Why Are All These Services Starting?
Summary: Microsoft Scripting Guy, Ed Wilson, talks about using WMI to find out how services start.
Hey, Scripting Guy! I was looking at the processes on my workstation, and I see lots of things running. I suspect many of these are actually services. But I am wondering how I can use Windows PowerShell to find services that start automatically. For example, the great cmdlet Get-Service does not display this information. Any thoughts?
Microsoft Scripting Guy, Ed Wilson, is here. Yes, I have some thoughts. My main thought is that tomorrow begins the weekend in Charlotte, North Carolina. I am wondering, “What I will do?” I know I will spend some time working on my book, and maybe spend some time in the gym. I am also thinking that I also want to re-read the Dupin stories by Poe. As you may know, Poe is widely credited with writing the first detective mysteries. So it is always a great idea to go back to the beginnings…
WMI to the rescue
Speaking of going back to the beginnings…
You are absolutely right. The Get-Service cmdlet, although easy to use and providing a great deal of information, does not display a service start mode. Here is a quick peak at that:
To obtain service start mode information, we need to go old school and use the Win32_Serivce WMI class. This class has been around for a long time and it continues to work wonderfully well. It is well documented on MSDN: Win32_Service class. By using the Get-CimInstance cmdlet, all I need to do is query it. Here is the command:
The command and its associated output are shown here:
Because the Get-CimInstance cmdlet displays the StartMode by default in the output, technically I am done with your request. However, you probably want to sort these. That is easy to do. I pipe the output to Sort-Object and specify StartMode. Here is the command:
Get-CimInstance Win32_Service |
The following output shows that, by default, it starts with Auto (but I could change that by specifying Descending:
I may decide that I simply want numbers. I can get this type of overview by piping to Group-Object. Here is the command:
Get-CimInstance Win32_Service |
Sort-Object StartMode |
Group-Object StartMode -NoElement
The output is really nice. It is shown here:
By the way…if you decide to begin monkeying around with service start modes, you have a couple of things you can do. One, you can write a script and use the ChangeStartMode method. If you do this, at least you will have documentation for what you did, and you can run another script to change things back if it doesn’t work out. The ChangeStartMode method is also documented on MSDN: ChangeStartMode method of the Win32_Service class.
Another good thing to do is to use the CheckPoint-Computer cmdlet before you begin messing around with services. This way, if you need to restore, you can use the Restore-Computer cmdlet to fall back. If you do these things immediately before and after changes, there is a good chance that no major lasting issues will arise.
TL, that is all there is to using WMI to find out how services start. WMI Week will continue tomorrow when I will talk about more way cool stuff.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at email@example.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy