I need a script to discover if any services use a local admin account.

    Question

  • I need a script to discover if any services use a particular username.  I would like help with a script to scan systems read from a text list, for services running as the local administrator account.
    Wednesday, March 17, 2010 2:31 PM

Answers

  • I modified the script some, but the main part is I left off the -computerName in the WMI query.

    ######################################################
    # Script Name: get-serviceuser.ps1
    # Written By: Matt Johnson - matt@michiganpowershell.com
    # Revision Date: 3/17/2010
    # Version: 2.0
    # Version History:
    #  - 1.0: Initial Script
    #  - 2.0: Enables use of | Out-File
    # Description: This script gets a list of services that
    #                are running as a particular user from
    #                a text file.
    # Command Line: ./get-serviceuser
    # Example: ./get-serviceuser -userAccount 'LocalSystem'
    #                 -filePath "c:\fso\data\servers.txt"
    ######################################################
    param (
        [string]$userAccount = "LocalSystem",
        [string]$filePath = "c:\fso\data\servers.txt"
    )

    # Get content of text file.
    $servers = Get-Content -path $filePath

    # Loop through each line of the text file.
    foreach ($server in $servers)
    {
        " "
        "Services running as $userAccount on $server"
        "-------------------------------------------"
        # Get Win32_Service WMI Class
        $services = Get-WmiObject -class Win32_Service -ErrorAction SilentlyContinue `
              -computerName $server
        # Check to see if anything is returned.
        if (-not $services)
        {
            # Write error message
            "Cannot connect to $server"
        } else
        {
            # Loop through each service and display the name.
            foreach ($service in $services)
            {
                $service | where {$_.StartName -like $userAccount} | Select DisplayName
            }
        }
    }
    Matt Johnson, GSEC, MCSE SE Michigan PowerShell Script Club http://www.michiganpowershell.com/
    Wednesday, March 17, 2010 4:32 PM
    Moderator

All replies

  • What language are you looking for?

    Matt Johnson
    Wednesday, March 17, 2010 3:00 PM
    Moderator
  • I don't have a preference.
    Wednesday, March 17, 2010 3:09 PM
  • The script below is written in PowerShell and displays output to the screen. If you want it to save to a file, let me know and I will modify the script.

    ######################################################
    # Script Name: get-serviceuser.ps1
    # Written By: Matt Johnson - SE Michigan PowerShell Script Club
    # Revision Date: 3/17/2010
    # Version: 1.0
    # Version History:
    #  - 1.0: Initial Script
    # Description: This script gets a list of services that are running
    #                    as a particular user from a text file.
    # Command Line: ./get-serviceuser
    # Example: ./get-serviceuser -userAccount "LocalSystem" -filePath "c:\fso\data\servers.txt"
    ######################################################
    param (
        [string]$userAccount = "LocalSystem",
        [string]$filePath = "c:\fso\data\servers.txt"
    )

    # Get content of text file.
    $servers = Get-Content -path $filePath

    # Loop through each line of the text file.
    foreach ($server in $servers)
    {
        Write-Host "Services running as $userAccount on $server"
        Write-Host "-------------------------------------------"
        # Get Win32_Service WMI Class
        $services = Get-WmiObject -class Win32_Service -ErrorAction `
            SilentlyContinue | where {$_.StartName -eq $userAccount}
        # Check to see if anything is returned.
        if (-not $services)
        {
            # Write error message
            Write-Host -object "Cannot connect to $server" `
                -foregroundcolor Red
        } else
        {
            # Loop through each service and display the name.
            foreach ($service in $services)
            {
                Write-Host $service.DisplayName
            }
            Write-Host
        }
    }

    # Remove variables
    Remove-Variable -name userAccount
    Remove-Variable -name filePath
    Remove-Variable -name servers
    Remove-Variable -name server
    Remove-Variable -name services
    Remove-Variable -name service

    Matt Johnson, GSEC, MCSE Michigan PowerShell Script Club http://www.michiganpowershell.com/
    Wednesday, March 17, 2010 3:16 PM
    Moderator
  • This is great!  However I do think it would be helpful to have the information dumped to a file.
    Wednesday, March 17, 2010 3:24 PM
  • I will work on that for you and post it in a little while.

    Matt Johnson, GSEC, MCSE Michigan PowerShell Script Club http://www.michiganpowershell.com/
    Wednesday, March 17, 2010 3:25 PM
    Moderator
  • Use the following script now. If you want to display to screen just run it like before. If you want to output to a file pipe the script to Out-File.

    ######################################################
    # Script Name: get-serviceuser.ps1
    # Written By: Matt Johnson - matt@michiganpowershell.com
    # Revision Date: 3/17/2010
    # Version: 2.0
    # Version History:
    #  - 1.0: Initial Script
    #  - 2.0: Enables use of | Out-File
    # Description: This script gets a list of services that
    #                are running as a particular user from
    #                a text file.
    # Command Line: ./get-serviceuser
    # Example: ./get-serviceuser -userAccount "LocalSystem"
    #                 -filePath "c:\fso\data\servers.txt"
    ######################################################
    param (
        [string]$userAccount = "LocalSystem",
        [string]$filePath = "c:\fso\data\servers.txt"
    )

    # Get content of text file.
    $servers = Get-Content -path $filePath

    # Loop through each line of the text file.
    foreach ($server in $servers)
    {
        "Services running as $userAccount on $server"
        "-------------------------------------------"
        # Get Win32_Service WMI Class
        $services = Get-WmiObject -class Win32_Service -ErrorAction `
            SilentlyContinue | where {$_.StartName -eq $userAccount}
        # Check to see if anything is returned.
        if (-not $services)
        {
            # Write error message
            "Cannot connect to $server"
        } else
        {
            # Loop through each service and display the name.
            foreach ($service in $services)
            {
                $service.DisplayName
            }
        }
    }
    Matt Johnson, GSEC, MCSE SE Michigan PowerShell Script Club http://www.michiganpowershell.com/
    Wednesday, March 17, 2010 3:35 PM
    Moderator
  • While testing the script, it appears not to work.

    I ran the script against a server where I know for sure there is a service running with .\administrator. The script returned a false negative.
    Wednesday, March 17, 2010 3:44 PM
  • Use the following:
    Get-WmiObject -Computer <server> -Class Win32_Service | Select Name, StartName

    Here you can see which value the script from MWJConsulting requires as the username. Don't forget to replace <server> with your server name ;)

    Martin
    Wednesday, March 17, 2010 3:49 PM
  • Try replacing the following line with the one below it.

    $services = Get-WmiObject -class Win32_Service -ErrorAction `
            SilentlyContinue | where {$_.StartName -eq $userAccount}



    $services = Get-WmiObject -class Win32_Service -ErrorAction `
            SilentlyContinue | where {$_.StartName -like $userAccount}

    Matt Johnson, GSEC, MCSE SE Michigan PowerShell Script Club http://www.michiganpowershell.com/
    Wednesday, March 17, 2010 3:53 PM
    Moderator
  • Could it be failing because the systems in question are 64-bit?  If so, how should the code look to support both x86 and 64-bit?

    Wednesday, March 17, 2010 4:00 PM
  • Can I see what the line is that you use when you run it at the prompt?

    Matt Johnson, GSEC, MCSE SE Michigan PowerShell Script Club http://www.michiganpowershell.com/
    Wednesday, March 17, 2010 4:03 PM
    Moderator
  • Nope... My guess is that you don't have the right username - %ComputerName%\Administrator etc., that's why you should first check which value you need to specify (see my post above).

    Martin
    Wednesday, March 17, 2010 4:04 PM
  • I am executing the script via PowerShell ISE.
    Wednesday, March 17, 2010 4:08 PM
  • I am also specifying the username as ".\administrator"
    Wednesday, March 17, 2010 4:09 PM
  • Try single quotes around .\administrator

    Matt Johnson, GSEC, MCSE SE Michigan PowerShell Script Club http://www.michiganpowershell.com/
    Wednesday, March 17, 2010 4:11 PM
    Moderator
  • Single quotes don't work either.
    Wednesday, March 17, 2010 4:15 PM
  • It might be the ISE. Run it at the Console.

    If I run the following it works on my network.

    ./get-serviceuser.ps1 -userAccount '.\Administrator'

    Matt Johnson, GSEC, MCSE SE Michigan PowerShell Script Club http://www.michiganpowershell.com/
    Wednesday, March 17, 2010 4:24 PM
    Moderator
  • I modified the script some, but the main part is I left off the -computerName in the WMI query.

    ######################################################
    # Script Name: get-serviceuser.ps1
    # Written By: Matt Johnson - matt@michiganpowershell.com
    # Revision Date: 3/17/2010
    # Version: 2.0
    # Version History:
    #  - 1.0: Initial Script
    #  - 2.0: Enables use of | Out-File
    # Description: This script gets a list of services that
    #                are running as a particular user from
    #                a text file.
    # Command Line: ./get-serviceuser
    # Example: ./get-serviceuser -userAccount 'LocalSystem'
    #                 -filePath "c:\fso\data\servers.txt"
    ######################################################
    param (
        [string]$userAccount = "LocalSystem",
        [string]$filePath = "c:\fso\data\servers.txt"
    )

    # Get content of text file.
    $servers = Get-Content -path $filePath

    # Loop through each line of the text file.
    foreach ($server in $servers)
    {
        " "
        "Services running as $userAccount on $server"
        "-------------------------------------------"
        # Get Win32_Service WMI Class
        $services = Get-WmiObject -class Win32_Service -ErrorAction SilentlyContinue `
              -computerName $server
        # Check to see if anything is returned.
        if (-not $services)
        {
            # Write error message
            "Cannot connect to $server"
        } else
        {
            # Loop through each service and display the name.
            foreach ($service in $services)
            {
                $service | where {$_.StartName -like $userAccount} | Select DisplayName
            }
        }
    }
    Matt Johnson, GSEC, MCSE SE Michigan PowerShell Script Club http://www.michiganpowershell.com/
    Wednesday, March 17, 2010 4:32 PM
    Moderator
  • I don't understand where the code is sending the results
    Wednesday, March 17, 2010 4:57 PM
  • If you run it without piping the script to Out-File it will display to screen.

    If you use the following command it will run it and save it as a text file.

    ./get-serviceuser | Out-File -filePath 'c:\services.txt'
    Matt Johnson, GSEC, MCSE SE Michigan PowerShell Script Club http://www.michiganpowershell.com/
    Wednesday, March 17, 2010 4:59 PM
    Moderator
  • Thank you for your help!!
    It seems to be working. Now I have to work through some access issues.
    Wednesday, March 17, 2010 5:18 PM
  • Can you mark it as correct so that it can be closed?

    Matt Johnson, GSEC, MCSE SE Michigan PowerShell Script Club http://www.michiganpowershell.com/
    Wednesday, March 17, 2010 5:31 PM
    Moderator
  • Matt,

    Thanks for the script above. I have no experience of PowerShell or scripting and I have used the script above to identify services running on servers as domain administrator. For me this is brilliant!!!!!!!!!!!!!!!!!!!!


    SK

    • Proposed as answer by seankil Tuesday, February 28, 2012 10:42 AM
    Tuesday, February 28, 2012 10:42 AM
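
An added example, not part of any post in this thread: a variant of the audit that passes -ComputerName, reports an unreachable host separately from a host with no matching services, and treats `.\name` and `<hostname>\name` as the same local account (the StartName format question raised in the replies). The function name, parameter names and output columns are hypothetical; it assumes Windows PowerShell 3.0 to 5.1, where both `[pscustomobject]` and `Get-WmiObject` are available.

```powershell
# Added example; Get-ServiceByAccount and its parameters are hypothetical names.
function Get-ServiceByAccount {
    param (
        [string]$AccountName = 'Administrator',            # account name without prefix
        [string]$FilePath    = 'c:\fso\data\servers.txt'   # one server name per line
    )
    foreach ($line in (Get-Content -Path $FilePath)) {
        $server = $line.Trim()
        if (-not $server) { continue }                     # skip blank lines
        try {
            # -ErrorAction Stop makes a failed connection catchable, so an
            # unreachable host is not reported as "no matching services".
            $services = Get-WmiObject -Class Win32_Service -ComputerName $server -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Server = $server; Status = 'Unreachable'; Service = $null
                               StartName = $null; Detail = $_.Exception.Message }
            continue
        }
        $hits = foreach ($svc in $services) {
            if (-not $svc.StartName) { continue }          # no logon account recorded
            # "PREFIX\name" -> prefix and name; "LocalSystem" has no prefix.
            $prefix, $name = $svc.StartName -split '\\', 2
            if ($null -eq $name) { $name = $prefix; $prefix = '' }
            # A local account is stored as ".\name" or "<hostname>\name".
            $isLocal = ($prefix -eq '.') -or ($prefix -eq ($server -split '\.')[0])
            if ($isLocal -and $name -eq $AccountName) { $svc }
        }
        if (-not $hits) {
            [pscustomobject]@{ Server = $server; Status = 'NoMatch'; Service = $null
                               StartName = $null; Detail = $null }
        }
        foreach ($svc in $hits) {
            [pscustomobject]@{ Server = $server; Status = 'Match'; Service = $svc.DisplayName
                               StartName = $svc.StartName; Detail = $svc.State }
        }
    }
}

# Objects go down the pipeline, so the result can be saved as CSV:
# Get-ServiceByAccount -AccountName 'Administrator' |
#     Export-Csv -Path 'c:\services.csv' -NoTypeInformation
```

The hostname comparison uses the first label of each entry in the server list, so a list of IP addresses only matches accounts stored with the `.\` prefix.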