Query Current Control Set Services information from the Registry

AID2112302027.YAML

#####aid_begin
#description: fetch the information of currentcontrolset services
#id: aid2112302027
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  get-bgregistry
#notes: |-
#  the hklm\system\currentcontrolset\services registry tree stores information about each service on the system. each driver has a key of the form hklm\system\currentcontrolset\services\drivername. the pnp manager passes this path of a driver in the registrypath parameter when it calls the driver's driverentry routine. a driver can store global driver-defined data under the parameters subkey of its key in the services tree. information that is stored under this key is available to the driver during its initialization.
#####aid_end
commands:
- Get-BGRegistry -StartKey "HKLM\SYSTEM\CurrentControlSet\Services" -MatchValueName -Pattern 'ImagePath'
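
Added example, not part of the original AID file and not how Get-BGRegistry is implemented: the same ImagePath inventory collected with built-in PowerShell cmdlets, with the Start and Type values of each service key decoded so the output can serve as a baseline of service and driver binaries. The function name Get-ServiceImagePath and the output property names are assumptions chosen for this sketch.

```powershell
# Added example: list every service/driver key that carries an ImagePath value.
# Uses only built-in cmdlets and .NET registry calls (Windows PowerShell 2.0 and later).
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Documented meanings of the Start and Type REG_DWORD values under a service key.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$typeNames  = @{ 1 = 'KernelDriver'; 2 = 'FileSystemDriver'; 16 = 'Win32OwnProcess'; 32 = 'Win32ShareProcess' }

function Resolve-Name($map, $value) {
    # Missing value: report nothing. Unknown or combined flags: report as hex.
    if ($null -eq $value) { return $null }
    if ($map.ContainsKey([int]$value)) { return $map[[int]$value] }
    return ('0x{0:X}' -f [int]$value)
}

function Get-ServiceImagePath {
    foreach ($key in Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue) {
        # Read the raw value so %SystemRoot% and similar variables stay visible.
        $raw = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        if ($null -eq $raw) { continue }   # many keys have no ImagePath

        New-Object PSObject -Property @{
            Service   = $key.PSChildName
            Start     = Resolve-Name $startNames $key.GetValue('Start')
            Type      = Resolve-Name $typeNames  $key.GetValue('Type')
            ImagePath = [string]$raw
            Expanded  = [Environment]::ExpandEnvironmentVariables([string]$raw)
        }
    }
}

# Sorted table for review; pipe to Export-Csv instead to keep a baseline for later comparison.
Get-ServiceImagePath |
    Sort-Object Service |
    Select-Object Service, Start, Type, ImagePath |
    Format-Table -AutoSize
```

Run it from an elevated session so keys with restrictive ACLs are not silently skipped by -ErrorAction SilentlyContinue.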
