Forum Discussion

MarkKrautler's avatar
MarkKrautler
Copper Contributor
Oct 04, 2023

Powershell to export list of all services not running as SYSTEM account on all domain computers

I need to see if there are any services running as service accounts and wanted to query all our domain computers to get the service name, what state is it in (Running/Disabled/Stopped), the server it...
Service Bus
Windows Server
LeonPavesic's avatar
LeonPavesic
Silver Contributor
Oct 04, 2023

Hi MarkKrautler,

to export a list of all services not running as the SYSTEM account on all domain computers you can try to use this PowerShell Skript:

 

 

# Get a list of all computers in the domain (you may need to customize this query)
$Computers = Get-ADComputer -Filter * -SearchBase "OU=Citrix,OU=HCAA,DC=PACs,DC=local"

# Create a new CSV file
$CSVFile = "c:\temp\services_not_running_as_system.csv"
New-Item -ItemType File -Path $CSVFile

# Add the header row to the CSV file
Add-Content -Path $CSVFile -Value "SystemName,ServiceName,ServiceDisplayName,StartMode,StartName,State"

# Iterate through each computer and get a list of all services not running as the SYSTEM account
foreach ($Computer in $Computers) {
    Invoke-Command -ComputerName $Computer -ScriptBlock {
        Get-Service -Filter "StartName != 'LocalSystem' AND NOT StartName LIKE 'NT Authority%' "
    } | Select-Object SystemName, Name, DisplayName, StartMode, StartName, State | Export-Csv -Path $CSVFile -Append -NoTypeInformation
}

 

To use the script, simply save it as a PowerShell script file (.ps1) and run it. The script should create a CSV file called services_not_running_as_system.csv in the c:\temp directory.

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

MarkKrautler's avatar
MarkKrautler
Copper Contributor
Oct 04, 2023
When I run that script I get the following results saying the computer names are not valid & to use a -ConnectionUri parameter? I'm not sure what that means, TBH.

PS C:\Temp\MKrautler> # Get a list of all computers in the domain (you may need to customize this query)
$Computers = Get-ADComputer -Filter * -SearchBase "DC=PARCS,DC=local"

# Create a new CSV file
$CSVFile = "c:\Temp\PARCS-services_not_running_as_system.csv"
New-Item -ItemType File -Path $CSVFile

# Add the header row to the CSV file
Add-Content -Path $CSVFile -Value "SystemName,ServiceName,ServiceDisplayName,StartMode,StartName,State"

# Iterate through each computer and get a list of all services not running as the SYSTEM account
foreach ($Computer in $Computers) {
Invoke-Command -ComputerName $Computer -ScriptBlock {
Get-Service -Filter "StartName != 'LocalSystem' AND NOT StartName LIKE 'NT Authority%' "
} | Select-Object SystemName, Name, DisplayName, StartMode, StartName, State | Export-Csv -Path $CSVFile -Append -NoTypeInformation
}


Directory: C:\Temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/4/2023 3:50 PM 0 PARCS-services_not_running_as_system.csv
Invoke-Command : One or more computer names are not valid. If you are trying to pass a URI, use the -ConnectionUri parameter, or pass URI objects instead of strings.
At line:13 char:5
+ Invoke-Command -ComputerName $Computer -ScriptBlock {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (System.String[]:String[]) [Invoke-Command], ArgumentException
+ FullyQualifiedErrorId : PSSessionInvalidComputerName,Microsoft.PowerShell.Commands.InvokeCommandCommand

Invoke-Command : One or more computer names are not valid. If you are trying to pass a URI, use the -ConnectionUri parameter, or pass URI objects instead of strings.
At line:13 char:5
+ Invoke-Command -ComputerName $Computer -ScriptBlock {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (System.String[]:String[]) [Invoke-Command], ArgumentException
+ FullyQualifiedErrorId : PSSessionInvalidComputerName,Microsoft.PowerShell.Commands.InvokeCommandCommand

Invoke-Command : One or more computer names are not valid. If you are trying to pass a URI, use the -ConnectionUri parameter, or pass URI objects instead of strings.
At line:13 char:5
+ Invoke-Command -ComputerName $Computer -ScriptBlock {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (System.String[]:String[]) [Invoke-Command], ArgumentException
+ FullyQualifiedErrorId : PSSessionInvalidComputerName,Microsoft.PowerShell.Commands.InvokeCommandCommand

Invoke-Command : One or more computer names are not valid. If you are trying to pass a URI, use the -ConnectionUri parameter, or pass URI objects instead of strings.
At line:13 char:5
+ Invoke-Command -ComputerName $Computer -ScriptBlock {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (System.String[]:String[]) [Invoke-Command], ArgumentException
+ FullyQualifiedErrorId : PSSessionInvalidComputerName,Microsoft.PowerShell.Commands.InvokeCommandCommand

Invoke-Command : One or more computer names are not valid. If you are trying to pass a URI, use the -ConnectionUri parameter, or pass URI objects instead of strings.
At line:13 char:5
+ Invoke-Command -ComputerName $Computer -ScriptBlock {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (System.String[]:String[]) [Invoke-Command], ArgumentException
+ FullyQualifiedErrorId : PSSessionInvalidComputerName,Microsoft.PowerShell.Commands.InvokeCommandCommand
  • LainRobertson's avatar
    LainRobertson
    Silver Contributor
    Oct 05, 2023

    MarkKrautler 

     

    Change line 13 from:

     

     Invoke-Command -ComputerName $Computer -ScriptBlock {

     

    To:

     

     Invoke-Command -ComputerName ($Computer.Name) -ScriptBlock {

     

    Cheers,

    Lain

    • randriksen_'s avatar
      randriksen_
      Brass Contributor
      Oct 05, 2023

       

      MarkKrautler 

       

      'Get-Service' doesn't contain the service user, you need to use 'Get-CIMInstance -Class Win32_Service'

      https://www.commandline.ninja/use-powershell-to-find-windows-svcs-configured-to-run-as-another-user/

       

      Try this modified version of LeonPavesic's script 

       

       

      # Get a list of all computers in the domain (you may need to customize this query)
$Computers = Get-ADComputer -Filter * -SearchBase "OU=Citrix,OU=HCAA,DC=PACs,DC=local"

# Create a new CSV file
$CSVFile = "c:\temp\services_not_running_as_system.csv"
New-Item -ItemType File -Path $CSVFile

# Add the header row to the CSV file
Add-Content -Path $CSVFile -Value "SystemName,Name,DisplayName,StartMode,StartName,State"

# Iterate through each computer and get a list of all services not running as the SYSTEM account
foreach ($Computer in $Computers) {
    try {
        Invoke-Command -ComputerName ($Computer.name) -ScriptBlock {
            Get-CIMInstance -Class Win32_Service | where-object StartName -notlike 'LocalSystem' | where-object StartName -notlike 'NT Authority%' 
        } | Select-Object SystemName, Name, DisplayName, StartMode, StartName, State | Export-Csv -Path $CSVFile -Append -NoTypeInformation
    } catch {
        Write-Host "Error connecting to $($Computer.name)" -ForegroundColor Red
    }
}

       

       

      -Ole

Resources