Find User-Based Service Accounts with PowerShell and Command Line

For the most part, Windows Server services run under generic system-based accounts, such as LocalSystem or NT AUTHORITY\LocalService. But occasionally, a service needs to be run under a “real” user account, either domain or machine-based. Too often I’ve seen these running under an administrator account. In any event, you should know where these types of service accounts are being used.

Find User-Based Service Accounts with PowerShell

The first thing you might want to do is find out what accounts are currently being used. PowerShell is the easiest tool. We can use WMI to query all instances of the Win32_Service class and look at the StartName property. One approach might be to use Group-Object.

This gives me a nice distribution breakdown, but I can see there are a few services using a user account. If I know in advance what account to search for, I could run a PowerShell command like this:

A better approach would be to filter out all the system accounts. This is a little tricky with WMI filtering, but here’s something that should do the trick.

In my testing, I’ve found I need the compound filter to pick up accounts using the UPN format. But now, given a list of computer names, I could build a report like this.

This will create a simple CSV file which I can open in Excel.
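The steps above (query Win32_Service, filter out the built-in accounts, run against a list of computers, export to CSV) combined into one script. This is an added example, not the author's original code: it uses Get-CimInstance rather than Get-WmiObject, and the computer names, filter text and output path are assumptions.

```powershell
# Added example: report services that run under a user account
# instead of a built-in identity, across several servers.

# Constructed list of target servers (hypothetical names).
$Computers = 'SRV01', 'SRV02'

# Compound WQL filter. It excludes only the built-in identities, so anything
# else is kept whatever its format: DOMAIN\user, .\user or user@domain (UPN).
# The LIKE patterns avoid a backslash, which WQL would need escaped.
$filter = "StartName IS NOT NULL " +
          "AND StartName <> 'LocalSystem' " +
          "AND NOT (StartName LIKE 'NT AUTHORITY%') " +
          "AND NOT (StartName LIKE 'NT SERVICE%')"

$report = foreach ($computer in $Computers) {
    try {
        Get-CimInstance -ClassName Win32_Service -Filter $filter `
                        -ComputerName $computer -ErrorAction Stop |
            Select-Object @{ Name = 'Computer'; Expression = { $_.SystemName } },
                          Name, DisplayName, StartName, StartMode, State
    }
    catch {
        # An unreachable host should not stop the rest of the sweep.
        Write-Warning "Query failed on ${computer}: $($_.Exception.Message)"
    }
}

if ($report) {
    # One row per service, ready to open in Excel.
    $report | Sort-Object Computer, StartName |
        Export-Csv -Path .\ServiceAccounts.csv -NoTypeInformation

    # Quick view of which accounts are in use and on how many services.
    $report | Group-Object StartName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}
else {
    Write-Output 'No user-based service accounts found.'
}
```

Get-CimInstance talks to remote machines over WS-Man; where only DCOM is available, Get-WmiObject accepts the same -Filter string.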

Find User-Based Service Accounts with the Command Line

If you prefer your WMI in a CLI flavor, you can also use WMIC from a CMD prompt.

WMIC can be a bit tricky, so if you are interested in using it, you might want to check out my articles on the subject. [Command Line WMI Part 1; Command Line WMI Part 2; Command Line WMI Part 3]

Now, if PowerShell isn’t an option for you and you find WMIC awkward, you could turn to the command line tool SC.EXE to retrieve the same information. If you suspect a service, it is pretty easy to check.

Scripting this to check all services is a bit more tedious, and after more time than I would have wanted, I came up with a batch file you could use. Don’t expect a speedy result like PowerShell, as the script has to get a list of all services and then get the configuration for each service and check the service start name.

But it works:


Personally, I’ll stick to PowerShell but I wanted to leave you with some options. In any event, now you should be able to identify what accounts your services are running under, and identify potential problems before they become major headaches. If you want to try the batch file, you can download it here.
