE_ACTIVE - 0x00000001
+--                      SERVICE_INACTIVE - 0x00000002
+--                      SERVICE_STATE_ALL - 0x00000003 (default)
+--@return pos     Returns success or failure.
+--@return output  Returns the list of services running on a remote windows system
+--                with serviceName, displayName and service status structure.
+function svcctl_enumservicesstatusw(smbstate, handle, dwservicetype, dwservicestate)
+  local status
+  local result
+  local arguments
+  local pos
+  local _
+  local serviceName
+  local displayName
+  local serviceStatus
+  local lpservices
+
+  local output = stdnse.output_table()
+
+  local DW_SERVICE_TYPE = dwservicetype or 0x00000010
+  local DW_SERVICE_STATE = dwservicestate or 0x00000003
+
+  arguments = enumservicestatusparams(handle, DW_SERVICE_TYPE, DW_SERVICE_STATE, 0x00, nil)
+
+  -- This call is made only to retrieve the pcbBytesNeeded value.
+  status, result = call_function(smbstate, 0x0e, arguments)
+
+  if status ~= true then
+    return false, result
+  end
+
+  arguments = result["arguments"]
+
+  pos = 1
+
+  -- Since the first call is made to retrieve pcbBytesNeeded, the server returns
+  -- an empty array in the response. The following line of code unpacks an
+  -- empty array.
+  lpservices, pos = string.unpack("<s4", arguments, pos)
+
+  -- [out,ref] [range(0,0x40000)] uint32 *pcbBytesNeeded,
+  pos, result["pcbBytesNeeded"] = msrpctypes.unmarshall_int32(arguments, pos)
+
+  -- Unmarshalls return value.
+  _, result["ReturnValue"] = msrpctypes.unmarshall_int32(arguments, arguments:len()-3)
+
+  -- 0x00 stands for No Error. This message at this stage indicates there are no services.
+  if result["ReturnValue"] == 0x00 then
+    return true, {}
+
+  -- 0x05 stands for Access Denied.
+  elseif result["ReturnValue"] == 0x05 then
+    return false, "Access is denied."
+
+  -- Checks for other error codes expect 0x7a and 0xea.
+  elseif not (result["ReturnValue"] == 0x7A or result["ReturnValue"] == 0xEA) then
+    return false, "Error occurred. Error code = " .. tostring(result["ReturnValue"])
+  end
+
+  ------- Functional calls here are made to retrieve the data -------------------------
+
+  local MAX_BUFFER_SIZE = 0xfa00
+  stdnse.debug3("MAX_BUFFER_SIZE = %d", MAX_BUFFER_SIZE)
+
+  -- Initalizes the lpResumeHandle parameter for the first call.
+  result["lpResumeHandle"] = 0x00
+
+  -- Loop runs until we retrieve all the data into our buffer.
+  repeat
+
+    -- cbbufsize parameter in enumservicestatusparams function *must* have a value
+    -- strictly less than result["pcbBytesNeeded"] retrieved from the above call.
+    --
+    -- If larger value is assigned to result["pcbBytesNeeded"], errored response
+    -- will be returned.
+    arguments = enumservicestatusparams(handle, DW_SERVICE_TYPE, DW_SERVICE_STATE, math.min(result["pcbBytesNeeded"], MAX_BUFFER_SIZE), result["lpResumeHandle"])
+
+    status, result = call_function(smbstate, 0x0e, arguments)
+
+    if status ~= true then
+      return false, result
+    end
+
+    arguments = result["arguments"]
+
+    -- Caches length for future use.
+    local length = arguments:len()
+
+    -- Last 4 bytes returns the return value.
+    _, result["ReturnValue"] = msrpctypes.unmarshall_int32(arguments, length - 3)
+    stdnse.debug("ReturnValue = %d", result["ReturnValue"])
+
+    -- Next last 8 bytes returns the lpResumeHandle.
+    _, result["lpResumeHandle"] = msrpctypes.unmarshall_int32_ptr(arguments, length - 11)
+    stdnse.debug("lpResumeHandle = %d", result["lpResumeHandle"])
+
+    -- Next last 4 bytes returns the number of services returned.
+    _, result["lpServicesReturned"] = msrpctypes.unmarshall_int32(arguments, length - 15)
+    stdnse.debug("lpServicesReturned = %d", result["lpServicesReturned"])
+
+    -- Next last 4 bytes returns the pcbBytesNeeded or pcbBytes left for next iteration.
