Audit and Remediation: Why Are Some User Accounts Missing When Querying the Services Table?

Article ID: 289837

Products

Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)

Issue/Introduction

Why do queries where user_account is retrieved from the services table return blank values for some Windows services?

Environment

  • Audit and Remediation Console: All Versions
  • Carbon Black Cloud Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

Windows does not populate user account metadata for instances of per-user services, so user_account is returned blank for them.

Additional Information

  • The missing metadata can be verified in services.msc by reviewing the impacted service under Properties > Log On > User Account, or in Registry Editor (regedit) by checking whether the service has an ObjectName value under Computer\HKLM\SYSTEM\CurrentControlSet\Services.
  • Windows assigns unique names to per-user services by adding the logon session LUID as a suffix (e.g. CaptureService_123ab).
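
The query below is an added example, not part of the original article. It lists services with a blank user_account, joins each to its ObjectName registry value, and separates likely per-user instances from entries that need review. It assumes the sensor's osquery exposes the standard Windows `registry` table; the "_<hex digits>" name test is a constructed heuristic based on the naming rule above.

```sql
-- Added example: triage services whose user_account is blank.
-- Assumption: a name ending in "_" followed only by hex digits is a
-- per-user service instance (heuristic built from the LUID suffix rule).
SELECT
  s.name,
  s.display_name,
  s.status,
  s.start_type,
  s.path,
  -- Empty here means the service key has no ObjectName value,
  -- matching the manual registry check described above.
  COALESCE(r.data, '') AS registry_object_name,
  CASE
    WHEN s.name GLOB '*_[0-9a-fA-F]*'
     AND s.name NOT GLOB '*_*[^0-9a-fA-F]*'
    THEN 'likely per-user instance'
    ELSE 'review'
  END AS assessment
FROM services AS s
LEFT JOIN (
  -- One row per service key that carries an ObjectName value.
  SELECT key, data
  FROM registry
  WHERE key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%'
    AND name = 'ObjectName'
) AS r
  -- Service names are case-insensitive, so compare without case.
  ON r.key = ('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\' || s.name) COLLATE NOCASE
WHERE COALESCE(s.user_account, '') = ''
ORDER BY assessment, s.name;
```

Rows marked 'review' have a blank account without matching the per-user naming pattern; confirm those manually before treating the blank value as expected.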