Service Control Freak
Services are invaluable, but be sure to keep them from taking over.
Services are awesome: They run in the background, quietly doing stuff that
makes Windows work better, like sharing files and folders. Unfortunately, services
are not-so-awesome when it comes to maintenance: Services that log on with
a user account need their passwords changed on a periodic basis, and doing
so can be a nightmarish, completely manual task. Disabling unwanted services,
or changing a widespread service to use a different logon account, are less commonly
performed tasks, but they're still a nuisance, or worse. The result? Companies
often don't even bother keeping their services updated, electing instead to
take the security and maintenance risk on the chin or, even worse, just run
every service as LocalSystem, effectively giving them near-Godlike powers on
servers and workstations.
Getting a Handle
Stop the madness. First, there are commercial tools out there that can make
service management completely automated. One such tool is Service Explorer from
ScriptLogic, a graphical
tool that lets you manage all the services in your enterprise with a few mouse
clicks. It'll even help inventory services, so that you know (rather than guessing)
which services are running on which machines. However, if there's no budget
for a third-party commercial tool, this month's free tools can still be a big
help. I'm giving you a set of command-line tools (written in VBScript), which
are designed to help automate service management. Run any of them with a /?
command-line argument to get syntax help; any of them can target a list
of computers from a text file (perfect for updating a service that's running
on a few servers, like SQL Server or Exchange Server), or can target computers
from Active Directory (based on OU membership). Add the /ping
argument to help speed up the tool's operation when one or more targeted computers
might not be reachable (turned off, for example), and add /verbose
to see detailed progress messages as the tool runs. Note that the tools perform
their magic using that old administrator's friend, Windows Management Instrumentation
(WMI); that means targeted computers will need to lower their shields (firewalls)
for the tools to be able to connect and do their job.
Here's what you get:
- ChangeServiceLogonAcct, which changes the logon account that a service is
- ChangeServiceLogonPassword, a must-have for any administrator
- ChangeServiceStartMode, which allows you to set a service to manual, disabled
- ListComputersUsingService, an invaluable tool that'll tell you which computers
(in your domain, usually) are running a given service
- ListServicesUsingAccount, which tells you all of the services that are
logging on using a given user account
- RemoveService (self-explanatory)
- StopDisableService, which stops and disables a service that you don't want
How It Works
For example, if you want to see which computers in your Sales OU are running
a service named MyService, you'd run something like ListComputersUsingService
/container:Sales /recurse /output:c:\list.txt. That'll actually save
the list to a text file named C:\List.txt, making a review of the script's findings
easier. The /recurse argument (available in all
the tools) processes sub-OUs as well.
For all their functionality, most of these tools come down to a single line of useful VBScript code. For example, here's an excerpt from the ChangeSer
Once the script has connected to the specified service by using WMI, the oService
variable represents that service; the Change method
is used to change its logon password. The remaining 400-odd lines of code in
the tool are given over to reading AD, pinging and so forth; useful stuff, but
it's neat to see how one line of VBScript can effect such a powerful change.
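The same WMI approach as an added example, not code from the column's tools: it goes a little beyond the one-line excerpt by finding every service that logs on as a given account on each listed computer and then setting the new password with Win32_Service.Change. The account name and the computers.txt file are constructed placeholders; run it with cscript.exe so the password can be read from the console.

```vbscript
' Added example (not the column's tool). Assumptions: computers.txt holds one
' computer name per line; the account name below is a constructed placeholder.
Option Explicit

Const ACCOUNT = "CONTOSO\svc-example"   ' constructed sample account
Const LIST_FILE = "computers.txt"       ' hypothetical input file

Dim oFSO, oFile, sComputer, sPassword
Set oFSO = CreateObject("Scripting.FileSystemObject")

' Read the new password at run time so it is never stored in the script.
WScript.StdOut.Write "New password for " & ACCOUNT & ": "
sPassword = WScript.StdIn.ReadLine

Set oFile = oFSO.OpenTextFile(LIST_FILE, 1)   ' 1 = ForReading
Do Until oFile.AtEndOfStream
    sComputer = Trim(oFile.ReadLine)
    If Len(sComputer) > 0 Then UpdateComputer sComputer, sPassword
Loop
oFile.Close

Sub UpdateComputer(sComputer, sPassword)
    Dim oWMI, colServices, oService, nResult, sQuery
    On Error Resume Next
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
                         sComputer & "\root\cimv2")
    If Err.Number <> 0 Then
        WScript.Echo sComputer & ": WMI connection failed (" & Err.Description & ")"
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0

    ' WQL needs backslashes doubled inside string literals.
    sQuery = "SELECT * FROM Win32_Service WHERE StartName = '" & _
             Replace(ACCOUNT, "\", "\\") & "'"
    Set colServices = oWMI.ExecQuery(sQuery)
    For Each oService In colServices
        ' StartPassword is the eighth parameter of Win32_Service.Change;
        ' the seven omitted ones leave the other settings untouched.
        nResult = oService.Change( , , , , , , , sPassword)
        If nResult = 0 Then
            WScript.Echo sComputer & ": " & oService.Name & " updated (restart to apply)"
        Else
            WScript.Echo sComputer & ": " & oService.Name & " failed, return code " & nResult
        End If
    Next
End Sub
```

A return code of 0 from Change means success; the service keeps running under its old credentials until it is next restarted.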
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.