Mr. Roboto

Service Control Freak

Services are invaluable, but be sure to keep them from taking over.

• By Don Jones
• 04/01/2006

Services are awesome: They run in the background, quietly doing stuff that makes Windows work better, like sharing files and folders. Unfortunately, services are not-so-awesome when it comes to maintenance: Services logged onto by means of a user account need their passwords changed on a periodic basis, and doing so can be a nightmarish, completely manual task. Disabling unwanted services, or changing a widespread service to use a different logon account, are less-commonly performed tasks, but they're still a nuisance, or worse. The result? Companies often don't even bother keeping their services updated, electing instead to take the security and maintenance risk on the chin or, even worse, just run every service as LocalSystem, effectively giving them near-Godlike powers on servers and workstations.

Getting a Handle
Stop the madness. First, there are commercial tools out there that can make service management completely automated. One such tool is Service Explorer from ScriptLogic, a graphical tool that lets you manage all the services in your enterprise with a few mouse clicks. It'll even help inventory services, so that you know (rather than guessing) which services are running on which machines. However, if there's no budget for a third-party commercial tool, this month's free tools can still be a big help. I'm giving you a set of command-line tools (written in VBScript), which are designed to help automate service management. Run any of them with a /? command-line argument to get syntax help; any of them can target a list of computers from a text file (perfect for updating a service that's running on a few servers, like SQL Server or Exchange Server), or can target computers from Active Directory (based on OU membership). Add the /ping argument to help speed up the tool's operation when one or more targeted computers might not be reachable (turned off, for example), and add /verbose to see detailed progress messages as the tool runs. Note that the tools perform their magic using that old administrator's friend, Windows Management Instrumentation (WMI); that means targeted computers will need to lower their shields (firewalls) for the tools to be able to connect and do their job.

Here's what you get:

• ChangeServiceLogonAcct, which changes the logon account that a service is using
• ChangeServiceLogonPassword, a must-have for any administrator
• ChangeServiceStartMode, which allows you to set a service to manual, disabled or automatic
• ListComputersUsingService, an invaluable tool that'll tell you which computers (in your domain, usually) are running a given service
• ListServicesUsingAccount, which tells you all of the services that are logging on using a given user account
• RemoveService (self-explanatory)
• StopDisableService, which stops and disables a service that you don't want running anymore

DownLoad Download this month's tool from www.ScriptingAnswers.com/roboto/col2.zip

How It Works
For example, if you want to see which computers in your Sales OU are running a service named MyService, you'd run something like ListComputersUsingService /container:Sales /recurse /output:c:\list.txt. That'll actually save the list to a text file named C:\List.txt, making a review of the script's findings easier. The /recurse argument (available in all the tools) processes sub-OUs as well.

For all their functionality, most of these tools come down to a single line of useful VBScript code. For example, here's an excerpt from the ChangeSer viceLogonPassword tool:

oService.change(,,,,,,,WScript.Arguments.Named("password"))

Having connected to the specified service by using WMI, the oService variable represents that service; the Change method is used to change its logon password. The remaining 400-odd lines of code in the tool is given over to reading AD, pinging and so forth; useful stuff, but it's neat to see how one line of VBScript can effect such a powerful change.