Environment
- Audit and Remediation Console: All Versions
- Carbon Black Cloud Sensor: All Supported Versions
- Microsoft Windows: All Supported Versions
Question
Why do queries where user_account is retrieved from the services table return blank values for some Windows services?
Answer
Instances of per-user services are not populated with user account metadata in Windows.
Additional Notes
- This missing metadata can be verified in services.msc by reviewing the impacted service under Properties > Log On > User Account, or in regedit by checking for an ObjectName value for the service under Computer\HKLM\SYSTEM\CurrentControlSet\Services.
- Windows assigns unique names to per-user services by adding the logon session LUID as a suffix (e.g. CaptureService_123ab).
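
One way to separate the expected blanks from any others is the query below, an added example that is not part of the original article or vendor-supplied. It assumes the services table exposes the name, display_name, status, start_type, path and user_account columns, and it relies only on the suffix naming described above, so a match is a heuristic rather than proof.

```sql
-- Added example: triage services whose user_account is blank.
-- Assumption: osquery-style services table with the columns used below.
WITH blank AS (
  SELECT
    name,
    display_name,
    status,
    start_type,
    path,
    -- Text after the last underscore. rtrim() strips every trailing
    -- character that is not an underscore, leaving the prefix up to and
    -- including the last '_'; substr() then returns the remainder.
    substr(name, length(rtrim(name, replace(name, '_', ''))) + 1) AS suffix
  FROM services
  WHERE user_account = '' OR user_account IS NULL
)
SELECT
  name,
  display_name,
  status,
  start_type,
  path,
  CASE
    -- Per-user instances are named <base>_<LUID>, e.g. CaptureService_123ab:
    -- an underscore followed by a non-empty, purely hexadecimal suffix.
    WHEN instr(name, '_') > 0
     AND suffix <> ''
     AND suffix NOT GLOB '*[^0-9a-fA-F]*'
    THEN 'per-user instance (blank expected)'
    -- Anything else is blank for a different reason; confirm by checking
    -- the ObjectName value under the service's registry key.
    ELSE 'blank for another reason'
  END AS triage
FROM blank
ORDER BY triage, name;
```

A service that merely happens to end in an underscore plus hexadecimal characters will also land in the first bucket, so the ObjectName check in the registry remains the authoritative confirmation.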