> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security/enumeration-and-discovery/enumerating-users-without-net-services-without-sc-and-scheduled-tasks-without-schtasks.md).

# Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks

It is possible to use MMC snap-ins to enumerate local users and local groups, services, scheduled tasks, SMB shares and sessions on a system if you have an interactive desktop session on the compromised system either via RDP or if you are simulating an insider threat during a pentest and you are given a company's laptop.

## Why would you do it?

The use of well known lolbins like net, sc and schtasks on a host where an EDR solution is running is risky and may get you caught. Using snap-ins may help evade commandline detections SOC may be relying on.&#x20;

Of course, marketing department is unlikely to run mmc snap-ins either, so beware :)

## Enumerating Users and Local Groups

Launch mmc.exe, click File > Add\remove snap-in > Local users and Groups:

![](/files/-Lf1Op9_0cnfJxnro7x5)

## Enumerating Services

Same could be done for enumerating services running on the system:

![](/files/-Lf1QnvmvBwseLc7yPwH)

Note that `services.msc` could give you the same view.

## Enumerating Scheduled Tasks

![](/files/-Lf1R9I_NshCEr5P11Ae)

Persistence anyone? Note that `taskschd.msc` could give you the same view:

![](/files/-Lf1dOpeQPouvStO9hpN)

## Shares and Sessions

![](/files/-Lf1ghA2LFoTaIrnlwAJ)
