Windows Service
win_service
The Windows Service object describes a Windows service.
Attributes
Caption | Name | Type | Is Array | Default | Description |
---|---|---|---|---|---|
Command Line | cmd_line | String | The full command line used to launch the service. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 | ||
File | file | File | The service file object. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 | ||
Labels | labels | String | The list of labels associated with the service. | ||
Load Order Group | load_order_group | String | The name of the load ordering group of which this service is a member. | ||
Loaded Module | loaded_module_name | String | The name of the module loaded by the service. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 | ||
Name | name | String | The unique name of the service. | ||
Raw Data | raw_data | JSON | The event data as received from the event source. | ||
Record ID | record_id | String | Unique identifier for the object | ||
Run State | run_state | String | The service run state. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 | ||
Run State ID | run_state_id | Integer | The service run state ID. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 | ||
Service Category | service_category | String | The service category, normalized to the caption of the service_category_id value. In the case of 'Other', it is defined by the event source. | ||
Service Category ID | service_category_id | Integer | The normalized identifier of the service category. | ||
Service Dependencies | service_dependencies | String | The names of other services upon which this service has a dependency. | ||
Service Error Control | service_error_control | String | The service error control, normalized to the caption of the service_error_control_id value. In the case of 'Other', it is defined by the event source. | ||
Service Error Control ID | service_error_control_id | Integer | The normalized identifier of the service error control. | ||
Service Start Name | service_start_name | String | For a user mode service, this attribute represents the name of the account under which the service is run. For a kernel mode driver, this attribute represents the object name used to load the driver. | ||
Service Start Type | service_start_type | String | The service start type, normalized to the caption of the service_start_type_id value. In the case of 'Other', it is defined by the event source. | ||
Service Start Type ID | service_start_type_id | Integer | The normalized identifier of the service start type. | ||
Service Type | service_type | String | The service type, normalized to the caption of the service_type_id value. In the case of 'Other', it is defined by the event source. | ||
Service Type ID | service_type_id | Integer | The normalized identifier of the service type. | ||
Start Type | start_type | String | The service start type. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 | ||
Start Type ID | start_type_id | Integer | The service start type ID. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 | ||
Type IDs | type_ids | Integer | The service type identifiers. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 | ||
Types | types | String | The service types. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 | ||
Unique ID | uid | String | The unique identifier of the service. | ||
Unmapped Data | unmapped | Unmapped | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. | ||
Version | version | String | The version of the service. |
Referenced By
Context
JSON
{
"caption": "Windows Service",
"description": "The Windows Service object describes a Windows service.",
"extends": "service",
"name": "win_service",
"attributes": {
"name": {
"description": "The unique name of the service.",
"requirement": "required",
"caption": "Name",
"type": "string_t"
},
"cmd_line": {
"description": "The full command line used to launch the service.",
"requirement": "recommended",
"caption": "Command Line",
"type": "string_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
},
"observable": 13
},
"load_order_group": {
"requirement": "recommended",
"caption": "Load Order Group",
"description": "The name of the load ordering group of which this service is a member.",
"type": "string_t"
},
"service_category": {
"requirement": "optional",
"caption": "Service Category",
"description": "The service category, normalized to the caption of the service_category_id value. In the case of 'Other', it is defined by the event source.",
"type": "string_t"
},
"service_category_id": {
"requirement": "recommended",
"caption": "Service Category ID",
"description": "The normalized identifier of the service category.",
"sibling": "service_category",
"type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
"description": "The service category is unknown."
},
"1": {
"caption": "Kernel Mode",
"description": "A kernel mode driver."
},
"2": {
"caption": "User Mode",
"description": "A user mode service."
},
"99": {
"caption": "Other",
"description": "The service category is not mapped. See the <code>service_category</code> attribute, which contains an event source specific value."
}
}
},
"service_dependencies": {
"requirement": "recommended",
"caption": "Service Dependencies",
"description": "The names of other services upon which this service has a dependency.",
"type": "string_t",
"is_array": true
},
"service_error_control": {
"requirement": "optional",
"caption": "Service Error Control",
"description": "The service error control, normalized to the caption of the <code>service_error_control_id</code> value. In the case of 'Other', it is defined by the event source.",
"type": "string_t"
},
"service_error_control_id": {
"requirement": "recommended",
"caption": "Service Error Control ID",
"description": "The normalized identifier of the service error control.",
"sibling": "service_error_control",
"type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
"description": "The service error control is unknown."