+    _, result["pcbBytesNeeded"] = msrpctypes.unmarshall_int32(arguments, length - 19)
+    stdnse.debug("pcbBytesNeeded = %d", result["pcbBytesNeeded"])
+
+    -- Since we are receiving the length of arguments in the beginning of the buffer,
+    -- we have to exclude those bytes from our decoding functions.
+    -- The size of the buffer will be uint32 which is of 4 bytes and hence we
+    -- take the starting position as 5 for unmarshalling purposes.
+    pos = 5
+
+    -- Initializes local variables for future use.
+    local count = result["lpServicesReturned"]
+
+    -- Executes the loop until all the services are unmarshalled.
+    repeat
+
+      pos, serviceName, displayName, serviceStatus = unmarshall_enum_service_status(arguments, pos)
+
+      local t = stdnse.output_table()
+      t["display_name"] = displayName
+      t["state"] = serviceStatus["state"]
+      t["type"] = serviceStatus["type"]
+      t["controls_accepted"] = serviceStatus["controls_accepted"]
+
+      -- Stores the result in a table.
+      output[serviceName] = t
+
+      count = count - 1
+
+    until count < 1
+
+  until result["pcbBytesNeeded"] == 0
+
+  stdnse.debug3("MSRPC: EnumServiceStatus() returned successfully")
+
+  return true, output
+
+end
+
 ---Calls the function <code>JobAdd</code>, which schedules a process to be run
 -- on the remote machine.
 --
--- a/nselib/msrpctypes.lua
+++ b/nselib/msrpctypes.lua
@@ -4438,10 +4438,15 @@ end]]--

 local svcctl_State =
 {
-  SERVICE_STATE_ACTIVE   = 0x01,
-  SERVICE_STATE_INACTIVE = 0x02,
-  SERVICE_STATE_ALL      = 0x03
+  SERVICE_STOPPED          = 0x01,
+  SERVICE_START_PENDING    = 0x02,
+  SERVICE_STOP_PENDING     = 0x03,
+  SERVICE_RUNNING          = 0x04,
+  SERVICE_CONTINUE_PENDING = 0x05,
+  SERVICE_PAUSE_PENDING    = 0x06,
+  SERVICE_PAUSED           = 0x07,
 }
+
 ---Marshall a <code>svcctl_State</code>. This datatype is tied to the table above with that
 -- name.
 --
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -457,6 +457,7 @@ Entry { filename = "smb-double-pulsar-backdoor.nse", categories = { "malware", "
 Entry { filename = "smb-enum-domains.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "smb-enum-groups.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "smb-enum-processes.nse", categories = { "discovery", "intrusive", } }
+Entry { filename = "smb-enum-services.nse", categories = { "discovery", "intrusive", "safe", } }
 Entry { filename = "smb-enum-sessions.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "smb-enum-users.nse", categories = { "auth", "intrusive", } }
--- a/scripts/smb-enum-services.nse
+++ b/scripts/smb-enum-services.nse
@@ -0,0 +1,917 @@
+local msrpc = require "msrpc"
+local smb = require "smb"
+local stdnse = require "stdnse"
+local shortport = require "shortport"
+
+description = [[
+Retrieves the list of services running on a remote Windows system.
+Each service attribute contains service name, display name and service status of
+each service.
+
+Note: Modern Windows systems requires a privileged domain account in order to
+list the services.
+
+References:
+* https://technet.microsoft.com/en-us/library/bb490995.aspx
+* https://en.wikipedia.org/wiki/Windows_service
+]]
+
+---
+-- @usage
+-- nmap --script smb-enum-services.nse -p445 <host>
+-- nmap --script smb-enum-services.nse --script-args smbusername=<username>,smbpass=<password> -p445 <host>
+--
+-- @output
+-- | smb-enum-services:
+-- |
+-- |   ALG:
+-- |     display_name: Application Layer Gateway Service
+-- |     state:
+-- |       SERVICE_PAUSE_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_RUNNING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |       SERVICE_CONTROL_CONTINUE
+-- |       SERVICE_CONTROL_NETBINDADD
+-- |       SERVICE_CONTROL_STOP
+-- |       SERVICE_CONTROL_NETBINDENABLE
+-- |   ClipSrv:
+-- |     display_name: ClipBook
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   COMSysApp:
+-- |     display_name: COM+ System Application
+-- |     state:
+-- |       SERVICE_PAUSE_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_RUNNING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |       SERVICE_CONTROL_CONTINUE
+-- |       SERVICE_CONTROL_NETBINDADD
+-- |       SERVICE_CONTROL_STOP
+-- |       SERVICE_CONTROL_NETBINDENABLE
+-- |   Dfs:
+-- |     display_name: Distributed File System
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   ImapiService:
+-- |     display_name: IMAPI CD-Burning COM Service
