Services.exe is part of the Service Control Manager (SCM), which is responsible for managing and interacting with Windows service processes. Services interact with the SCM through an API, and that same API is used by other service management tools such as sc.exe.


Security Analysis
Look at the typical parents of services.exe. It should only ever be launched by wininit.exe. Knowing the typical parents and children of a process helps identify cases where that process may be acting maliciously. If you see services.exe being launched by something other than wininit.exe in your environment, it's definitely worth investigating for signs of other malicious behavior. Also, if the version of services.exe running in your environment doesn't match one of the common hashes, it's likely to be a malicious process running under the name of a common Windows process (services.exe in this case) to fly under the radar and avoid being noticed.

Services.exe should never launch a shell (i.e. CMD, PowerShell, MSBuild, Linux subsystem). However, this behavior has historically been seen in targeted attacks and penetration tests. Initial response should include looking for further suspicious activity in the command shell's process tree, as well as asking the system owner or administrator whether this activity is expected.
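
The three checks described above (parent, hash, shell child) can be run over process-creation telemetry. The following is an added example, not EchoTrail code: the event field names, the shell file names and the hash allowlist placeholder are assumptions, and the sample events are constructed.

```python
import ntpath

# File names for the shell categories the page lists (CMD, PowerShell,
# MSBuild, Linux subsystem); the exact names are an assumption.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "msbuild.exe",
          "wsl.exe", "bash.exe"}

# Placeholder allowlist: replace with the services.exe hashes known good
# in your own fleet. The page does not list any hash values.
KNOWN_GOOD_HASHES = {"PLACEHOLDER_KNOWN_GOOD_SERVICES_EXE_HASH"}

def base(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return ntpath.basename(path or "").lower()

def check_event(ev):
    """Return the list of findings for one process-creation event."""
    findings = []
    image, parent = base(ev.get("Image")), base(ev.get("ParentImage"))
    if image == "services.exe":
        # services.exe should only ever be launched by wininit.exe.
        if parent != "wininit.exe":
            findings.append("unexpected_parent")
        # A binary with this name but an unfamiliar hash may be a masquerade.
        if ev.get("Hash") not in KNOWN_GOOD_HASHES:
            findings.append("unknown_hash")
    # services.exe should never launch a shell.
    if parent == "services.exe" and image in SHELLS:
        findings.append("shell_child")
    return findings

def triage(events):
    """Return (index, findings) for every event with at least one finding."""
    return [(i, f) for i, ev in enumerate(events) if (f := check_event(ev))]

GOOD = "PLACEHOLDER_KNOWN_GOOD_SERVICES_EXE_HASH"
W = "C:\\Windows\\System32\\"
# Constructed sample events; all values are invented for illustration.
SAMPLE_EVENTS = [
    {"Image": W + "services.exe", "ParentImage": W + "wininit.exe", "Hash": GOOD},
    {"Image": "C:\\Users\\Public\\services.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "Hash": "CONSTRUCTED_UNKNOWN"},
    {"Image": W + "svchost.exe", "ParentImage": W + "services.exe"},
    {"Image": W + "cmd.exe", "ParentImage": W + "services.exe"},
    {"Image": W + "WindowsPowerShell\\v1.0\\PowerShell.EXE",
     "ParentImage": W + "services.exe"},
]

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], findings)
```

Matching on file name alone will not catch a look-alike wininit.exe started from another directory, so compare the full parent path as well when the telemetry provides it.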