Mr. Roboto

Secret Service

Here's a PowerShell tool that keeps close tabs on changes to important services.

Based on my last few columns, I appear to be on a management and monitoring roll, so why stop now?

I imagine you have one or two services running on some business-critical servers that require constant attention. They need protection and someone to watch them to make sure they remain safe and running. You need "secret service" protection. This month, I have a PowerShell-based tool that will keep an eye on any important service and let you know when it changes.

The ServiceMon.ps1 file is a Windows PowerShell script that should work on PowerShell version 1.0 or the latest PowerShell version 2.0 community technology preview. The script creates a graphical Windows form and uses PowerShell to drive the underlying logic. The form file is included in the .ZIP file with the script, which you can download from Redmondmag.com (FindIT code: Roboto0609). The script uses Windows Management Instrumentation (WMI) to connect to a remote machine, so you must run it with credentials that have administrator rights on the remote machine.

Getting Started
When you first launch the script, it will query the local machine for all of its services:

$services=Get-WmiObject win32_service -computername $txtComputername.Text -ea "SilentlyContinue"

The value for the computername parameter comes from a text box control on the form. I'm using the common ErrorAction parameter with a value of SilentlyContinue so that if the computer can't be reached or there are errors, the script will continue running. The script will populate a drop-down box control with the display names of all services:

$services | foreach { $comboServices.Items.add($_.Displayname) }

The list is sorted alphabetically to make it easier to find the service you wish to watch. Select a service from the list, and then click the Watch button. PowerShell will make a WMI query to retrieve the service object. This script has an array of service properties that I think are the most relevant, but of course you can modify that array:

$properties=@("Displayname","Name","State","StartMode","StartName")

The "State" property will indicate whether or not the service is running. "StartMode" will indicate if the service is set to start automatically, and "StartName" is the account the service is running under. The script will get the current values for these properties and display them in the form.

Monitoring Made Easy
Now for the fun part.

You'll see a counter control, which has a default value. This value is the number of seconds before the script checks the service again. The refresh interval ranges from 10 to 120 seconds in five-second increments. Upon refresh, the script compares a saved version of the service with the new version. If any property value is different, a message is written to the form in a red font, so you can't miss it. You can see at a glance what changed and when. The message will remain until you pick another service or start a new scan.
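The refresh comparison described above, as an added console example that is not taken from ServiceMon.ps1; the function names Get-ServiceSnapshot, Compare-ServiceSnapshot and Watch-Service are hypothetical, and New-Object -Property assumes PowerShell 2.0 or later. It also reports a failed query rather than treating empty values as changes, because SilentlyContinue hides WMI errors.

```powershell
# Added example, not the ServiceMon.ps1 source. Function names are hypothetical.
$properties=@("Displayname","Name","State","StartMode","StartName")

function Get-ServiceSnapshot {
    param([string]$Computername = $env:COMPUTERNAME, [string]$Name)
    # Returns $null if the machine can't be reached or the service isn't found
    Get-WmiObject win32_service -computername $Computername -ea "SilentlyContinue" |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -Property $properties
}

function Compare-ServiceSnapshot {
    param($Saved, $Current, [string[]]$Property)
    if (-not $Current) {
        # An unreachable machine is reported as such, not as five property changes
        "{0} service could not be queried" -f (Get-Date)
        return
    }
    foreach ($p in $Property) {
        if ($Saved.$p -ne $Current.$p) {
            "{0} {1} changed from '{2}' to '{3}'" -f (Get-Date), $p, $Saved.$p, $Current.$p
        }
    }
}

function Watch-Service {
    param([string]$Computername = $env:COMPUTERNAME, [string]$Name, [int]$Seconds = 10)
    $saved = Get-ServiceSnapshot -Computername $Computername -Name $Name
    if (-not $saved) { "Cannot query $Name on $Computername"; return }
    while ($true) {
        Start-Sleep -Seconds $Seconds
        $current = Get-ServiceSnapshot -Computername $Computername -Name $Name
        Compare-ServiceSnapshot -Saved $saved -Current $current -Property $properties
        # This example's choice: the newest good snapshot becomes the baseline
        if ($current) { $saved = $current }
    }
}

# Constructed snapshots so the comparison can be tried without a live service
$before = New-Object PSObject -Property @{ Displayname="Print Spooler"; Name="Spooler";
    State="Running"; StartMode="Auto"; StartName="LocalSystem" }
$after = New-Object PSObject -Property @{ Displayname="Print Spooler"; Name="Spooler";
    State="Stopped"; StartMode="Disabled"; StartName="LocalSystem" }
Compare-ServiceSnapshot -Saved $before -Current $after -Property $properties

# Live use (Ctrl+C to stop): Watch-Service -Name Spooler -Seconds 10
```

A change in StartName or StartMode on a service you did not touch deserves the same attention as a stopped service, since it alters the account the service runs under or whether it starts at all.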

Assuming you want to monitor a service on another computer, simply enter the computer name and click the Get Services button. This will populate the drop-down list with services for that machine. Set your refresh interval, pick a service and watch.

In its current version, the script doesn't support alternate credentials, even though PowerShell and the Get-WMIObject cmdlet that I'm using will. I'll leave it to you to make that change if required. This version also only watches a single service on a single server. However, you can run as many instances of the script as you'd like. Start a separate PowerShell session for each, navigate to the script directory and run the script. You might want to minimize the PowerShell window itself. It will remain blocked, meaning no other PowerShell command can run in that session until you close the form, which will terminate the script. Minimizing the PowerShell window has no effect on the form itself.

I hope that this secret service protection script will find a place in your administrative toolbox.

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at Petri.com, and a frequent speaker at technology conferences and user groups.
