safejrz

Reputation: 544

How can I query WMI to know the name of the user that started a service?

I used several WMI queries in wbemtest to try to find out which user started a particular service. The ones that got me "this far" are presented here. I know that if I query the win32_service object like:

    select * from win32_service where name like '%SERVICENAME%'

I obtain only one result (the service I'm looking for). I then double-clicked it to browse the service properties and found out there's a property called "StartName" which shows the name of the user that started it (that's what I want).

Now, the problem begins when I do:

    select StartName from win32_service where name like '%SERVICENAME%'

I get Win32_Service = <no key>.

Even without the where clause it shows the same.

What am I missing to make it work?

Upvotes: 2

Views: 8614

Answers (2)

Gabe

Reputation: 56

I wrote some code in C# that actually works.

    // Requires a reference to System.Management; the method belongs inside a class.
    using System;
    using System.Linq;
    using System.Management;

    // Service is a plain data class (not shown) with one property per field assigned below.
    public Service GetServiceDetails(string serviceName)
    {
      // Escape backslashes and single quotes so the name stays inside the WQL string literal.
      string escapedName = serviceName.Replace("\\", "\\\\").Replace("'", "\\'");

      // Dispose both the searcher and the result collection when done.
      using (var searcher = new ManagementObjectSearcher(new SelectQuery(string.Format("SELECT * FROM Win32_Service WHERE Name = '{0}'", escapedName))))
      using (var managementBaseObject = searcher.Get())
      {
        // Name is the key property, so at most one instance matches.
        ManagementObject mo = managementBaseObject.Cast<ManagementObject>().FirstOrDefault();

        if (mo == null) return null;

        // Any WMI property can be null, so each one is checked before conversion.
        var service = new Service
        {
          AcceptPause = mo["AcceptPause"] != null && (bool) mo["AcceptPause"],
          AcceptStop = mo["AcceptStop"] != null && (bool)mo["AcceptStop"],
          Caption =  mo["Caption"] != null ? mo["Caption"].ToString() : string.Empty,
          Description =  mo["Description"] != null ? mo["Description"].ToString() : string.Empty,
          DisplayName = mo["DisplayName"] != null ? mo["DisplayName"].ToString() : string.Empty,
          Name = mo["Name"] != null ? mo["Name"].ToString() : string.Empty,
          PathName = mo["PathName"] != null ? mo["PathName"].ToString() : string.Empty,
          ProcessId = mo["ProcessId"] != null ? Convert.ToInt32(mo["ProcessId"]) : 0,
          ServiceType = mo["ServiceType"] != null ? mo["ServiceType"].ToString() : string.Empty,
          Started = mo["Started"] != null && (bool)mo["Started"],
          StartMode = mo["StartMode"] != null ? mo["StartMode"].ToString() : string.Empty,
          StartName = mo["StartName"] != null ? mo["StartName"].ToString() : string.Empty,
          State = mo["State"] != null ? mo["State"].ToString() : string.Empty,
          Status = mo["Status"] != null ? mo["Status"].ToString() : string.Empty,
        };
        return service;
      }
    }

Upvotes: 2

Helen

Reputation: 97570

It's a display thing. Your query works, and if you double-click the result, you'll see the service's StartName.

I guess it happens because you don't SELECT the key property - Name. If you add Name to your query, you'll see Win32_Service.Name=name in the results.


By the way, in code you'll get both the SELECTed properties and key properties whether or not you query the key properties:

    ' VBScript example
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
    Set colItems = objWMIService.ExecQuery( _
        "SELECT StartName FROM Win32_Service WHERE Name LIKE '%winmgmt%'",,48)
    For Each objItem in colItems
        Wscript.Echo "Name: " & objItem.Name ' <-- Name is there, even though we didn't query it
        Wscript.Echo "StartName: " & objItem.StartName
    Next

Upvotes: 3
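The same Win32_Service query from PowerShell, as an added example that is not part of either answer: it selects the key property Name together with StartName and classifies the logon account, which is how a service-account audit would use this property. Win32_Service documents StartName as the account the service is configured to run under; the function name Get-ServiceLogonAccount and the AccountType labels are hypothetical, chosen for this illustration.

```powershell
# Added example: report the logon account (StartName) of services matching a name pattern.
function Get-ServiceLogonAccount {
    [CmdletBinding()]
    param(
        # WQL LIKE pattern for the service name; '%' matches any run of characters.
        [string]$NamePattern = '%'
    )

    # Escape backslashes and single quotes so the pattern stays inside the WQL string literal.
    $escaped = $NamePattern.Replace('\', '\\').Replace("'", "\'")

    # Built-in service identities; anything else is a local, domain, managed or virtual account.
    $builtIn = @(
        'LocalSystem',
        'NT AUTHORITY\LocalService',
        'NT AUTHORITY\NetworkService'
    )

    $query = @{
        ClassName = 'Win32_Service'
        Filter    = "Name LIKE '$escaped'"
        # Name (the key property) is requested explicitly alongside StartName.
        Property  = 'Name', 'StartName', 'State', 'StartMode'
    }

    Get-CimInstance @query | ForEach-Object {
        # -contains compares case-insensitively, which matters because the
        # casing of 'NT AUTHORITY' varies between services.
        $type = if ([string]::IsNullOrEmpty($_.StartName)) { 'Unknown' }
                elseif ($builtIn -contains $_.StartName)   { 'BuiltIn' }
                else                                       { 'Named' }

        [pscustomobject]@{
            Name        = $_.Name
            StartName   = $_.StartName
            AccountType = $type
            State       = $_.State
            StartMode   = $_.StartMode
        }
    }
}

# The service queried in the VBScript answer above.
Get-ServiceLogonAccount -NamePattern '%winmgmt%' | Format-Table -AutoSize

# Every service that runs under something other than a built-in identity.
Get-ServiceLogonAccount | Where-Object AccountType -eq 'Named' | Sort-Object StartName
```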
