Windows Service

The Windows Service object describes a Windows service.

Attributes

Caption	Name	Type	Description
Command Line	`cmd_line`	String	The full command line used to launch the service. 🚧 WARNING: DEPRECATED Command Line has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
File	`file`	File[]	The service file object. 🚧 WARNING: DEPRECATED File has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Labels	`labels`	String[]	The list of labels associated with the service.
Load Order Group	`load_order_group`	String	The name of the load ordering group of which this service is a member.
Loaded Module	`loaded_module_name`	String	The name of the module loaded by the service. 🚧 WARNING: DEPRECATED Loaded Module has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Name	`name`	String	The unique name of the service.
Raw Data	`raw_data`	JSON	The event data as received from the event source.
Record ID	`record_id`	String	Unique identifier for the object
Run State	`run_state`	String	The service run state. 🚧 WARNING: DEPRECATED Run State has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Run State ID	`run_state_id`	Integer	The service run state ID. 🚧 WARNING: DEPRECATED Run State ID has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `-1`: Other (`OTHER`) `0`: Unknown (`UNKNOWN`) `1`: Stopped (`STOPPED`) `2`: Start Pending (`START_PENDING`) `3`: Stop Pending (`STOP_PENDING`) `4`: Running (`RUNNING`) `5`: Continue Pending (`CONTINUE_PENDING`) `6`: Pause Pending (`PAUSE_PENDING`) `7`: Paused (`PAUSED`) `99`: Other (`OTHER`)
Service Category	`service_category`	String	The service category, normalized to the caption of the service_category_id value. In the case of 'Other', it is defined by the event source.
Service Category ID	`service_category_id`	Integer	The normalized identifier of the service category. `0`: Unknown (`UNKNOWN`) `1`: Kernel Mode (`KERNEL_MODE`) `2`: User Mode (`USER_MODE`) `99`: Other (`OTHER`)
Service Dependencies	`service_dependencies`	String[]	The names of other services upon which this service has a dependency.
Service Error Control	`service_error_control`	String	The service error control, normalized to the caption of the `service_error_control_id` value. In the case of 'Other', it is defined by the event source.
Service Error Control ID	`service_error_control_id`	Integer	The normalized identifier of the service error control. `0`: Unknown (`UNKNOWN`) `1`: Ignore (`IGNORE`) `2`: Normal (`NORMAL`) `3`: Severe (`SEVERE`) `4`: Critical (`CRITICAL`) `99`: Other (`OTHER`)
Service Start Name	`service_start_name`	String	For a user mode service, this attribute represents the name of the account under which the service is run. For a kernel mode driver, this attribute represents the object name used to load the driver.
Service Start Type	`service_start_type`	String	The service start type, normalized to the caption of the `service_start_type_id` value. In the case of 'Other', it is defined by the event source.
Service Start Type ID	`service_start_type_id`	Integer	The normalized identifier of the service start type. `0`: Unknown (`UNKNOWN`) `1`: Boot (`BOOT`) `2`: System (`SYSTEM`) `3`: Auto (`AUTO`) `4`: Demand (`DEMAND`) `5`: Disabled (`DISABLED`) `99`: Other (`OTHER`)
Service Type	`service_type`	String	The service type, normalized to the caption of the service_type_id value. In the case of 'Other', it is defined by the event source.
Service Type ID	`service_type_id`	Integer	The normalized identifier of the service type. `0`: Unknown (`UNKNOWN`) `1`: Kernel Driver (`KERNEL_DRIVER`) `2`: File System Driver (`FILE_SYSTEM_DRIVER`) `3`: Own Process (`OWN_PROCESS`) `4`: Share Process (`SHARE_PROCESS`) `99`: Other (`OTHER`)
Start Type	`start_type`	String	The service start type. 🚧 WARNING: DEPRECATED Start Type has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Start Type ID	`start_type_id`	Integer	The service start type ID. 🚧 WARNING: DEPRECATED Start Type ID has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `-1`: Other (`OTHER`) `0`: Unknown (`UNKNOWN`) `1`: Auto (`AUTO`) `10`: System Changed (`SYSTEM_CHANGED`) `2`: Boot (`BOOT`) `3`: Demand (`DEMAND`) `4`: System (`SYSTEM`) `5`: Disabled (`DISABLED`) `6`: All Logins (`ALL_LOGINS`) `7`: Specific User Login (`SPECIFIC_USER_LOGIN`) `8`: Interactive Login (`INTERACTIVE_LOGIN`) `9`: Scheduled (`SCHEDULED`)
Type IDs	`type_ids`	Integer[]	The service type identifiers. 🚧 WARNING: DEPRECATED Type IDs has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `-1`: Other (`OTHER`) `0`: Unknown (`UNKNOWN`) `1`: Adapter (`ADAPTER`) `2`: File System Driver (`FILE_SYSTEM_DRIVER`) `3`: Kernel Driver (`KERNEL_DRIVER`) `4`: Recognized Driver (`RECOGNIZED_DRIVER`) `5`: Own Process (`OWN_PROCESS`) `6`: Shared Process (`SHARED_PROCESS`) `7`: Interactive (`INTERACTIVE`) `8`: Other (`OTHER`) `9`: Autoload (`AUTOLOAD`)
Types	`types`	String[]	The service types. 🚧 WARNING: DEPRECATED Types has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Unique ID	`uid`	String	The unique identifier of the service.
Unmapped Data	`unmapped`	Unmapped[]	The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
Version	`version`	String	The version of the service.

Relationships

Inbound Relationships

These objects and events reference Windows Service in their attributes:

Outbound Relationships

Windows Service references the following objects and events in its attributes:

This page describes qdm-1.3.2+ocsf-1.3.0