},
"1": {
"caption": "Ignore",
"description": "The startup program ignores the error and continues the startup operation."
},
"2": {
"caption": "Normal",
"description": "The startup program logs the error in the event log but continues the startup operation."
},
"3": {
"caption": "Severe",
"description": "The startup program logs the error in the event log. If the last-known-good configuration is being started, the startup operation continues. Otherwise, the system is restarted with the last-known-good configuration."
},
"4": {
"caption": "Critical",
"description": "The startup program logs the error in the event log, if possible. If the last-known-good configuration is being started, the startup operation fails. Otherwise, the system is restarted with the last-known good configuration."
},
"99": {
"caption": "Other",
"description": "The service error control is not mapped. See the <code>service_error_control</code> attribute, which contains an event source specific value."
}
}
},
"service_start_name": {
"requirement": "recommended",
"caption": "Service Start Name",
"description": "For a user mode service, this attribute represents the name of the account under which the service is run. For a kernel mode driver, this attribute represents the object name used to load the driver.",
"type": "string_t"
},
"service_start_type": {
"requirement": "optional",
"caption": "Service Start Type",
"description": "The service start type, normalized to the caption of the <code>service_start_type_id</code> value. In the case of 'Other', it is defined by the event source.",
"type": "string_t"
},
"service_start_type_id": {
"requirement": "recommended",
"caption": "Service Start Type ID",
"description": "The normalized identifier of the service start type.",
"sibling": "service_start_type",
"type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
"description": "The service start type is unknown."
},
"1": {
"caption": "Boot",
"description": "A kernel mode driver loaded at boot."
},
"2": {
"caption": "System",
"description": "A kernel mode driver loaded during system startup."
},
"3": {
"caption": "Auto",
"description": "A user mode service started automatically during system startup."
},
"4": {
"caption": "Demand",
"description": "A user mode service started on demand when a process calls <code>StartService</code>."
},
"5": {
"caption": "Disabled",
"description": "A driver or service that cannot be started."
},
"99": {
"caption": "Other",
"description": "The service start type is not mapped. See the <code>service_start_type</code> attribute, which contains an event source specific value."
}
}
},
"service_type": {
"requirement": "optional",
"caption": "Service Type",
"description": "The service type, normalized to the caption of the service_type_id value. In the case of 'Other', it is defined by the event source.",
"type": "string_t"
},
"service_type_id": {
"requirement": "recommended",
"caption": "Service Type ID",
"description": "The normalized identifier of the service type.",
"sibling": "service_type",
"type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
"description": "The service type is unknown."
},
"1": {
"caption": "Kernel Driver",
"description": "A kernel mode driver."
},
"2": {
"caption": "File System Driver",
"description": "A kernel mode file system minifilter."
},
"3": {
"caption": "Own Process",
"description": "A user mode service that runs in its own process."
},
"4": {
"caption": "Share Process",
"description": "A user mode service that shares a process with other services."
},
"99": {
"caption": "Other",
"description": "The service type is not mapped. See the <code>service_type</code> attribute, which contains an event source specific value."
}
}
},
"labels": {
"description": "The list of labels associated with the service.",
"requirement": "optional",
"caption": "Labels",
"type": "string_t",
"is_array": true
},
"uid": {
"description": "The unique identifier of the service.",
"requirement": "recommended",
"caption": "Unique ID",
"type": "string_t"
},
"version": {
"description": "The version of the service.",
"requirement": "recommended",
"caption": "Version",
"type": "string_t"
},
"raw_data": {
"group": "context",
"caption": "Raw Data",
"description": "The event data as received from the event source.",
"type": "json_t"
},
"record_id": {
"description": "Unique identifier for the object",
"group": "primary",
"requirement": "required",
"caption": "Record ID",
"type": "string_t"
},
"unmapped": {
"caption": "Unmapped Data",
"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
"type": "unmapped",
"is_array": true
},
"types": {
"description": "The service types.",
"requirement": "optional",
"caption": "Types",
"is_array": true,
"type": "string_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"run_state": {
"description": "The service run state.",
"requirement": "optional",
"caption": "Run State",
"type": "string_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"run_state_id": {
"description": "The service run state ID.",
"requirement": "required",
"enum": {
"0": {
"caption": "Unknown",
"description": "The service run state is unknown."
