The Scm tool connects to the Service Control Manager on a remote Windows system and lets you query service status, inspect service triggers, create new services, start and stop services, and delete services.

Subcommands

Command     Description
query       Query the status of services
qtriggers   Query the triggers configured for a service
create      Create and optionally start a new service
start       Start a service
stop        Stop a service
delete      Delete a service

For help on any subcommand, run Scm <subcommand> -h.

Common options

All Scm subcommands share these authentication and connection options:
-UserName (-u)
UserPrincipalName
User name to authenticate with (not including the domain).
-UserDomain (-ud)
string
Domain of the authenticating user.
-Password (-p)
string
Password to authenticate with.
-NtlmHash
hexadecimal hash
NTLM hash for pass-the-hash authentication.
-Anonymous
boolean
Use anonymous login.
-Kdc (-K)
host:port
KDC endpoint. Required to enable Kerberos.
-Tgt
string
Path to a TGT file (.kirbi or ccache).
-TicketCache
string
Ticket cache file.
-AesKey
HexString
AES-128 or AES-256 Kerberos key.
-HostAddress (-ha)
string[]
Override network address(es) of the server.
-UseTcp4Only (-4)
boolean
Use TCP over IPv4 only.
-UseTcp6Only (-6)
boolean
Use TCP over IPv6 only.
-EncryptRpc
boolean
Encrypt RPC messages.
-PreferSmb
boolean
Connect over a named pipe instead of TCP when supported.
-Socks5
host:port
SOCKS5 proxy endpoint.

query

Queries the status of services on a remote system. Returns all services by default; filter by type or state to narrow results.
Scm query [options] <ServerName>
ServerName
string
required
RPC server to interact with.
-Types
ServiceTypes[]
Filter by service type. Possible values: None, KernelDriver, FileSystemDriver, OwnProcess, SharedProcess, All.
-States
ServiceStates[]
Filter by service state. Possible values: None, Active, Inactive, All.
-OutputFields
string[]
Fields to display. Available: ServiceName, DisplayName, ServiceType, State, Win32ExitCode, SpecificExitCode.
-ConsoleOutputStyle (-OutputStyle)
string
Output format: Freeform, Raw, Table, List, Csv, Tsv, Json.

Examples

# Query all services
Scm query LUMON-DC1 -UserName milchick -Password Br3@kr00m!

# Query only running services
Scm query LUMON-DC1 -UserName milchick -Password Br3@kr00m! -States Active

# Query only kernel drivers
Scm query LUMON-DC1 -UserName milchick -Password Br3@kr00m! -Types KernelDriver

qtriggers

Queries the triggers configured to automatically start or stop a service.
Scm qtriggers [options] <ServerName> <ServiceName>
ServerName
string
required
RPC server to interact with.
ServiceName
string[]
required
Name(s) of services to query. Use * to query all services.
-OutputFields
string[]
Fields to display. Available: ServiceName, TriggerType, TriggerTypeDescription, Action, Data0.

create

Creates a new service on a remote system and optionally starts it immediately. By default the service runs as LocalSystem and starts on demand (Demand start type).
Scm create [options] <ServerName> <ServiceName> [<BinPath>]
ServerName
string
required
RPC server to interact with.
ServiceName
string
required
Internal name of the service to create.
BinPath
string
Command line for the service executable.
-DisplayName
string
Human-readable display name for the service.
-ServiceType
ServiceTypes
default:"OwnProcess"
Type of service. Possible values: None, KernelDriver, FileSystemDriver, OwnProcess, SharedProcess, All.
-StartType
ServiceStartType
default:"Demand"
Start type. Possible values: Boot, System, Auto, Demand, Disabled.
-ErrorControl
ServiceErrorControl
default:"Normal"
Error control. Possible values: Ignore, Normal, Severe, Critical.
-StartName
string
default:"LocalSystem"
Account to run the service as.
-StartPassword
string
Password of the service account.
-Dependencies (-deps)
string[]
List of services this service depends on.
-LoadOrderGroup
string
Load order group.
-Start
boolean
Start the service immediately after creating it.

Examples

# Create and start a service
Scm create LUMON-DC1 -UserName milchick -Password Br3@kr00m! -EncryptRpc myservice -DisplayName "My Service" C:\\windows\\system32\\cmd.exe -Start
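
Added example, not part of the Scm documentation: a service created this way is recorded on the target in the System event log as event ID 7045 from Service Control Manager. The Python code below triages 7045 records exported as XML and reports services whose image is a command interpreter, noting when they also match the LocalSystem and demand-start defaults described above. The sample events, the `INTERPRETERS` watch list and the function names are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # assumed watch list

# Constructed sample (not real telemetry): two 7045 records in exported-XML form.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID>7045</EventID></System>
<EventData><Data Name="ServiceName">myservice</Data>
<Data Name="ImagePath">C:\windows\system32\cmd.exe</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSystem</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID>7045</EventID></System>
<EventData><Data Name="ServiceName">VendorAgent</Data>
<Data Name="ImagePath">"C:\Program Files\Vendor\agent.exe" -run</Data>
<Data Name="StartType">auto start</Data>
<Data Name="AccountName">LocalSystem</Data></EventData>
</Event>
</Events>"""

def image_name(image_path):
    """File name of the executable in a service command line (quoted or bare path)."""
    p = image_path.strip()
    exe = p[1:].split('"', 1)[0] if p.startswith('"') else p.split(" ", 1)[0]
    return ntpath.basename(exe).lower()

def triage(xml_text):
    """Return 7045 records whose image is an interpreter, with supporting reasons."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "7045":
            continue
        d = {x.get("Name"): x.text or "" for x in ev.findall("e:EventData/e:Data", NS)}
        if image_name(d.get("ImagePath", "")) not in INTERPRETERS:
            continue
        d["Reasons"] = ["service image is a command interpreter"]
        # Weak signal on its own, so it is only recorded as supporting context.
        if d.get("AccountName", "").lower() == "localsystem" and d.get("StartType") == "demand start":
            d["Reasons"].append("LocalSystem with demand start")
        findings.append(d)
    return findings
```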

start

Starts a service on a remote system. Optionally pass arguments to the service.
Scm start [options] <ServerName> <ServiceName> [<ServiceArgs>]
ServerName
string
required
RPC server to interact with.
ServiceName
string
required
Name of the service to start.
ServiceArgs
string[]
Optional arguments to pass to the service.

Examples

# Start a service
Scm start LUMON-DC1 -UserName milchick -Password Br3@kr00m! -EncryptRpc myservice

# Start a service with arguments
Scm start LUMON-DC1 -UserName milchick -Password Br3@kr00m! -EncryptRpc myservice arg1 arg2 arg3

stop

Stops a running service on a remote system.
Scm stop [options] <ServerName> <ServiceName>
ServerName
string
required
RPC server to interact with.
ServiceName
string
required
Name of the service to stop.

Examples

Scm stop LUMON-DC1 -UserName milchick -Password Br3@kr00m! -EncryptRpc myservice

delete

Deletes a service from a remote system.
Scm delete [options] <ServerName> <ServiceName>
ServerName
string
required
RPC server to interact with.
ServiceName
string
required
Name of the service to delete.

Examples

Scm delete LUMON-DC1 -UserName milchick -Password Br3@kr00m! -EncryptRpc myservice

  • Wmi — execute commands and invoke methods remotely via WMI
  • Epm — enumerate dynamic RPC endpoints
