Animesh Joshi
Brass Contributor
Apr 11, 2022

Service control manager cached credentials

Our AD-joined, ESU-licensed Win7 Pro devices have 4-5 application services that log on using an AD account as opposed to the local system account.
The code snippet listed here, "Changing the Password on a Service's User Account", shows how to update the password in the Service Control Manager (SCM) through C++. I'm using ADSI in PowerShell to update the password in AD. However, can PowerShell be utilised to update the password cached in SCM too?

  • You can use set-service -credential with PowerShell 7 (https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2)

    Example 8: Change credential of a service
    This example changes the credentials that are used to manage a service.

    $credential = Get-Credential
    Set-Service -Name Schedule -Credential $credential

    Get-Credential prompts for a username and password, and stores the credentials in the $credential variable. Set-Service uses the Name parameter to specify the Schedule service. The Credential parameter uses the $credential variable and updates the Schedule service.

    You could use https://pscustomobject.github.io/powershell/howto/PowerShell-Create-Credential-Object/ to use it in a script (SecureString)
    • Animesh Joshi
      Brass Contributor
      Thank you, Harm_Veenstra. We have PowerShell 4.0. It's a legacy, locked-down kiosk-type environment. Also, there's no option for getting users to input the new password, so we'll be utilising an SCCM task sequence to run a script and supply secure credentials.
      I believe SC.exe and/or WMI should be able to update the password.
      • LainRobertson
        Silver Contributor

        Animesh Joshi

        Hi, Animesh.

        As you've said, you can look to calling an external application such as sc.exe or leverage WMI.

        If you're really keen on a native PowerShell approach, and in the specific context of an approach that will work with version 4.0, you'd be looking to make use of the platform invoke (commonly shortened to "p/invoke") method.

        Here's a good example on stackoverflow for using the p/invoke approach specifically with Windows services.

        Eventually, you'd be looking to leverage the ChangeServiceConfigW function to set the password. Most of the other parameters can simply be left as null, so it's not as bad as it looks.

        c# - change windows service password - Stack Overflow

        You'd be wise to wrap this in a static class definition but it's not strictly necessary.

        Cheers,

        Lain
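
The p/invoke approach described in the reply above, as an added example that is not part of the thread or of the linked Stack Overflow answer: a static class, loadable from PowerShell 4.0 with Add-Type, that calls ChangeServiceConfigW with only the password set. The class name `ScmPassword`, the method `Set` and the service name `ExampleSvc` are assumptions; the password is taken as a SecureString so it is never placed on a command line.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class ScmPassword   // hypothetical class name (not from the thread)
{
    const uint SC_MANAGER_CONNECT = 0x0001, SERVICE_CHANGE_CONFIG = 0x0002;
    const uint SERVICE_NO_CHANGE = 0xFFFFFFFF;

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr OpenSCManagerW(string machine, string database, uint access);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr OpenServiceW(IntPtr scm, string name, uint access);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool ChangeServiceConfigW(IntPtr svc, uint type, uint start, uint error,
        string path, string group, IntPtr tagId, string deps, string account,
        IntPtr password, string displayName);
    [DllImport("advapi32.dll")]
    static extern bool CloseServiceHandle(IntPtr handle);

    public static void Set(string serviceName, System.Security.SecureString password)
    {
        IntPtr scm = IntPtr.Zero, svc = IntPtr.Zero, pw = IntPtr.Zero;
        try
        {
            scm = OpenSCManagerW(null, null, SC_MANAGER_CONNECT);   // local SCM
            if (scm == IntPtr.Zero) throw new Win32Exception();     // wraps GetLastError
            svc = OpenServiceW(scm, serviceName, SERVICE_CHANGE_CONFIG);
            if (svc == IntPtr.Zero) throw new Win32Exception();
            pw = Marshal.SecureStringToGlobalAllocUnicode(password);
            // Only lpPassword is supplied; NULL / SERVICE_NO_CHANGE leave all else as-is.
            if (!ChangeServiceConfigW(svc, SERVICE_NO_CHANGE, SERVICE_NO_CHANGE,
                    SERVICE_NO_CHANGE, null, null, IntPtr.Zero, null, null, pw, null))
                throw new Win32Exception();
        }
        finally
        {
            // Zero and free the plaintext copy, then release both SCM handles.
            if (pw != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(pw);
            if (svc != IntPtr.Zero) CloseServiceHandle(svc);
            if (scm != IntPtr.Zero) CloseServiceHandle(scm);
        }
    }
}
'@

# Constructed usage: 'ExampleSvc' is a placeholder; $securePassword is a SecureString.
# [ScmPassword]::Set('ExampleSvc', $securePassword)
```

Run it elevated. The SCM uses the stored password the next time the service starts, so a running service keeps its current logon session until it is restarted.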