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   IsmServ:
+-- |     display_name: Intersite Messaging
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   LicenseService:
+-- |     display_name: License Logging
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   mnmsrvc:
+-- |     display_name: NetMeeting Remote Desktop Sharing
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   MSDTC:
+-- |     display_name: Distributed Transaction Coordinator
+-- |     state:
+-- |       SERVICE_PAUSE_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_RUNNING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |       SERVICE_CONTROL_CONTINUE
+-- |       SERVICE_CONTROL_INTERROGATE
+-- |       SERVICE_CONTROL_NETBINDADD
+-- |       SERVICE_CONTROL_PARAMCHANGE
+-- |       SERVICE_CONTROL_STOP
+-- |       SERVICE_CONTROL_NETBINDENABLE
+-- |   NtFrs:
+-- |     display_name: File Replication
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   RDSessMgr:
+-- |     display_name: Remote Desktop Help Session Manager
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   rpcapd:
+-- |     display_name: Remote Packet Capture Protocol v.0 (experimental)
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   RpcLocator:
+-- |     display_name: Remote Procedure Call (RPC) Locator
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   Spooler:
+-- |     display_name: Print Spooler
+-- |     state:
+-- |       SERVICE_PAUSE_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_RUNNING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |       SERVICE_CONTROL_CONTINUE
+-- |       SERVICE_CONTROL_INTERROGATE
+-- |       SERVICE_CONTROL_NETBINDADD
+-- |       SERVICE_CONTROL_PARAMCHANGE
+-- |       SERVICE_CONTROL_STOP
+-- |       SERVICE_CONTROL_NETBINDENABLE
+-- |   swprv:
+-- |     display_name: Microsoft Software Shadow Copy Provider
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   SysmonLog:
+-- |     display_name: Performance Logs and Alerts
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   TlntSvr:
+-- |     display_name: Telnet
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   TPVCGateway:
+-- |     display_name: TP VC Gateway Service
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   Tssdis:
+-- |     display_name: Terminal Services Session Directory
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   UMWdf:
+-- |     display_name: Windows User Mode Driver Framework
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   UPS:
+-- |     display_name: Uninterruptible Power Supply
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   vds:
+-- |     display_name: Virtual Disk Service
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   VGAuthService:
+-- |     display_name: VMware Alias Manager and Ticket Service
+-- |     state:
+-- |       SERVICE_PAUSE_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_RUNNING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |       SERVICE_CONTROL_CONTINUE
+-- |       SERVICE_CONTROL_NETBINDADD
+-- |       SERVICE_CONTROL_STOP
+-- |       SERVICE_CONTROL_NETBINDENABLE
+-- |   VMTools:
+-- |     display_name: VMware Tools
+-- |     state:
+-- |       SERVICE_PAUSE_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_RUNNING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |       SERVICE_CONTROL_CONTINUE
+-- |       SERVICE_CONTROL_INTERROGATE
+-- |       SERVICE_CONTROL_NETBINDDISABLE
+-- |       SERVICE_CONTROL_PAUSE
+-- |       SERVICE_CONTROL_NETBINDADD
+-- |       SERVICE_CONTROL_PARAMCHANGE
+-- |       SERVICE_CONTROL_STOP
+-- |       SERVICE_CONTROL_NETBINDENABLE
+-- |   vmvss:
+-- |     display_name: VMware Snapshot Provider
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   VMware Physical Disk Helper Service:
+-- |     display_name: VMware Physical Disk Helper Service
+-- |     state:
+-- |       SERVICE_PAUSE_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_RUNNING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |       SERVICE_CONTROL_CONTINUE
+-- |       SERVICE_CONTROL_NETBINDADD
+-- |       SERVICE_CONTROL_STOP
+-- |       SERVICE_CONTROL_NETBINDENABLE
+-- |   VSS:
+-- |     display_name: Volume Shadow Copy
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |     controls_accepted:
+-- |
+-- |   WmiApSrv:
+-- |     display_name: WMI Performance Adapter
+-- |     state:
+-- |       SERVICE_STOPPED
+-- |       SERVICE_STOP_PENDING
+-- |       SERVICE_CONTINUE_PENDING
+-- |       SERVICE_PAUSED
+-- |     type:
