The Scripting Wife Uses PowerShell to Find Service Accounts


Summary: The Scripting Wife interrupts Brahms to learn how to use Windows PowerShell to find service accounts and service start modes.

Microsoft Scripting Guy, Ed Wilson, is here. One of life’s real pleasures is sitting around a fireplace, listening to a Brahms concerto, and sipping a cup of chamomile tea. I like to add a bit of local honey, and drop in a cinnamon stick. So here I am…mellow and as relaxed as a cat lying in a bay window on a warm summer afternoon. The Charlotte SQL User Group meeting tonight will be awesome. We have not seen Chris Skorlinski (the speaker) since the Raleigh SQL Saturday, so we are excited to go. The Scripting Wife and I will have a great time, and it is a nice chance to see some friends we have not seen for a while.

Anyway, now it is time for a warm fire, a little Brahms, and a cup of warm (but not boiling) tea. About to nod off, I was suddenly startled back into reality as the overhead light suddenly switched on.

“How can you see in here in the dark?” the Scripting Wife exclaimed.

“There was nothing to see—I was listening to Brahms,” I began.

“You need to turn that racket down. The neighbor’s dog is beginning to howl. I think he prefers Trace Adkins to that classical stuff anyway,” she continued. “As long as you are awake, I have a problem with a Windows PowerShell command.”

“I see. I think it is you who likes Trace Adkins.”

“Yep, but don’t sidetrack me with talk about Trace Adkins. I need to be prepared for the 2012 Scripting Games so I do not embarrass you or me. Now back to what I came to ask you. I am trying to figure out what account a service uses to start, and I don’t see it.”

“And…”

“And nothing. I type Get-Service, and I do not see anything about service user accounts.”

“Show me your command,” I wearily asked.

“It is right here. Nothing hard…see?”

She plopped down beside me on the sofa and showed me her laptop. She had typed the single command shown here.

Get-Service

The command and the output from the command are shown in the image that follows.

Image of command output

“You know that there is more information don’t you?” I asked.

“Well, duh,” she said. “OK, I will clear the screen and send the output to the Format-List cmdlet.”

Here is what the Scripting Wife did to clear the screen and to obtain all the information available from the Get-Service cmdlet.

  1. She cleared the screen by using the Clear-Host command. But instead of typing Clear-Host, she used the cls shortcut.
  2. Next, she pressed the Up arrow one time to retrieve the previous Get-Service command.
  3. She then typed a space <space> by tapping the Space bar one time, and then she typed a pipe character (the pipe character | is located above the Enter key on my keyboard).
  4. She then typed a space and Format-List * after the pipe character.

The complete command is shown here.

Get-Service | Format-List *

The command and the associated output from the command are shown in the image that follows.

Image of command output

“OK. I am looking at this output, and I still do not see anything about the service account that a service uses to start up,” she complained.

“Well, I did not say it was there, did I? I just asked you if you had looked at all of the information that the Get-Service cmdlet provides,” I stated. “To find the service account start-up information, you need to use WMI. Remember yesterday when we talked about Using PowerShell to Get Hardware Information? You can use the same technique today as you used yesterday.”

The Scripting Wife thought for a few seconds, and then she typed the following command.

Get-WmiObject -List *service*

“Wow, that is a lot of information,” she exclaimed. She turned the laptop monitor so I could look at the display. Indeed, as is shown here, it is a lot of information.

Image of command output

“Use the same technique that you used yesterday to find the WMI class you need to work with services,” I prompted.

Within a few minutes, the Scripting Wife was pointing at Win32_Service.

“Now use the Get-WmiObject cmdlet to query that WMI class,” I said.

It did not take her long to modify her command line to query the Win32_Service WMI class. Here is the command she composed.

Get-WmiObject Win32_Service

The command and the associated results are shown in the image that follows.

Image of command output

“OK, so where are the service accounts?” she asked.

“Remember, you need to use the same technique that you used with the Get-Service cmdlet to retrieve all the information,” I said.

She thought for a bit, then pressed the Up arrow to retrieve the previous command. Then she added a pipeline character and the Format-List cmdlet. The revised command is shown here.

Get-WmiObject win32_service | format-list *

The command and its associated output are shown in the image that follows.

Image of command output

“So where is the service account name?” she asked.

“Look closely at the output. See where it says StartName? That is the service account. See where it says StartMode? That is the way the service starts,” I said. “Why don’t you create a table with just the Name, StartName, and StartMode?”

This time the Scripting Wife did not hesitate. She first cleared the screen, then used the Up arrow to retrieve the previous command. She then edited it by changing it to a Format-Table command. The command that she arrived at is shown here with its associated output.

Image of command output

“That’s cool,” she said.

And with that, she was gone. Just in time for the Andante movement in D-major. Brahms may not have had Windows PowerShell in mind when he wrote, but somehow it seems to fit.
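The StartName and StartMode properties are also the starting point for a service account inventory. The following is an added example, not part of the original post: it keeps only services that log on with something other than a built-in identity and writes them to a CSV file. The function name Get-CustomServiceAccount, the sample rows, and the output file name are assumptions made for illustration.

```powershell
# Constructed sample rows shaped like Win32_Service objects (not real data).
# On a live system, replace $sample with:  Get-WmiObject Win32_Service
# (add -ComputerName server1, server2 to query remote machines).
$sample = @(
    [pscustomobject]@{ SystemName = 'SRV01'; Name = 'Spooler';     StartName = 'LocalSystem';                 StartMode = 'Auto';     State = 'Running' }
    [pscustomobject]@{ SystemName = 'SRV01'; Name = 'Dnscache';    StartName = 'NT AUTHORITY\NetworkService'; StartMode = 'Auto';     State = 'Running' }
    [pscustomobject]@{ SystemName = 'SRV01'; Name = 'MSSQLSERVER'; StartName = 'CONTOSO\svc-sql';             StartMode = 'Auto';     State = 'Running' }
    [pscustomobject]@{ SystemName = 'SRV01'; Name = 'BackupAgent'; StartName = '.\backupsvc';                 StartMode = 'Manual';   State = 'Stopped' }
    [pscustomobject]@{ SystemName = 'SRV01'; Name = 'LegacyApp';   StartName = $null;                         StartMode = 'Disabled'; State = 'Stopped' }
)

function Get-CustomServiceAccount {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Service
    )
    begin {
        # Built-in identities to skip. -like is case-insensitive, and the
        # backslash is a literal character in PowerShell wildcard patterns.
        $builtIn = 'LocalSystem', 'NT AUTHORITY\*', 'NT SERVICE\*'
    }
    process {
        $account = $Service.StartName
        # Some services report no logon account at all; skip them.
        if ([string]::IsNullOrWhiteSpace($account)) { return }
        foreach ($pattern in $builtIn) {
            if ($account -like $pattern) { return }
        }
        # State holds Running/Stopped; the Status property only reports "OK".
        $Service | Select-Object SystemName, Name, StartName, StartMode, State
    }
}

$custom = $sample | Get-CustomServiceAccount

# Format-Table is for the screen only.
$custom | Format-Table -AutoSize

# Export the selected objects themselves. Piping Format-Table output into
# Export-Csv writes formatting objects instead of the service data.
$custom | Export-Csv -Path .\service-accounts.csv -NoTypeInformation
```

Each domain or local user account that turns up in the result is a credential stored on that machine, so the list is worth reviewing for accounts that are no longer needed or that hold more privilege than the service requires.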

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

  • Hi Teresa,

    that's cool :-)

    It looks like you were exercising for the next scripting games 2012sg!

    This will surely be some stuff, we may prepare for!

    I should reread some of the "old" scripts ...

    Klaus (Schulte)

  • I like so much the "pipe" option now in PowerShell ..

  • once you discover the properties you want from the "list" then you can specify the output...

    Get-WmiObject win32_service | Format-List DisplayName,StartName

  • Well, that does EXACTLY what I've spent the last hour and some-odd looking for... a way to enumerate those service accounts so I can then 'grep' for a particular username. Sweet!

  • The command works great. How would I then export the data to a CSV so I can weed out information that I don't need. I'm looking for custom service accounts, not just the built in ones and when I add the | Export-csv c:\temp\test.csv the information comes back with hexadecimal information and not what's output on the screen.

  • Start small and build tall.

    gwmi win32_service |select name, startname|export-csv file.csv -notype

  • Awesome. Thanks for taking the time to teach us.

  • Thank you so much!  I had no idea how I was going to figure out how to find what service accounts were being used. Not only did you show me how, I learned a bit about scripting too.

  • when I run this script:

    get-wmiobject -query "select name, startname from win32_service where name = 'mssqlserver'" -computername server1, server2 | format-table

    I get too many columns, but when I remove the "Query" I get only the columns I request.

    Any idea how I would do that?

    I just want to go around all our servers and list the service account name for our sql services.

  • wow, that is awesome. How would I use the same procedure to find a service account info for SQL service on remote computers?

  • Thanks for this, very helpful... is there any way to show the status of the service e.g. running, stopped,

    notice that the: "Get-WmiObject Win32_Service | Format-Table name, startname, startmode, status" just shows "ok"