The Scripting Wife Uses PowerShell to Find Service Accounts

Summary: The Scripting Wife interrupts Brahms to learn how to use Windows PowerShell to find service accounts and service start modes.

Microsoft Scripting Guy, Ed Wilson, is here. One of life’s real pleasures is sitting around a fireplace, listening to a Brahms concerto, and sipping a cup of chamomile tea. I like to add a bit of local honey, and drop in a cinnamon stick. So here I am…mellow and as relaxed as a cat lying in a bay window on a warm summer afternoon. The Charlotte SQL User Group meeting tonight will be awesome. We have not seen Chris Skorlinski (the speaker) since the Raleigh SQL Saturday, so we are excited to go. The Scripting Wife and I will have a great time, and it is nice chance to see some friends we have not seen for a while.

Anyway, now it is time for a warm fire, a little Brahms, and a cup of warm (but not boiling) tea. About to nod off, I was suddenly startled back into reality as the overhead light suddenly switched on.

“How can you see in here in the dark,” the Scripting Wife exclaimed.

“There was nothing to see—I was listening to Brahms,” I began.

“You need to turn that racket down. The neighbor’s dog is beginning to howl. I think he prefers Trace Adkins to that classical stuff anyway,” she continued, “As long as you are awake, I have a problem with a Windows PowerShell command.”

“I see. I think it is you who likes Trace Adkins.”

“Yep, but don’t sidetrack me with talk about Trace Adkins, I need to be prepared for the 2012 Scripting Games so I do not embarrass you or me. Now back to what I came to ask you. I am trying to figure out what account a service uses to start, and I don’t see it. “


“And nothing. I type Get-Service, and I do not see anything about service user accounts.”

“Show me your command,” I wearily asked.

“It is right here. Nothing hard…see?”

She plopped down beside me on the sofa and showed me her laptop. She had typed the single command shown here.


The command and the output from the command are shown in the image that follows.

Image of command output

“You know that there is more information don’t you?” I asked.

“Well, duh,” she said. “OK, I will clear the screen and send the output to the Format-List cmdlet.”

Here is what the Scripting Wife did to clear the screen and to obtain all the information available from the Get-Service cmdlet.

  1. She cleared the screen by using the Clear-Host command. But instead of typing Clear-Host, she used the cls shortcut command instead.
  2. Next, she pressed the Up arrow one time to retrieve the previous Get-Service command.
  3. She then typed a space <space> by tapping the Space bar one time, and then she typed a pipe character (the pipe character | is located above the Enter key on my keyboard).
  4. She then typed a space and Format-List * after the pipe character.

The complete command is shown here.

Get-Service | Format-List *

The command and the associated output from the command are shown in the image that follows.

Image of command output

“OK. I am looking at this output, and I still do not see anything about the service account that a service uses to start up,” she complained.

“Well, I did not say it was there, did I? I just asked you if you had looked at all of the information that the Get-Service cmdlet provides,” I stated. “To find the service account start-up information, you need to use WMI. Remember yesterday when we talked about Using PowerShell to Get Hardware Information? You can use the same technique today as you used yesterday.”

The Scripting Wife thought for a few seconds, and then she typed the following command.

Get-WmiObject –list *service*

“Wow, that is a lot of information,” she exclaimed. She turned the laptop monitor so I could look at the display. Indeed, as is shown here, it is a lot of information.

Image of command output

“Use the same technique that you used yesterday to find the WMI class you need to work with services,” I prompted.

Within a few minutes, the Scripting Wife was pointing at Win32_Service.

“Now use the Get-WmiObject cmdlet to query that WMI class,” I said.

It did not take her long to modify her command line to query the Win32_Service WMI class. Here is the command she composed.

Get-WmiObject Win32_Service

The command and the associated results are shown in the image that follows.

Image of command output

“OK, so where are the service accounts?” she asked.

“Remember, you need to use the same technique that you used with the Get-Service cmdlet to retrieve all the information,” I said.

She thought for a bit, then pressed the Up arrow to retrieve the previous command. Then she added a pipeline character and the Format-List cmdlet. The revised command is shown here.

Get-WmiObject win32_service | format-list *

The command and its associated output are shown in the image that follows.

Image of command output

“So where is the service account name?” she asked.

“Look closely at the output. See where it says StartName? That is the service account. See where it says StartMode? That is the way the service starts,” I said, “Why don’t you create a table with just the Name, StartName, and StartMode.”

This time the Scripting Wife did not hesitate. She first cleared the screen, then used the Up arrow to retrieve the previous command. She then edited it by changing it to a Format-Table command. The command that she arrived at is shown here with its associated output.

