none
Is Get-Service subject to permissions per Service? RRS feed

  • Question

  • All,

    I am running two commands using get service, accross the netwrok to the same host.  The only difference is that they query different services, wuauserv which reports fine, and CcmExec which reports as not existing.  I've tried this on a number of hosts and have seen the behaviour on a lot of them, but not all.  Can anyone explain why Get-Service would only work on a subset of Services on the same box using the same credentials? Othere services are falsly being reported as well.

    I have pasted examples of Get-Service lines and output below.

    PS C:\WINDOWS\system32> Get-Service -name wuauserv -computer TestServer

    Status Name DisplayName

    Running wuauserv Automatic Updates ___________________________________________________________________________________________________________

    PS C:\WINDOWS\system32> Get-Service -name CcmExec -computer TestServer

    Get-Service : Cannot find any service with service name 'CcmExec'. At line:1 char:12 + Get-Service <<<< -name CcmExec -computer TestServer + CategoryInfo : ObjectNotFound: (CcmExec:String) [Get-Service], ServiceCommandException + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand


    Brad
    Monday, October 17, 2011 12:58 PM

Answers

  •  

    Is Get-Service subject to permissions per Service?

    yes, it is.

     

    each service has its own ACL controlled by  ServiceControlManager(SCM)

    SMSAgent (CCMexec) is more secured than Windows Update

    Monday, October 17, 2011 9:38 PM
  •  Any idea how to enable the security tab on Services?
    see the link above, it is standalone utility.
    Any idea what Get-Service does differently?

    Get-Service calls SCM directly through RPC while GWMI calls SCM indirectly first calling wmi through RPC which calls SCM.

    See, when you call Gwmi there is at least one additional ACL check: remote WMI + access to SCM(ye, SCM also has its own ACL)+ access to Service. 

     

     

    • Marked as answer by BDS74 Tuesday, October 18, 2011 11:54 AM
    Tuesday, October 18, 2011 10:54 AM

All replies

  • All,

    I am running two commands using get service, accross the netwrok to the same host.  The only difference is that they query different services, wuauserv which reports fine, and CcmExec which reports as not existing.  I've tried this on a number of hosts and have seen the behaviour on a lot of them, but not all.  Can anyone explain why Get-Service would only work on a subset of Services on the same box using the same credentials? Othere services are falsly being reported as well.

    I have pasted examples of Get-Service lines and output below.

    PS C:\WINDOWS\system32> Get-Service -name wuauserv -computer TestServer

    Status Name DisplayName

    Running wuauserv Automatic Updates ___________________________________________________________________________________________________________

    PS C:\WINDOWS\system32> Get-Service -name CcmExec -computer TestServer

    Get-Service : Cannot find any service with service name 'CcmExec'. At line:1 char:12 + Get-Service <<<< -name CcmExec -computer TestServer + CategoryInfo : ObjectNotFound: (CcmExec:String) [Get-Service], ServiceCommandException + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand


    Brad

    Are you sure you are using the correct name?

     

    See what happens when you use wmi:

     

     gwmi win32_service -filter "name LIKe 'CcmExec'"
    

    Monday, October 17, 2011 3:32 PM
  • Yep, double and triple checked it.  It also works for a large section of around 500 servers in my list, only 200 or so are not working and I have manually checked at least 20 of them and can 100% verify the services are there and running.  I tried the command you gave me (thanks btw, will be helpful for other things too) and the strange thing is that GWMI results in Access Denied, but Get-Service (for the same service) doesn't.  This would be fine except this happens for the Windows Update service (wuauserv).  So now I have two questions: 

    1) Is there differences per service (such as ACLs) that would provide Get_Service with varying results

    2) Is there a difference in the permissions required to execute remote Get-Service and remote GWMI?

     

    I cut and paste some results below.

     

    PS X:\Siemens Documents\DMZDCM> gwmi win32_service -filter "name LIKe 'CcmExec'" -computername TestServer

    Get-WmiObject : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
    At line:1 char:5
    + gwmi <<<<  win32_service -filter "name LIKe 'CcmExec'" -computername TestServer
        + CategoryInfo          : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
        + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCo
       mmand
     

    ___________________________________________________________________________________________________________
    PS X:\Siemens Documents\DMZDCM> gwmi win32_service -filter "name LIKe 'wuauserv'" -computername TestServer

    Get-WmiObject : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
    At line:1 char:5
    + gwmi <<<<  win32_service -filter "name LIKe 'wuauserv'" -computername TestServer
        + CategoryInfo          : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
        + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCo
       mmand
     

    ___________________________________________________________________________________________________________
    PS X:\Siemens Documents\DMZDCM> Get-Service -name "wuauserv" -computername TestServer

    Status   Name               DisplayName                          
    ------   ----               -----------                          
    Running  wuauserv           Automatic Updates                    

     


    Brad
    Monday, October 17, 2011 4:03 PM
  • Hi,

    Probably you haven't permission on this machine to manage via WMI. WMI works on different protocols than get-service.

