Forum Discussion
Service control manager cached credentials
Our AD joined, ESU licensed win7 pro devices have a 4-5 application services that log on using and AD account as opposed to the local system account.
Code snippet listed here changing-the-password-on-a-serviceampaposs-user-account
shows how to update the password in Service Control Manager(SCM) through C++. I'm using ADSI in Powershell to update password in AD. However, can Powershell be utilised to update password cached in SCM too?
- You can use set-service -credential with PowerShell 7 (https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2)
Example 8: Change credential of a service
This example changes the credentials that are used to manage a service.
$credential = Get-Credential
Set-Service -Name Schedule -Credential $credential
Get-Credential prompts for a username and password, and stores the credentials in the $credential variable. Set-Service uses the Name parameter to specify the Schedule service. The Credential parameter uses the $credential variable and updates the Schedule service.
You could use https://pscustomobject.github.io/powershell/howto/PowerShell-Create-Credential-Object/ to use it in a script (SecureString)- Animesh JoshiBrass ContributorThank you, Harm_Veenstra. We have Powershell 4.0. Its a legacy, locked-down kiosk type environment. Also, there's no option for getting users to input he new password so we'll be utilising SCCM task sequence to run a script and supply secure credentials.
I believe SC.exe and/or WMI should be able to update the password.- LainRobertsonSilver Contributor
Hi, Animesh.
As you've said, you can look to calling an external application such as sc.exe or leverage WMI.
If you're really keen on a native PowerShell approach, and in the specific context of an approach that will work with version 4.0, you'd be looking to make use of the platform invoke (commonly shortened to "p/invoke") method.
Here's a good example on stackoverflow for using the p/invoke approach specifically with Windows services.
Eventually, you'd be looking to leverage the ChangeServiceConfigW function to set the password. Most of the other parameters can simply be left as null, so it's not as bad as it looks.
c# - change windows service password - Stack Overflow
You'd be wise to wrap this in a static class definition but it's not strictly necessary.
Cheers,
Lain