Image of command output

“That’s cool,” she said.

And with that, she was gone. Just in time for the Andante movement in D-major. Brahms may not have had Windows PowerShell in mind when he wrote, but somehow it seems to fit.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

Comments (21)

  1. I like so much the "pipe" option now in PowerShell ..

  2. jrv says:

    Start small and build tall.

    gwmi win32_service |select name, startname|export-csv file.csv -notype

  3. K_Schulte says:

    Hi Teresa,

    that's cool 🙂

    It looks like you were exercising for the next scripting games 2012sg!

    This will surely be some stuff, we may prepare for!

    I should reread some of the "old" scripts …

    Klaus (Schulte)

  4. Vern_Anderson says:

    once you discover the properties you want form the "list" then you can specify the output…

    Get-WmiObject win32_service | Format-List DisplayName,StartName

  5. GreyDuck says:

    Well, that does EXACTLY what I've spent the last hour and some-odd looking for… a way to enumerate those service accounts so I can then 'grep' for a particular username. Sweet!

  6. Dave says:

    The command works great. How would I then export the data to a CSV so I can weed out information that I don't need. I'm looking for custom service accounts, not just the built in ones and when I add the | Export-csv c:temptest.csv the information comes back with hexidecimal information and not what's output on the screen.

  7. art says:

    Awseome.  Thanks for taking the time to teach us.

  8. J.Bozman says:

    Thank you so much!  I had no idea how I was going to figure out how to find what service accounts were being used. Not only did you show me how, I learned a bit about scripting too.

  9. Thanks for this post says:

    when I run this script:

    get-wmiobject -query "select name, startname from win32_service where name = 'mssqlserver'" -computername server1, server2 | format-table

    I get too many columns, but when I remove the "Query" I get only the columns I request.

    Any idea how I would do that?

    I just want to around all our servers and list the service account name for our sql services.

  10. Zay says:

    wow, that is awesome. How would I use the same procedure to find a service account info for SQL service on remote computers?

  11. John Bruce says:

    Thanks for this, very helpful… is there anyway to show the status of the service e.g. running, stopped,

    notice that the: “Get-WmiObject Win32_Service | Format-Table name, startname, startmode, status” just shows “ok”

  12. Amshru says:

    Will this script work for Win 2003 where powershell not installed. If i run this script from my Win7 for multiple Win 2003 & 2008 servers?

  13. Stefan Falk says:

    One can find this with a bit of PowerShell/WMI experience, but I have to ask: Why were such often needed properties as start mode and service account not part of Get-Service from V1.0 on? Or, seen from the opposite direction, why is there a Get-Service
    Cmdlet at all if WMI has all we need, and we need WMI often instead of Get-Service?

    Conclusion: Please extend Get-Service to make people’s life a bit easier again! PowerShell is so tremendously useful, but this would be a welcome additon I believe.

    Best Regards,
    Stefan Falk

  14. Brandioni says:

    how do you filter service accounts that are NOT run by NT authority or LocalSystem so as to show only custom service accounts

  15. says:

    I want to parse the results for a specific user account. How do I do this?

  16. DK says:

    Hi All,

    How do I list out the services which runs with a local account on a computer?

  17. Chandan says:

    Hi All, I am very much new to power shell. We regularly need to get the below details. It would be great if someone can help us with few command or a script for the below items. Need to get all details for particular local user(for eg.Test) in the servers.

    *Is it disabled?
    *Member of?
    *If used by any service?
    *If password change on logon is selected.

    Thanks in advance and quick help will be appreciated.

  18. zmottie says: if you have Powershell 3 and you want to parse for a specific user you can do:

    ? is a shortcut for ‘where-object’

    get-wmiobject win32_service | ? startname -Like "wildcardswork*" | ft name,startname

    @DK similarly you can likely search using

    get-wmiobject win32_service | ? startname -Like "COMPUTER*" | ft name,startname

  19. JohnLBevan says:

    To get the account used by a specific service on a specific machine:

    Get-WmiObject -ComputerName $MyServer -Class ‘win32_service’ -Filter {Name = $MyService} | select StartName

    NB: In the filter we’re creating a WQL query; not a PowerShell one. As such we use the equals character instead of

    PS’s `-eq`.

  20. JohnLBevan says:

    @Stefan: Regarding properties which don’t currently exist in PowerShell’s Get-Service cmdlet, you can request such on Microsoft Connect:

    Someone’s already requested that the StartType property be added / that’s to be included in Windows Server 2016:

    I suspect other properties have also been added, such as the service’s account; but can’t see a request for it or any documentation on the updated Get-Service cmdlet’s new abilities.

Skip to main content