Powershell to export list of all services not running as SYSTEM account on all domain computers

I need to see if there are any services running as service accounts and wanted to query all our domain computers to get the service name, what state is it in (Running/Disabled/Stopped), the server it...

Service Bus

Windows Server

MarkKrautler

Copper Contributor

Oct 04, 2023

When I run that script I get the following results saying the computer names are not valid & to use a -ConnectionUri parameter? I'm not sure what that means, TBH.

PS C:\Temp\MKrautler> # Get a list of all computers in the domain (you may need to customize this query)
$Computers = Get-ADComputer -Filter * -SearchBase "DC=PARCS,DC=local"

# Create a new CSV file
$CSVFile = "c:\Temp\PARCS-services_not_running_as_system.csv"
New-Item -ItemType File -Path $CSVFile

# Add the header row to the CSV file
Add-Content -Path $CSVFile -Value "SystemName,ServiceName,ServiceDisplayName,StartMode,StartName,State"

# Iterate through each computer and get a list of all services not running as the SYSTEM account
foreach ($Computer in $Computers) {
Invoke-Command -ComputerName $Computer -ScriptBlock {
Get-Service -Filter "StartName != 'LocalSystem' AND NOT StartName LIKE 'NT Authority%' "
} | Select-Object SystemName, Name, DisplayName, StartMode, StartName, State | Export-Csv -Path $CSVFile -Append -NoTypeInformation
}

Directory: C:\Temp

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/4/2023 3:50 PM 0 PARCS-services_not_running_as_system.csv
Invoke-Command : One or more computer names are not valid. If you are trying to pass a URI, use the -ConnectionUri parameter, or pass URI objects instead of strings.
At line:13 char:5
+ Invoke-Command -ComputerName $Computer -ScriptBlock {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (System.String[]:String[]) [Invoke-Command], ArgumentException
+ FullyQualifiedErrorId : PSSessionInvalidComputerName,Microsoft.PowerShell.Commands.InvokeCommandCommand

Invoke-Command : One or more computer names are not valid. If you are trying to pass a URI, use the -ConnectionUri parameter, or pass URI objects instead of strings.
At line:13 char:5
+ Invoke-Command -ComputerName $Computer -ScriptBlock {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (System.String[]:String[]) [Invoke-Command], ArgumentException
+ FullyQualifiedErrorId : PSSessionInvalidComputerName,Microsoft.PowerShell.Commands.InvokeCommandCommand

Invoke-Command : One or more computer names are not valid. If you are trying to pass a URI, use the -ConnectionUri parameter, or pass URI objects instead of strings.
At line:13 char:5
+ Invoke-Command -ComputerName $Computer -ScriptBlock {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (System.String[]:String[]) [Invoke-Command], ArgumentException
+ FullyQualifiedErrorId : PSSessionInvalidComputerName,Microsoft.PowerShell.Commands.InvokeCommandCommand

Invoke-Command : One or more computer names are not valid. If you are trying to pass a URI, use the -ConnectionUri parameter, or pass URI objects instead of strings.
At line:13 char:5
+ Invoke-Command -ComputerName $Computer -ScriptBlock {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (System.String[]:String[]) [Invoke-Command], ArgumentException
+ FullyQualifiedErrorId : PSSessionInvalidComputerName,Microsoft.PowerShell.Commands.InvokeCommandCommand

Invoke-Command : One or more computer names are not valid. If you are trying to pass a URI, use the -ConnectionUri parameter, or pass URI objects instead of strings.
At line:13 char:5
+ Invoke-Command -ComputerName $Computer -ScriptBlock {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (System.String[]:String[]) [Invoke-Command], ArgumentException
+ FullyQualifiedErrorId : PSSessionInvalidComputerName,Microsoft.PowerShell.Commands.InvokeCommandCommand

LainRobertson

Silver Contributor

Oct 05, 2023

MarkKrautler

Change line 13 from:

 Invoke-Command -ComputerName $Computer -ScriptBlock {

To:

 Invoke-Command -ComputerName ($Computer.Name) -ScriptBlock {

Cheers,

Lain

randriksen_

Brass Contributor

Oct 05, 2023

MarkKrautler

'Get-Service' doesn't contain the service user, you need to use 'Get-CIMInstance -Class Win32_Service'

https://www.commandline.ninja/use-powershell-to-find-windows-svcs-configured-to-run-as-another-user/

Try this modified version of LeonPavesic's script

# Get a list of all computers in the domain (you may need to customize this query)
$Computers = Get-ADComputer -Filter * -SearchBase "OU=Citrix,OU=HCAA,DC=PACs,DC=local"

# Create a new CSV file
$CSVFile = "c:\temp\services_not_running_as_system.csv"
New-Item -ItemType File -Path $CSVFile

# Add the header row to the CSV file
Add-Content -Path $CSVFile -Value "SystemName,Name,DisplayName,StartMode,StartName,State"

# Iterate through each computer and get a list of all services not running as the SYSTEM account
foreach ($Computer in $Computers) {
    try {
        Invoke-Command -ComputerName ($Computer.name) -ScriptBlock {
            Get-CIMInstance -Class Win32_Service | where-object StartName -notlike 'LocalSystem' | where-object StartName -notlike 'NT Authority%' 
        } | Select-Object SystemName, Name, DisplayName, StartMode, StartName, State | Export-Csv -Path $CSVFile -Append -NoTypeInformation
    } catch {
        Write-Host "Error connecting to $($Computer.name)" -ForegroundColor Red
    }
}

-Ole

Forum Discussion

Powershell to export list of all services not running as SYSTEM account on all domain computers

Resources