    For example for my local user:

    PS C:\Users\mg> gwmi win32_service -filter "name LIKe 'wuauserv'" -computername myServer
    Get-WmiObject : Access denied
    At line:1 char:5
    + gwmi <<<<  win32_service -filter "name LIKe 'wuauserv'" -computername myServer
        + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
        + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
    
    PS C:\Users\mg> Get-Service -Name "wuauserv" -ComputerName myServer
    
    Status   Name               DisplayName
    ------   ----               -----------
    Running  wuauserv           Windows Update
    
    


    but with domain admin rights:

    PS C:\Users\mg>  gwmi win32_service -filter "name LIKe 'wuauserv'" -computername myServer
    
    
    ExitCode  : 0
    Name      : wuauserv
    ProcessId : 1004
    StartMode : Auto
    State     : Running
    Status    : OK
    
    

    Monday, October 17, 2011 4:58 PM
  •  

    Is Get-Service subject to permissions per Service?

    yes, it is.

     

    each service has its own ACL controlled by  ServiceControlManager(SCM)

    SMSAgent (CCMexec) is more secured than Windows Update

    Monday, October 17, 2011 9:38 PM
  • here is a link to "Service Administrator"

    http://www.rsdn.ru/article/baseserv/svcadmin-2/svcadmin.zip

    Monday, October 17, 2011 9:48 PM
  • That explains it.  For some reason I don't have a security Tab.  I checked the registry for them and can see the security there which matches what your screen shots show.  Any idea how to enable the security tab on Services?
    Brad
    Tuesday, October 18, 2011 10:33 AM
  • That's IS interesting.  I guess the bets approach then is to use Get-Service as it is more likely to work.  Any idea what Get-Service does differently?
    Brad
    Tuesday, October 18, 2011 10:34 AM
  •  Any idea how to enable the security tab on Services?
    see the link above, it is standalone utility.
    Any idea what Get-Service does differently?

    Get-Service calls SCM directly through RPC while GWMI calls SCM indirectly first calling wmi through RPC which calls SCM.

    See, when you call Gwmi there is at least one additional ACL check: remote WMI + access to SCM(ye, SCM also has its own ACL)+ access to Service. 

     

     

    • Marked as answer by BDS74 Tuesday, October 18, 2011 11:54 AM
    Tuesday, October 18, 2011 10:54 AM
  • 1) That tool is really really useful. Seriously, thanks for sharing it.

    2) So Get-Service is a better way to get access to SCM; it seems it requires less permission and is probably quicker (I'm scanning 1000's of boxes after all).

    One Get-Service problem is that I don't know a way of determining if a service exists, but I don't have access, or if it doesn't exist at all. I understand why I can't query CcmExec now, as I don't have permissions to it, is there a way to trap "No Permissions" errors versus "Doesn't exist" errors using Get-Service?  Example output below, with fictional service name used in the 2nd example.

    PS C:\WINDOWS\system32> Get-Service -name CcmExec -computer TestServer
    Get-Service : Cannot find any service with service name 'CcmExec'.
    At line:1 char:12
    + Get-Service <<<<  -name CcmExec -computer TestServer
        + CategoryInfo          : ObjectNotFound: (CcmExec:String) [Get-Service], ServiceCommandException
        + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand

     

    PS C:\WINDOWS\system32> Get-Service -name NoSuchService -computer TestServer
    Get-Service : Cannot find any service with service name 'NoSuchService'.
    At line:1 char:12
    + Get-Service <<<<  -name NoSuchService -computer TestServer
        + CategoryInfo          : ObjectNotFound: (NoSuchService:String) [Get-Service], ServiceCommandException
        + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand



    Brad
    • Edited by BDS74 Tuesday, October 18, 2011 1:42 PM
    Tuesday, October 18, 2011 12:05 PM
  • this is Cmdlet limitation. try to use .net class directly.

     

    new-object System.ServiceProcess.ServiceController('CcmExec','RemoteComputer')
    


    output:

    PS C:\> new-object System.ServiceProcess.ServiceController('CcmExec','RemoteHost')
    
    Status   Name               DisplayName
    ------   ----               -----------
             CcmExec            SMS Agent Host
    
    
    PS C:\> new-object System.ServiceProcess.ServiceController('NoSuchSersvice','RemoteHost')
    
    Status   Name               DisplayName
    ------   ----               -----------
    
    
    
    PS C:\>

    see here for more examples

    http://thepowershellguy.com/blogs/posh/archive/2007/01/03/powershell-using-net-to-manage-remote-services.aspx

    Tuesday, October 18, 2011 1:24 PM