},
"1": {
"caption": "Stopped",
"description": "The service is not running."
},
"2": {
"caption": "Start Pending",
"description": "The service is starting."
},
"3": {
"caption": "Stop Pending",
"description": "The service is stopping."
},
"4": {
"caption": "Running",
"description": "The service is running."
},
"5": {
"caption": "Continue Pending",
"description": "A continue request for the service is pending."
},
"6": {
"caption": "Pause Pending",
"description": "A pause request for the service is pending."
},
"7": {
"caption": "Paused",
"description": "The service is paused."
},
"-1": {
"caption": "Other",
"description": "The service run state is other."
},
"99": {
"caption": "Other",
"description": "The run state is not mapped. See the <code>run_state</code> attribute, which contains a data source specific value."
}
},
"caption": "Run State ID",
"sibling": "run_state",
"type": "integer_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"start_type_id": {
"description": "The service start type ID.",
"requirement": "required",
"caption": "Start Type ID",
"enum": {
"-1": {
"caption": "Other",
"description": "The start type is not mapped. See the <code>start_type</code> attribute, which contains a data source specific value."
},
"0": {
"caption": "Unknown",
"description": "The startup type is unknown."
},
"1": {
"caption": "Auto",
"description": "Started automatically during system startup."
},
"10": {
"caption": "System Changed",
"description": "Started when a system item, such as a file or registry key, changes."
},
"2": {
"caption": "Boot",
"description": "Started by the system loader."
},
"3": {
"caption": "Demand",
"description": "Started on demand. For example, by the Windows service control manager when a process calls the <i>StartService</i> function."
},
"4": {
"caption": "System",
"description": "Started by the <i>IoInitSystem</i> function."
},
"5": {
"caption": "Disabled",
"description": "Disabled."
},
"6": {
"caption": "All Logins",
"description": "Started on any user login."
},
"7": {
"caption": "Specific User Login",
"description": "Started on a specific user's login."
},
"8": {
"caption": "Interactive Login",
"description": "Started on interactive logins."
},
"9": {
"caption": "Scheduled",
"description": "Started according to a schedule."
}
},
"type": "integer_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"start_type": {
"description": "The service start type.",
"requirement": "optional",
"caption": "Start Type",
"type": "string_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"file": {
"description": "The service file object.",
"requirement": "required",
"caption": "File",
"type": "file",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"loaded_module_name": {
"requirement": "recommended",
"caption": "Loaded Module",
"description": "The name of the module loaded by the service.",
"type": "string_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"type_ids": {
"description": "The service type identifiers.",
"requirement": "required",
"caption": "Type IDs",
"enum": {
"-1": {
"caption": "Other",
"description": "The service type is not mapped. See the <code>types</code> attribute, which contains data source specific values."
},
"0": {
"caption": "Unknown",
"description": "The type is unknown"
},
"1": {
"caption": "Adapter",
"description": "Adapter"
},
"2": {
"caption": "File System Driver",
"description": "File system driver"
},
"3": {
"caption": "Kernel Driver",
"description": "Device driver"
},
"4": {
"caption": "Recognized Driver",
"description": "Recognized Driver"
},
"5": {
"caption": "Own Process",
"description": "The application runs in its own process"
},
"6": {
"caption": "Shared Process",
"description": "The application shares a process with other services"
},
"7": {
"caption": "Interactive",
"description": "The service can interact with the desktop"
},
"8": {
"caption": "Other",
"description": "U/X, OS X service"
},
"9": {
"caption": "Autoload",
"description": "The Mac OS X Autoload Application"
}
},
"is_array": true,
"type": "integer_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
}
},
"constraints": {
"at_least_one": [
"cmd_line",
"service_category_id",
"service_dependencies",
"service_error_control_id",
"service_start_name",
"service_start_type_id",
"service_type_id"
]
},
"extension": "windows"
}