diff --git a/atomics/T1489/T1489.md b/atomics/T1489/T1489.md
index 65edaacb..7bad1883 100644
--- a/atomics/T1489/T1489.md
+++ b/atomics/T1489/T1489.md
@@ -32,6 +32,10 @@ sc.exe stop #{service_name}
 ```
+#### Cleanup Commands:
+```
+sc.exe start #{service_name}
+```

@@ -53,6 +57,10 @@ net.exe stop #{service_name}
 ```
+#### Cleanup Commands:
+```
+net.exe start #{service_name}
+```

@@ -67,7 +75,7 @@ This technique was used by WannaCry. #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| process_name | Name of a process to kill | String | sqlwriter.exe| +| process_name | Name of a process to kill | String | spoolsv.exe| #### Run it with `command_prompt`! ``` diff --git a/atomics/index.yaml b/atomics/index.yaml index 829c5021..a1c16a0f 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -14026,6 +14026,9 @@ impact: elevation_required: true command: 'sc.exe stop #{service_name} +' + cleanup_command: 'sc.exe start #{service_name} + ' - name: Windows - Stop service using net.exe description: 'Stops a specified service using the net.exe command. @@ -14043,6 +14046,9 @@ impact: elevation_required: true command: 'net.exe stop #{service_name} +' + cleanup_command: 'net.exe start #{service_name} + ' - name: Windows - Stop service by killing process description: "Stops a specified service killng the service's process. \nThis @@ -14053,7 +14059,7 @@ impact: process_name: description: Name of a process to kill type: String - default: sqlwriter.exe + default: spoolsv.exe executor: name: command_prompt elevation_required: false
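Review bot: The new `cleanup_command: 'sc.exe start #{service_name}` in the first index.yaml hunk starts the service unconditionally, so it only restores the host when the service was running before the test. If the service was already stopped or disabled, cleanup either fails or leaves the machine in a different state than it was found, which matters when the test runs on shared or monitored hosts. The `net.exe start #{service_name}` cleanup in the next hunk has the same property. At minimum I would extend the test description with a sentence such as `Assumes #{service_name} is running before the test; cleanup restarts it.` If index.yaml is generated from the per-technique YAML, the wording belongs in that source file.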
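Review bot: With the default changed to `spoolsv.exe` in the last index.yaml hunk, the unchanged `elevation_required: false` two lines below it looks inconsistent. The Print Spooler process normally runs as SYSTEM, so ending it from a non-elevated prompt will presumably be refused; `elevation_required: true` would match the sc.exe and net.exe tests above. This test also receives no `cleanup_command` in this commit, unlike those two tests, so a successful run may leave the service down until it is restarted by hand. The executor block continues past the end of the hunk, so the command itself is not visible here; if a cleanup cannot be derived from `process_name`, say so in the description.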