+-- |       SERVICE_TYPE_WIN32
+-- |       SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |_    controls_accepted:
+--
+-- @xmloutput
+--
+-- <table key="ALG">
+-- <elem key="display_name">Application Layer Gateway Service</elem>
+-- <table key="state">
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_PAUSE_PENDING</elem>
+-- <elem>SERVICE_RUNNING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- <elem>SERVICE_CONTROL_NETBINDADD</elem>
+-- <elem>SERVICE_CONTROL_CONTINUE</elem>
+-- <elem>SERVICE_CONTROL_NETBINDENABLE</elem>
+-- <elem>SERVICE_CONTROL_STOP</elem>
+-- </table>
+-- </table>
+-- <table key="ClipSrv">
+-- <elem key="display_name">ClipBook</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="COMSysApp">
+-- <elem key="display_name">COM+ System Application</elem>
+-- <table key="state">
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_PAUSE_PENDING</elem>
+-- <elem>SERVICE_RUNNING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- <elem>SERVICE_CONTROL_NETBINDADD</elem>
+-- <elem>SERVICE_CONTROL_CONTINUE</elem>
+-- <elem>SERVICE_CONTROL_NETBINDENABLE</elem>
+-- <elem>SERVICE_CONTROL_STOP</elem>
+-- </table>
+-- </table>
+-- <table key="Dfs">
+-- <elem key="display_name">Distributed File System</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="ImapiService">
+-- <elem key="display_name">IMAPI CD-Burning COM Service</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="IsmServ">
+-- <elem key="display_name">Intersite Messaging</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="LicenseService">
+-- <elem key="display_name">License Logging</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="mnmsrvc">
+-- <elem key="display_name">NetMeeting Remote Desktop Sharing</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="MSDTC">
+-- <elem key="display_name">Distributed Transaction Coordinator</elem>
+-- <table key="state">
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_PAUSE_PENDING</elem>
+-- <elem>SERVICE_RUNNING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- <elem>SERVICE_CONTROL_NETBINDADD</elem>
+-- <elem>SERVICE_CONTROL_CONTINUE</elem>
+-- <elem>SERVICE_CONTROL_INTERROGATE</elem>
+-- <elem>SERVICE_CONTROL_NETBINDENABLE</elem>
+-- <elem>SERVICE_CONTROL_STOP</elem>
+-- <elem>SERVICE_CONTROL_PARAMCHANGE</elem>
+-- </table>
+-- </table>
+-- <table key="NtFrs">
+-- <elem key="display_name">File Replication</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="RDSessMgr">
+-- <elem key="display_name">Remote Desktop Help Session Manager</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="rpcapd">
+-- <elem key="display_name">Remote Packet Capture Protocol v.0 (experimental)</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="RpcLocator">
+-- <elem key="display_name">Remote Procedure Call (RPC) Locator</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="Spooler">
+-- <elem key="display_name">Print Spooler</elem>
+-- <table key="state">
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_PAUSE_PENDING</elem>
+-- <elem>SERVICE_RUNNING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- <elem>SERVICE_CONTROL_NETBINDADD</elem>
+-- <elem>SERVICE_CONTROL_CONTINUE</elem>
+-- <elem>SERVICE_CONTROL_INTERROGATE</elem>
+-- <elem>SERVICE_CONTROL_NETBINDENABLE</elem>
+-- <elem>SERVICE_CONTROL_STOP</elem>
+-- <elem>SERVICE_CONTROL_PARAMCHANGE</elem>
+-- </table>
+-- </table>
+-- <table key="swprv">
+-- <elem key="display_name">Microsoft Software Shadow Copy Provider</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="SysmonLog">
+-- <elem key="display_name">Performance Logs and Alerts</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="TlntSvr">
+-- <elem key="display_name">Telnet</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="TPVCGateway">
+-- <elem key="display_name">TP VC Gateway Service</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="Tssdis">
+-- <elem key="display_name">Terminal Services Session Directory</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="UMWdf">
+-- <elem key="display_name">Windows User Mode Driver Framework</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="UPS">
+-- <elem key="display_name">Uninterruptible Power Supply</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="vds">
+-- <elem key="display_name">Virtual Disk Service</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="VGAuthService">
+-- <elem key="display_name">VMware Alias Manager and Ticket Service</elem>
+-- <table key="state">
