Mr. Roboto

Secret Service

Here's a PowerShell tool that keeps close tabs on changes to important services.

Based on my last few columns, I appear to be on a management and monitoring roll, so why stop now?

I imagine you have one or two services running on some business-critical servers that require constant attention. They need protection and someone to watch them to make sure they remain safe and running. You need "secret service" protection. This month, I have a PowerShell-based tool that will keep an eye on any important service and let you know when it changes.

The ServiceMon.ps1 file is a Windows PowerShell script that should work on PowerShell version 1.0 or the latest PowerShell version 2.0 community technology preview. The script creates a graphical Windows form and uses PowerShell to drive the underlying logic. The form file is included in the .ZIP file with the script, which you can download from Redmondmag.com (FindIT code: Roboto0609). The script uses Windows Management Instrumentation (WMI) to connect to a remote machine, so you must run it with credentials that have administrator rights on the remote machine.

Getting Started
When you first launch the script, it will query the local machine for all of its services:

$services=Get-WmiObject win32_service -computername $txtComputername.Text -ea "SilentlyContinue"

The value for the computername parameter comes from a text box control on the form. I'm using the common ErrorAction parameter with a value of SilentlyContinue so that if the computer can't be reached or there are errors, the script will continue running. The script will populate a drop-down box control with the display names of all services:

$services | foreach { $comboServices.Items.add($_.Displayname) }

The list is sorted alphabetically to make it easier to find the service you wish to watch. Select a service from the list, and then click the Watch button. PowerShell will make a WMI query to retrieve the service object. This script has an array of service properties that I think are the most relevant, but of course you can modify that array:

$properties=@("Displayname","Name","State","StartMode","StartName")

The "State" property will indicate whether or not the service is running. "StartMode" will indicate if the service is set to start automatically, and "StartName" is the account the service is running under. The script will get the current values for these properties and display them in the form.

Monitoring Made Easy
Now for the fun part.

You'll see a counter control, which has a default value. This value is the number of seconds before the script checks the service again. The refresh interval ranges from 10 to 120 in five-second intervals. Upon refresh, the script compares a saved version of the service with the new version. If any property value is different, a message is written to the form in a red font, so you can't miss it. You can see at a glance what changed and when. The message will remain until you pick another service or start a new scan.
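The compare-on-refresh logic described above can also run without the form. The following is an added example, not code from ServiceMon.ps1; the function names Get-ServiceSnapshot, Compare-ServiceSnapshot and Watch-Service, the choice to re-baseline after each check, and the sample snapshot values are assumptions made for illustration.

```powershell
# Added example (not part of ServiceMon.ps1): headless compare-on-refresh.
$properties = @("Displayname","Name","State","StartMode","StartName")

function Get-ServiceSnapshot {
    param([string]$ComputerName = $env:COMPUTERNAME, [string]$DisplayName)
    # Copy only the watched properties so the snapshot stays static between polls
    Get-WmiObject Win32_Service -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName } |
        Select-Object -Property $properties
}

function Compare-ServiceSnapshot {
    param($Saved, $Current, [string[]]$Property)
    # Emit one record per property whose value differs from the saved copy
    foreach ($p in $Property) {
        if ($Saved.$p -ne $Current.$p) {
            New-Object PSObject -Property @{
                Time = Get-Date; Property = $p; Old = $Saved.$p; New = $Current.$p
            } | Select-Object Time, Property, Old, New
        }
    }
}

function Watch-Service {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$DisplayName,
        [ValidateRange(10,120)][int]$IntervalSeconds = 30   # same range as the form's counter
    )
    $saved = Get-ServiceSnapshot -ComputerName $ComputerName -DisplayName $DisplayName
    if (-not $saved) { Write-Warning "Service not found or $ComputerName unreachable"; return }
    while ($true) {
        Start-Sleep -Seconds $IntervalSeconds
        $current = Get-ServiceSnapshot -ComputerName $ComputerName -DisplayName $DisplayName
        if (-not $current) { Write-Warning "$(Get-Date) query failed; keeping last snapshot"; continue }
        Compare-ServiceSnapshot -Saved $saved -Current $current -Property $properties
        $saved = $current   # assumption: re-baseline so each change is reported once
    }
}

# Constructed snapshots (not real data): the service stopped and its logon account changed
$before = New-Object PSObject -Property @{ Displayname="Print Spooler"; Name="Spooler"
          State="Running"; StartMode="Auto"; StartName="LocalSystem" }
$after  = New-Object PSObject -Property @{ Displayname="Print Spooler"; Name="Spooler"
          State="Stopped"; StartMode="Auto"; StartName=".\svc-temp" }
Compare-ServiceSnapshot -Saved $before -Current $after -Property $properties | Format-Table -AutoSize
```

With the constructed snapshots, the comparison reports two changes, State and StartName. An unexpected StartName change is worth investigating, since it means the service now runs under a different account.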

Assuming you want to monitor a service on another computer, simply enter the computer name and click the Get Services button. This will populate the drop-down list with services for that machine. Set your refresh interval, pick a service and watch.

In its current version, the script doesn't support alternate credentials, even though PowerShell and the Get-WMIObject cmdlet that I'm using will. I'll leave it to you to make that change if required. This version also only watches a single service on a single server. However, you can run as many instances of the script as you'd like. Start a separate PowerShell session for each, navigate to the script directory and run the script. You might want to minimize the PowerShell window itself. It will remain blocked, meaning no other PowerShell command can run in that session until you close the form, which will terminate the script. Minimizing the PowerShell window has no effect on the form itself.

I hope that this secret service protection script will find a place in your administrative toolbox.

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at Petri.com, and a frequent speaker at technology conferences and user groups.
