Service module reference
The service module exposes helpers around the Windows Service Control Manager (SCM). Each command is invoked from the mimikatz console as service::<command> [options] and ultimately maps to the functions defined in kuhl_m_service.c and kull_m_service.c.
Note
Unless stated otherwise, every command requires at least one argument: the service name to operate on. The functions simply forward the first argument to the Windows SCM APIs with no additional parsing, so the name must match exactly the registered service identifier rather than the display name.【F:mimikatz/modules/kuhl_m_service.c†L45-L67】【F:modules/kull_m_service.c†L31-L75】
| Command | Description |
|---|---|
service::start |
Start a stopped service. |
service::remove |
Delete a service definition from the SCM database. |
service::stop |
Send a stop control to a running service. |
service::suspend |
Pause a service that supports the pause/continue contract. |
service::resume |
Resume a paused service. |
service::preshutdown |
Issue the preshutdown notification so the service can clean up before shutdown. |
service::shutdown |
Issue a shutdown control for services that register for it. |
service::list |
Reserved for enumerating services (currently a stub). |
service::+ |
Register mimikatz itself as a service and launch it. |
service::- |
Stop and remove the mimikatz service. |
service::me |
Run mimikatz in service mode via StartServiceCtrlDispatcher. |
The sections below document each command, the parameters they accept, and when to use them.
service::startservice::start <ServiceName>service::start simply calls StartService with zero arguments through kull_m_service_start. Use it to transition a stopped service into the running state when you possess SERVICE_START rights on the target service.【F:mimikatz/modules/kuhl_m_service.c†L69-L72】【F:modules/kull_m_service.c†L26-L41】 Starting a service is often the first step after registering it or after modifying its configuration.
service::removeservice::remove <ServiceName>service::remove wraps DeleteService to erase the service definition from the SCM database.【F:mimikatz/modules/kuhl_m_service.c†L74-L77】【F:modules/kull_m_service.c†L43-L58】 Use this command after you no longer need a service entry, such as cleaning up artifacts left by service::+ or another deployment.
service::stopservice::stop <ServiceName>The stop command uses ControlService with SERVICE_CONTROL_STOP and requests SERVICE_STOP access.【F:mimikatz/modules/kuhl_m_service.c†L79-L82】【F:modules/kull_m_service.c†L60-L81】 In typical builds the first argument (the service name) is the only accepted parameter.
When mimikatz is compiled with SERVICE_INCONTROL (disabled by default in inc/globals.h), providing additional arguments causes the module to inject into services.exe and call the internal ScSendControl routine. This path bypasses standard access checks, which is why it is guarded by a build flag and restricted to Windows 7 or later.【F:mimikatz/modules/kuhl_m_service.c†L45-L62】【F:inc/globals.h†L21-L43】 Use this capability only when you explicitly enable the flag and need to stop a service without owning SERVICE_STOP rights.
service::suspendservice::suspend <ServiceName>SERVICE_INCONTROL support as described for service::stop.Suspends a service by issuing SERVICE_CONTROL_PAUSE and requesting SERVICE_PAUSE_CONTINUE rights.【F:mimikatz/modules/kuhl_m_service.c†L84-L87】【F:modules/kull_m_service.c†L60-L90】 Use it when you need to temporarily pause a service that advertises pause/continue support—for example, to freeze activity while inspecting its state.
service::resumeservice::resume <ServiceName>SERVICE_INCONTROL support as described for service::stop.service::resume issues a SERVICE_CONTROL_CONTINUE control to restart work on a previously paused service.【F:mimikatz/modules/kuhl_m_service.c†L89-L92】【F:modules/kull_m_service.c†L60-L90】 Use it after service::suspend once you are ready for the service to resume processing.
service::preshutdownservice::preshutdown <ServiceName>SERVICE_INCONTROL support as described for service::stop.This command sends SERVICE_CONTROL_PRESHUTDOWN and therefore needs SERVICE_ALL_ACCESS.【F:mimikatz/modules/kuhl_m_service.c†L94-L97】【F:modules/kull_m_service.c†L60-L100】 Use it to give services that registered for preshutdown notifications more time to clean up before the system shuts down.
service::shutdownservice::shutdown <ServiceName>SERVICE_INCONTROL support as described for service::stop.service::shutdown maps to SERVICE_CONTROL_SHUTDOWN and also requires full service access.【F:mimikatz/modules/kuhl_m_service.c†L99-L102】【F:modules/kull_m_service.c†L60-L101】 Trigger it for services that need to be informed of a system shutdown event without stopping the entire machine yourself.
service::listservice::listservice::list is currently a stub that immediately returns success without enumerating services.【F:mimikatz/modules/kuhl_m_service.c†L104-L107】 Treat it as a placeholder for future development.
service::+service::+service::+ (also exposed as service::installme) registers the current mimikatz binary as a Windows service named mimikatzsvc, sets it to auto-start, grants “Everyone” broad control rights, and immediately starts it.【F:mimikatz/modules/kuhl_m_service.c†L109-L145】【F:modules/kull_m_service.c†L103-L200】 Use this when you want persistent or repeated service-based execution of mimikatz—for example, before enabling service::me on the next boot.
service::-service::-The uninstall helper first attempts to stop mimikatzsvc (ignoring the “service not running” error) and then deletes the service entry.【F:mimikatz/modules/kuhl_m_service.c†L141-L145】【F:modules/kull_m_service.c†L183-L203】 Run it to cleanly remove the service created by service::+ and avoid leaving traces.
service::meservice::meservice::me registers a service control handler, transitions mimikatz into the running state, and waits on an event handle until the service is stopped.【F:mimikatz/modules/kuhl_m_service.c†L147-L199】 Use this command only after service::+ has registered the service entry; it hands control back to the Service Control Manager so mimikatz behaves like a legitimate service until the stop signal arrives.
When running in service mode, mimikatz handles pause, continue, stop, and shutdown controls to maintain accurate status reporting and to exit cleanly once a stop or shutdown occurs.【F:mimikatz/modules/kuhl_m_service.c†L158-L199】 Understanding this flow is important if you plan to customize the service behavior or extend the module.