Services and drivers


Malware can add new services or drivers to gain persistence, or modify existing ones to avoid detection.

For example, the ZeroAccess rootkit makes the following changes to the Windows Security Center (WSCSVC), Windows Defender (WINDEFEND) and Windows Firewall (MPSSVC) services, among others:

  • Set the ‘Start’ value to 4 (SERVICE_DISABLED), so the service is never started

  • Set the ‘DeleteFlag’ value to 1, marking the service for removal by the Service Control Manager

  • Set the ‘ErrorControl’ value to 0 (SERVICE_ERROR_IGNORE) and the ‘Type’ value to 32 (SERVICE_WIN32_SHARE_PROCESS), so that when the Service Control Manager fails to start the service it does so silently, without logging an error
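The following PowerShell function checks the three service keys named above for the four indicators just listed. It is an added example, not code from the original text or from any published ZeroAccess analysis. It assumes the standard location of the service keys under HKLM\SYSTEM\CurrentControlSet\Services; the parameter lets you point it at an offline SYSTEM hive loaded with reg load instead. Because Type=32 is the normal value for svchost-hosted services such as wscsvc and MpsSvc, the function only reports it when another indicator is also present, so it corroborates rather than fires on its own.

```powershell
function Test-ServiceTampering {
    [CmdletBinding()]
    param(
        # Root of the Services key. The default is the live system; for an
        # offline hive loaded with `reg load HKLM\Evidence C:\case\SYSTEM`
        # pass e.g. 'HKLM:\Evidence\ControlSet001\Services' (an offline hive
        # has no CurrentControlSet link, so pick the ControlSet00N that the
        # hive's Select\Current value names).
        [string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services',

        # Service key names to inspect; defaults to the three named in the text.
        [string[]]$ServiceName = @('wscsvc', 'WinDefend', 'MpsSvc')
    )

    foreach ($name in $ServiceName) {
        $key = Join-Path -Path $ServicesRoot -ChildPath $name

        # A missing key is itself suspicious: DeleteFlag=1 leads to removal
        # on the next reboot, so the tampering may already have completed.
        if (-not (Test-Path -LiteralPath $key)) {
            [pscustomobject]@{
                Service      = $name
                Start        = $null
                Type         = $null
                ErrorControl = $null
                DeleteFlag   = $null
                Indicators   = @('service key missing (already removed?)')
            }
            continue
        }

        $p = Get-ItemProperty -LiteralPath $key
        $indicators = @()

        if ($p.Start -eq 4) {
            $indicators += 'Start=4 (SERVICE_DISABLED)'
        }
        # DeleteFlag is normally absent; $null -eq 1 is false, so an absent
        # value simply does not match.
        if ($p.DeleteFlag -eq 1) {
            $indicators += 'DeleteFlag=1 (marked for deletion by the SCM)'
        }
        if ($p.ErrorControl -eq 0) {
            $indicators += 'ErrorControl=0 (SERVICE_ERROR_IGNORE: start failures not logged)'
        }
        # Type=32 (SERVICE_WIN32_SHARE_PROCESS) is the default for svchost-hosted
        # services, so report it only as corroboration of another indicator.
        if ($p.Type -eq 32 -and $indicators.Count -gt 0) {
            $indicators += 'Type=32 (SERVICE_WIN32_SHARE_PROCESS)'
        }

        [pscustomobject]@{
            Service      = $name
            Start        = $p.Start
            Type         = $p.Type
            ErrorControl = $p.ErrorControl
            DeleteFlag   = $p.DeleteFlag
            Indicators   = $indicators
        }
    }
}

# Usage: show only the services with at least one indicator.
Test-ServiceTampering |
    Where-Object { $_.Indicators.Count -gt 0 } |
    Format-Table Service, Start, Type, ErrorControl, DeleteFlag,
        @{ Name = 'Indicators'; Expression = { $_.Indicators -join '; ' } }
```

Run it from an elevated prompt on the live system, or against a loaded evidence hive with -ServicesRoot. A clean system returns no rows from the filtered pipeline; any row with Start=4 together with DeleteFlag=1 or ErrorControl=0 on one of these protection services is worth a closer look, since no normal administrative action sets that combination.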


The services and drivers settings can be found in the Windows Registry key: