A common task that a System Administrator might face in their day is restarting a service on a remote system. While this can be accomplish using the Services.MSC or another various GUI, you have to load the GUI, then connect to the remote system, locate the service and finally perform the action on the service.
There are a few ways that this can be done using WMI (Win32_Services) and using Get-Service along with Stop/Start/Restart-Service cmdlets.
Using WMI
The first method of managing a service that I will go into is using WMI to accomplish this task. First I will connect to the specific service that I want to manipulate, in this case, the windows update client service: wuauserv.
$service = Get-WmiObject -ComputerName DC1 -Class Win32_Service ` -Filter "Name='wuauserv'" $service
We now have our WMI service object for wuauserv. Lets take a look at all of the available methods for this object.
$Service | Get-Member -Type Method
The methods that we are most concerned with for this article are StartService() and StopService().
With this knowledge of what methods we can use to start and stop the remote service, lets go ahead and stop the service.
$service.stopservice()
Note the ReturnValue property that is returned here after calling the Stop() method. A 0 means that the stop method was successful. For more information on other return values, please check out this msdn page.
Unfortunately, the WMI object is not dynamic nor does it have a way to let you refresh the object to see if the Stop worked or not. With that, we have to perform the query again.
$service = Get-WmiObject -ComputerName DC1 -Class Win32_Service ` -Filter "Name='wuauserv'" $service
As you can see, the service has now been stopped. Starting a service is just as simple using the StartService() method, as seen below:
$service.StartService() $service = Get-WmiObject -ComputerName DC1 -Class Win32_Service ` -Filter "Name='wuauserv'" $service
Again, the return code is a 0, so we know it started successfully. More info on other return codes for the Start method can be found here.
Another way to use WMI to start/stop the services is Invoke-WMIMethod.
Invoke-WMIMethod
You can use the Invoke-WMIMethod cmdlet to perform the same type of action that we did using Get-WMIObject and calling the service object’s method.
Invoke-WmiMethod -Path "Win32_Service.Name='wuauserv'" ` -Name StopService -Computername DC1
Notice that the return object when using Invoke-WMIMethod is exactly the same as the method we used earlier.
Using existing cmdlets: Get-Service,Stop/Start/Restart-Service
One of the nice things that PowerShell can do both locally and remotely is query a service using the Get-Service cmdlet.
$service = get-service -ComputerName dc1 -Name wuauserv $service
This works just as well as the WMI method but returns a different object: System.ServiceProcess.ServiceController
Lets look at some of the methods that are available from this object:
$service | Get-Member -Type Method
Much like the WMI object, we have a Start() and Stop() method that we can use to manage the service object. But if you take a closer look, we also see a Refresh() object as well. While we have the same issue where the object doesn’t automatically update itself when the state changes, it does allow us to refresh the object and show us the new state without having to perform another query.
$service.Start() $service.Refresh() $service
As you can tell, this works rather nicely even though we do not get a return code of any type to let us know if this worked or not.
Ok, so I mentioned that you can also use Start/Stop/Restart-Service to accomplish the same type of service actions? But if you look at the parameters, you will not see a –Computername parameter that is so common in cmdlets that allow remote connections, such as Get-Service.
Get-Help Get-Service -Parameter Computername Get-Help Start-Service -Parameter Computername Get-Help Stop-Service -Parameter Computername Get-Help Restart-Service -Parameter Computername
So how can we use those cmdlets to manipulate the state of a remote service if there is no –Computername parameter? Fortunately, the cmdlets have an –InputObject parameter that allows us to supply the service object, even if it is a remote object to manipulate the state of the service.
Get-Help Start-Service -Parameter InputObject Get-Help Stop-Service -Parameter InputObject Get-Help Restart-Service -Parameter InputObject
Lets stop the Wuauserv service:
Stop-Service -InputObject $service -Verbose $service.Refresh() $service
Now I will start it up again:
Start-Service -InputObject $service -Verbose $service.Refresh() $service
Now for something we haven’t been able to do at all with the WMI or the System.ServiceProcess.ServiceController object is perform a restart of the service easily without having to call a Stop and then Start method. We can now use the Restart-Service cmdlet to accomplish this task.
Restart-Service -InputObject $service -Verbose $service.Refresh() $service
And of course, you can easily run these through the pipeline as well with no effort at all.
Get-Service -ComputerName dc1 -Name wuauserv | Stop-Service -Verbose Get-Service -ComputerName dc1 -Name wuauserv | Start-Service -Verbose Get-Service -ComputerName dc1 -Name wuauserv | Restart-Service -Verbose
In conclusion
So as you see, there are a number of ways that you can manipulate the state of a remote service with little to no effort at all. That is the beauty of PowerShell in that there are multiple paths to accomplishing the same goal and all can be done very easily!
Pingback: Episode 174 – Matt Graeber using PowerShell in Infosec « PowerScripting Podcast