PowerShell to export list of all services not running as SYSTEM account on all domain computers


I need to see if there are any services running as service accounts and wanted to query all our domain computers to get the service name, what state it is in (Running/Disabled/Stopped), the server it is running on and what account is running the service. I am not sure of the best way to proceed, so I pieced together some PowerShell code from the web, but it's not working when I try to use the $Servers variable to search the OU (line 2) & store that info so the code can run on all the machines. I'm not great with PowerShell & don't know if it needs a FOR EACH or not? It DOES work when I comment line 2 out & uncomment the line that specifies individual computers (line 3), but there are 2000+ machines I need to query. How can I have the script search my entire domain & get the ServiceName, ServiceDisplayName, StartName, State & servername it is running on, then export that to a CSV? I've tried Googling, but unfortunately nothing I have tried works. Any help is greatly appreciated, thank you in advance!

 

 

 

# Get a list of all computers in the domain (you may need to customize this query)
$Servers = Get-ADComputer -Filter * -SearchBase "OU=Citrix,OU=HCAA,DC=PACs,DC=local"
# $Servers = ("cxap01", "msql01", "hwbr01")
$ServiceName =  @{ Name = 'ServiceName'; Expression = {$_.Name}}
$ServiceDisplayname = @{ Name = 'Service DisplayName';  Expression = {$_.Caption}}

Invoke-Command $Servers.servername -ScriptBlock {
        Get-CimInstance -Class Win32_Service -filter "StartName != 'LocalSystem' AND NOT StartName LIKE 'NT Authority%' " } | 
            Select-Object SystemName, $ServiceName, $ServiceDisplayname, StartMode, StartName, State | format-table -autosize

 

 

 

 

4 Replies

Hi @MarkKrautler,

To export a list of all services not running as the SYSTEM account on all domain computers, you can try this PowerShell script:

 

 

# Get a list of all computers in the domain (you may need to customize this query)
$Computers = Get-ADComputer -Filter * -SearchBase "OU=Citrix,OU=HCAA,DC=PACs,DC=local"

# Create a new CSV file
$CSVFile = "c:\temp\services_not_running_as_system.csv"
New-Item -ItemType File -Path $CSVFile

# Add the header row to the CSV file
Add-Content -Path $CSVFile -Value "SystemName,ServiceName,ServiceDisplayName,StartMode,StartName,State"

# Iterate through each computer and get a list of all services not running as the SYSTEM account
foreach ($Computer in $Computers) {
    Invoke-Command -ComputerName $Computer -ScriptBlock {
        Get-Service -Filter "StartName != 'LocalSystem' AND NOT StartName LIKE 'NT Authority%' "
    } | Select-Object SystemName, Name, DisplayName, StartMode, StartName, State | Export-Csv -Path $CSVFile -Append -NoTypeInformation
}

 

To use the script, simply save it as a PowerShell script file (.ps1) and run it. The script should create a CSV file called services_not_running_as_system.csv in the c:\temp directory.

Kindest regards,


Leon Pavesic

When I run that script I get the following results saying the computer names are not valid & to use a -ConnectionUri parameter? I'm not sure what that means, TBH.

PS C:\Temp\MKrautler> # Get a list of all computers in the domain (you may need to customize this query)
$Computers = Get-ADComputer -Filter * -SearchBase "DC=PARCS,DC=local"

# Create a new CSV file
$CSVFile = "c:\Temp\PARCS-services_not_running_as_system.csv"
New-Item -ItemType File -Path $CSVFile

# Add the header row to the CSV file
Add-Content -Path $CSVFile -Value "SystemName,ServiceName,ServiceDisplayName,StartMode,StartName,State"

# Iterate through each computer and get a list of all services not running as the SYSTEM account
foreach ($Computer in $Computers) {
Invoke-Command -ComputerName $Computer -ScriptBlock {
Get-Service -Filter "StartName != 'LocalSystem' AND NOT StartName LIKE 'NT Authority%' "
} | Select-Object SystemName, Name, DisplayName, StartMode, StartName, State | Export-Csv -Path $CSVFile -Append -NoTypeInformation
}


Directory: C:\Temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/4/2023 3:50 PM 0 PARCS-services_not_running_as_system.csv
Invoke-Command : One or more computer names are not valid. If you are trying to pass a URI, use the -ConnectionUri parameter, or pass URI objects instead of strings.
At line:13 char:5
+ Invoke-Command -ComputerName $Computer -ScriptBlock {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (System.String[]:String[]) [Invoke-Command], ArgumentException
+ FullyQualifiedErrorId : PSSessionInvalidComputerName,Microsoft.PowerShell.Commands.InvokeCommandCommand

@MarkKrautler 

 

Change line 13 from:

 

 Invoke-Command -ComputerName $Computer -ScriptBlock {

 

To:

 

 Invoke-Command -ComputerName ($Computer.Name) -ScriptBlock {

 

Cheers,

Lain

 

@MarkKrautler 

 

'Get-Service' doesn't contain the service user, you need to use 'Get-CIMInstance -Class Win32_Service'

Use PowerShell to find Windows services configured to run as another user (commandline.ninja)

 

Try this modified version of @LeonPavesic's script 

 

 

# Get a list of all computers in the domain (you may need to customize this query)
$Computers = Get-ADComputer -Filter * -SearchBase "OU=Citrix,OU=HCAA,DC=PACs,DC=local"

# Create a new CSV file
$CSVFile = "c:\temp\services_not_running_as_system.csv"
New-Item -ItemType File -Path $CSVFile

# Add the header row to the CSV file
Add-Content -Path $CSVFile -Value "SystemName,Name,DisplayName,StartMode,StartName,State"

# Iterate through each computer and get a list of all services not running as the SYSTEM account
foreach ($Computer in $Computers) {
    try {
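        # -ErrorAction Stop makes a failed connection a terminating error so the catch block runs
        Invoke-Command -ComputerName ($Computer.name) -ErrorAction Stop -ScriptBlock {
            # -notlike uses * as its wildcard (% is WQL syntax and would match nothing here)
            Get-CIMInstance -Class Win32_Service | where-object StartName -notlike 'LocalSystem' | where-object StartName -notlike 'NT Authority*' 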
        } | Select-Object SystemName, Name, DisplayName, StartMode, StartName, State | Export-Csv -Path $CSVFile -Append -NoTypeInformation
    } catch {
        Write-Host "Error connecting to $($Computer.name)" -ForegroundColor Red
    }
}

 

 

-Ole
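
An added example, not part of any reply in this thread: the same inventory done with a single fan-out `Invoke-Command` call instead of a per-machine loop, using the WQL filter from the original question so only services with non-built-in logon accounts are returned. The failure-log path and the `-ThrottleLimit` value are assumptions, and it presumes the ActiveDirectory module locally and WinRM enabled on the targets.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and WinRM on targets.
Import-Module ActiveDirectory

$SearchBase = 'OU=Citrix,OU=HCAA,DC=PACs,DC=local'        # sample OU from the thread
$CsvFile    = 'C:\temp\services_not_running_as_system.csv'
$FailedFile = 'C:\temp\services_unreachable.txt'          # assumed path for the failure log

# Invoke-Command -ComputerName expects strings, so pass the Name property,
# not the ADComputer objects themselves.
$Names = Get-ADComputer -Filter * -SearchBase $SearchBase |
    Select-Object -ExpandProperty Name

# The WQL filter runs on each target, so only matching services come back.
$Query = {
    Get-CimInstance -ClassName Win32_Service `
        -Filter "StartName != 'LocalSystem' AND NOT StartName LIKE 'NT Authority%'"
}

# One call fans out to all machines in parallel (ThrottleLimit 32 is an assumed value).
# Unreachable hosts are collected in $Failed instead of stopping the run.
$Results = @(Invoke-Command -ComputerName $Names -ScriptBlock $Query `
    -ThrottleLimit 32 -ErrorAction SilentlyContinue -ErrorVariable Failed)

$Results |
    Select-Object SystemName, Name, DisplayName, StartMode, StartName, State |
    Sort-Object SystemName, Name |
    Export-Csv -Path $CsvFile -NoTypeInformation

# Record which machines could not be queried so the gaps in the inventory are known.
$Failed |
    ForEach-Object { '{0}: {1}' -f $_.TargetObject, $_.Exception.Message } |
    Set-Content -Path $FailedFile

# Short summary for the console.
'{0} services on {1} machines; {2} errors' -f $Results.Count,
    @($Results.SystemName | Sort-Object -Unique).Count,
    @($Failed).Count
```

Machines listed in the failure log were not inventoried at all, so an empty result for a host only means "no matching services" when that host is absent from the log.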