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_PAUSE_PENDING</elem>
+-- <elem>SERVICE_RUNNING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- <elem>SERVICE_CONTROL_NETBINDADD</elem>
+-- <elem>SERVICE_CONTROL_CONTINUE</elem>
+-- <elem>SERVICE_CONTROL_NETBINDENABLE</elem>
+-- <elem>SERVICE_CONTROL_STOP</elem>
+-- </table>
+-- </table>
+-- <table key="VMTools">
+-- <elem key="display_name">VMware Tools</elem>
+-- <table key="state">
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_PAUSE_PENDING</elem>
+-- <elem>SERVICE_RUNNING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- <elem>SERVICE_CONTROL_NETBINDADD</elem>
+-- <elem>SERVICE_CONTROL_CONTINUE</elem>
+-- <elem>SERVICE_CONTROL_INTERROGATE</elem>
+-- <elem>SERVICE_CONTROL_NETBINDDISABLE</elem>
+-- <elem>SERVICE_CONTROL_NETBINDENABLE</elem>
+-- <elem>SERVICE_CONTROL_STOP</elem>
+-- <elem>SERVICE_CONTROL_PAUSE</elem>
+-- <elem>SERVICE_CONTROL_PARAMCHANGE</elem>
+-- </table>
+-- </table>
+-- <table key="vmvss">
+-- <elem key="display_name">VMware Snapshot Provider</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="VMware Physical Disk Helper Service">
+-- <elem key="display_name">VMware Physical Disk Helper Service</elem>
+-- <table key="state">
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_PAUSE_PENDING</elem>
+-- <elem>SERVICE_RUNNING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- <elem>SERVICE_CONTROL_NETBINDADD</elem>
+-- <elem>SERVICE_CONTROL_CONTINUE</elem>
+-- <elem>SERVICE_CONTROL_NETBINDENABLE</elem>
+-- <elem>SERVICE_CONTROL_STOP</elem>
+-- </table>
+-- </table>
+-- <table key="VSS">
+-- <elem key="display_name">Volume Shadow Copy</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+-- <table key="WmiApSrv">
+-- <elem key="display_name">WMI Performance Adapter</elem>
+-- <table key="state">
+-- <elem>SERVICE_STOPPED</elem>
+-- <elem>SERVICE_PAUSED</elem>
+-- <elem>SERVICE_STOP_PENDING</elem>
+-- <elem>SERVICE_CONTINUE_PENDING</elem>
+-- </table>
+-- <table key="type">
+-- <elem>SERVICE_TYPE_WIN32_OWN_PROCESS</elem>
+-- <elem>SERVICE_TYPE_WIN32</elem>
+-- </table>
+-- <table key="controls_accepted">
+-- </table>
+-- </table>
+
+author = "Rewanth Cool"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"discovery","intrusive","safe"}
+
+portrule = shortport.port_or_service({445, 139}, "microsoft-ds", "tcp", "open")
+
+action = function(host, port)
+
+  local open_result
+  local close_result
+  local bind_result
+  local result
+
+  local status, smbstate = msrpc.start_smb(host, msrpc.SVCCTL_PATH)
+  status, bind_result = msrpc.bind(smbstate, msrpc.SVCCTL_UUID, msrpc.SVCCTL_VERSION, nil)
+
+  if(status == false) then
+    smb.stop(smbstate)
+    return nil, stdnse.format_output(false, bind_result)
+  end
+
+  -- Open the service manager
+  stdnse.debug2("Opening the remote service manager")
+
+  status, open_result = msrpc.svcctl_openscmanagerw(smbstate, host.ip)
+
+  if(status == false) then
+    smb.stop(smbstate)
+    return nil, stdnse.format_output(false, open_result)
+  end
+
+
+  --@param dwservicetype The type of services to be enumerated.
+  --                     Lookup table for dwservicetype is as follows:
+  --                       SERVICE_DRIVER - 0x0000000B
+  --                       SERVICE_FILE_SYSTEM_DRIVER - 0x00000002
+  --                       SERVICE_KERNEL_DRIVER - 0x00000001
+  --                       SERVICE_WIN32 - 0x00000030
+  --                       SERVICE_WIN32_OWN_PROCESS - 0x00000010 (default)
+  --                       SERVICE_WIN32_SHARE_PROCESS - 0x00000020
+  local dwservicetype = 0x00000010
+
+  --@param dwservicestate The state of the services to be enumerated.
+  --                      Lookup table for dwservicetype is as follows:
+  --                      SERVICE_ACTIVE - 0x00000001
+  --                      SERVICE_INACTIVE - 0x00000002
+  --                      SERVICE_STATE_ALL - 0x00000003 (default)
+  local dwservicestate = 0x00000001
+
+  -- Fetches service name, display name and service status of every service.
+  status, result = msrpc.svcctl_enumservicesstatusw(smbstate, open_result["handle"], dwservicetype, dwservicestate)
+
+  if(status == false) then
+    smb.stop(smbstate)
+    return nil, stdnse.format_output(false, result)
+  end
+
+  -- Close the service manager
+  stdnse.debug2("Closing the remote service manager")
+
+  status, close_result = msrpc.svcctl_closeservicehandle(smbstate, open_result['handle'])
+
+  smb.stop(smbstate)
+
+  return result
+
+end