The Scripting Wife Uses PowerShell to Find Service Accounts
Summary: The Scripting Wife interrupts Brahms to learn how to use Windows PowerShell to find service accounts and service start modes.
Microsoft Scripting Guy, Ed Wilson, is here. One of life’s real pleasures is sitting around a fireplace, listening to a Brahms concerto, and sipping a cup of chamomile tea. I like to add a bit of local honey and drop in a cinnamon stick. So here I am…mellow and as relaxed as a cat lying in a bay window on a warm summer afternoon. The Charlotte SQL User Group meeting tonight will be awesome. We have not seen Chris Skorlinski (the speaker) since the Raleigh SQL Saturday, so we are excited to go. The Scripting Wife and I will have a great time, and it is a nice chance to see some friends we have not seen for a while.
Anyway, now it is time for a warm fire, a little Brahms, and a cup of warm (but not boiling) tea. About to nod off, I was suddenly startled back into reality as the overhead light suddenly switched on.
“How can you see in here in the dark,” the Scripting Wife exclaimed.
“There was nothing to see—I was listening to Brahms,” I began.
“You need to turn that racket down. The neighbor’s dog is beginning to howl. I think he prefers Trace Adkins to that classical stuff anyway,” she continued, “As long as you are awake, I have a problem with a Windows PowerShell command.”
“I see. I think it is you who likes Trace Adkins.”
“Yep, but don’t sidetrack me with talk about Trace Adkins. I need to be prepared for the 2012 Scripting Games so I do not embarrass you or me. Now back to what I came to ask you. I am trying to figure out what account a service uses to start, and I don’t see it.”
“And nothing. I type Get-Service, and I do not see anything about service user accounts.”
“Show me your command,” I wearily asked.
“It is right here. Nothing hard…see?”
She plopped down beside me on the sofa and showed me her laptop. She had typed the single command shown here.
Get-Service
The command and the output from the command are shown in the image that follows.
“You know that there is more information don’t you?” I asked.
“Well, duh,” she said. “OK, I will clear the screen and send the output to the Format-List cmdlet.”
Here is what the Scripting Wife did to clear the screen and to obtain all the information available from the Get-Service cmdlet.
- She cleared the screen by using the Clear-Host command. Instead of typing Clear-Host, she used its cls alias.
- Next, she pressed the Up arrow one time to retrieve the previous Get-Service command.
- She then typed a space by tapping the Space bar one time, and then she typed a pipe character (the pipe character | is located above the Enter key on my keyboard).
- She then typed a space and Format-List * after the pipe character.
The complete command is shown here.
Get-Service | Format-List *
The command and the associated output from the command are shown in the image that follows.
“OK. I am looking at this output, and I still do not see anything about the service account that a service uses to start up,” she complained.
“Well, I did not say it was there, did I? I just asked you if you had looked at all of the information that the Get-Service cmdlet provides,” I stated. “To find the service account start-up information, you need to use WMI. Remember yesterday when we talked about Using PowerShell to Get Hardware Information? You can use the same technique today as you used yesterday.”
The Scripting Wife thought for a few seconds, and then she typed the following command.
Get-WmiObject -List *service*
“Wow, that is a lot of information,” she exclaimed. She turned the laptop monitor so I could look at the display. Indeed, as is shown here, it is a lot of information.
“Use the same technique that you used yesterday to find the WMI class you need to work with services,” I prompted.
Within a few minutes, the Scripting Wife was pointing at Win32_Service.
“Now use the Get-WmiObject cmdlet to query that WMI class,” I said.
It did not take her long to modify her command line to query the Win32_Service WMI class. Here is the command she composed.
Get-WmiObject Win32_Service
The command and the associated results are shown in the image that follows.
“OK, so where are the service accounts?” she asked.
“Remember, you need to use the same technique that you used with the Get-Service cmdlet to retrieve all the information,” I said.
She thought for a bit, then pressed the Up arrow to retrieve the previous command. Then she added a pipe character and the Format-List cmdlet. The revised command is shown here.
Get-WmiObject win32_service | format-list *
The command and its associated output are shown in the image that follows.
“So where is the service account name?” she asked.
“Look closely at the output. See where it says StartName? That is the service account. See where it says StartMode? That is the way the service starts,” I said. “Why don’t you create a table with just the Name, StartName, and StartMode.”
This time the Scripting Wife did not hesitate. She first cleared the screen, then used the Up arrow to retrieve the previous command. She then edited it by changing the Format-List * portion to a Format-Table command that lists only the three properties. The command that she arrived at is shown here with its associated output.
Get-WmiObject Win32_Service | Format-Table Name, StartName, StartMode
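The table above answers the question that was asked. The follow-up question a security reviewer asks is which of those StartName values are real user or domain accounts, because for those the Service Control Manager has to keep the password on the machine (in the LSA secrets) to log the service on, and a domain account used this way is also a standing credential on every box that runs the service. The script below is an added example, not code from the original post: it reads the same Win32_Service class, but through Get-CimInstance, the current replacement for Get-WmiObject (which PowerShell 7 no longer ships); StartName and StartMode mean exactly what they do above. The function name Get-ServiceAccountReport, the Kind labels, and the optional ComputerName parameter are this example’s own choices. Querying a remote computer with Get-CimInstance goes over WinRM and needs administrative rights on the target; run it with no parameter to inspect the local machine.

```powershell
# Added example; not from the original post. Get-ServiceAccountReport and the
# Kind labels are this example's own names (assumptions, not a Windows API).
function Get-ServiceAccountReport {
    [CmdletBinding()]
    param(
        # Optional remote host. Remote CIM queries use WinRM and need admin
        # rights on the target; leave it out to query this machine.
        [string]$ComputerName
    )

    $query = @{ ClassName = 'Win32_Service' }
    if ($ComputerName) { $query['ComputerName'] = $ComputerName }

    foreach ($svc in Get-CimInstance @query) {
        $account = [string]$svc.StartName

        # Classify the logon account. Built-in and virtual accounts and
        # managed service accounts have no password stored by the SCM; a
        # custom account does, which is why that group gets reviewed first.
        $kind = switch -Regex ($account) {
            '^$'                                                          { 'Unknown';                 break }
            '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService))$' { 'Built-in';                break }
            '^NT SERVICE\\'                                               { 'Virtual account';         break }
            '\$$'                                                         { 'Managed service account'; break }
            default                                                       { 'Custom account' }
        }

        [pscustomobject]@{
            Name      = $svc.Name
            StartName = $account
            StartMode = $svc.StartMode   # Auto, Manual or Disabled
            State     = $svc.State
            Kind      = $kind
        }
    }
}

# The same table the post ends with, for every service.
Get-ServiceAccountReport | Format-Table Name, StartName, StartMode -AutoSize

# The review list: auto-start services that run as an account whose password
# is stored on this machine, grouped by account so shared credentials stand out.
Get-ServiceAccountReport |
    Where-Object { $_.Kind -eq 'Custom account' -and $_.StartMode -eq 'Auto' } |
    Sort-Object StartName, Name |
    Format-Table StartName, Name, State -AutoSize
```

Two details worth knowing when reading the output: StartName is compared case-insensitively because Windows writes the built-in names with inconsistent capitalization from one service to the next, and a managed service account is recognized only by the trailing dollar sign in its name, so a custom account that happens to end in $ will be misfiled and needs a manual check. The same StartName value can also be confirmed outside PowerShell with sc.exe qc <name>, where it appears as SERVICE_START_NAME.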
“That’s cool,” she said.
And with that, she was gone. Just in time for the Andante movement in D-major. Brahms may not have had Windows PowerShell in mind when he wrote, but somehow it seems to fit.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at firstname.lastname@example.org, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy