您如何找到Windows服务的“最后修改日期”？

If you have a compromised Windows system and want to analyze when services were installed or modified, then how do you do that? Today’s SuperUser Q&A post has the answers to a curious reader’s question.

如果您的Windows系统受到感染，并且想分析何时安装或修改了服务，那么该怎么做？ 今天的“超级用户问答”帖子回答了一个好奇的读者的问题。

Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

今天的“问答”环节由SuperUser提供，它是Stack Exchange的一个分支，该社区是由社区驱动的Q＆A网站分组。

Notepad screenshot courtesy of Flyk (SuperUser).

记事本屏幕截图由Flyk(SuperUser)提供 。

问题 (The Question)

SuperUser reader Lucas Kauffman wants to know how to find the Creation Date (or Last Modified Date) for services in Windows:

超级用户读者Lucas Kauffman想知道如何为Windows中的服务查找创建日期 (或上次修改日期 )：

If you have a compromised operating system that you are trying to analyze for newly installed services or when services were installed, how do you do that? Where can I find the Creation Date for a particular service in the Windows registry?

如果您有一个受损的操作系统试图分析新安装的服务或安装服务的时间，那么该怎么做？ 在Windows注册表中，哪里可以找到特定服务的创建日期 ？

How do you find the Creation Date or Last Modified Date for services in Windows?

如何在Windows中找到服务的创建日期或上次修改日期 ？

答案 (The Answer)

SuperUser contributors Flyk and Andrew Medico have the answer for us. First up, Flyk:

超级用户贡献者Flyk和Andrew Medico为我们找到了答案。 首先，Flyk：

There is no way to determine the Creation Date for a particular Windows service as both the services applet and Windows registry do not store any dates related to creation.

无法确定特定Windows服务的创建日期 ，因为服务小程序和Windows注册表都不存储与创建相关的任何日期。

There is, however, a Last Modified Date that is hidden away from view (even in the Windows registry editor), but it can be accessed using RegQueryInfoKey. Since all Windows services are stored in the registry, you can check the Last Modified Date against the registry keys related to the service in question by looking in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

但是，有一个“ 最后修改日期”隐藏在视图之外(即使在Windows注册表编辑器中)，但可以使用RegQueryInfoKey对其进行访问。 由于所有Windows服务都存储在注册表中，因此可以通过查看HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services来与与该服务相关的注册表项检查上次修改日期 。

Alternatively, if you export the registry keys you want information about as text file, you will see the Last Modified Date for each key is written in the text file.

或者，如果将想要的信息作为注册表文件导出，则将看到每个注册表项的上次修改日期都写在文本文件中。

Finally, a solution using PowerShell to return the Last Modified Date has already been discussed on Stack Overflow.

最后，已经在Stack Overflow上讨论了使用PowerShell返回最后修改日期的解决方案。

Followed by the answer from Andrew Medico:

随后是Andrew Medico的回答：

Starting with Vista, service creation is logged to the System Event Log under Service Control Manager Event ID 7045.

从Vista开始，服务创建将记录到服务控制管理器事件ID 7045下的系统事件日志中 。

For example, the following command:

例如，以下命令：

Produced the following event log entry:

产生了以下事件日志条目：

---

---

Have something to add to the explanation? Sound off in the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.

有什么补充说明吗？ 在评论中听起来不错。 是否想从其他精通Stack Exchange的用户那里获得更多答案？ 在此处查看完整的讨论线程 。

翻译自: https://www.howtogeek.com/205548/how-do-you-find-the-last-modified-date-for-services-in-windows/