Listing Services Running as a User Account

You might want to identify services running as a user account for any number of reasons, including any of the following:

  • You are preparing for a migration and need to know what services and/or what computers will be affected when you migrate a particular user account.
  • The password for a particular service account needs to be changed, and you need to know which computers will be affected by that change.
  • You want to check to make sure that there aren’t services running as user accounts out there that you didn’t know about.

I’m sure that you can think of more reasons, but that’s enough for now. To accomplish this feat, we’re going to reach once more into the toolkit of WMIC, this time using the “wmic service” alias to query the service status and configuration of remote systems.

Our base WMIC command is something like this:

wmic service get Caption,StartName

This command lists all services, with the caption (friendly name) and security context (local system, local service, network service, or user account). That’s all well and good, but we only need those services that are running as user accounts. To do that, we’ll modify the command to look like this:

wmic service where (StartName!="LocalSystem" and 
StartName!="NT AUTHORITY\\LocalService" and 
StartName!="NT AUTHORITY\\NetworkService") 
get Caption,StartName

Now the results include only those services running as user accounts, or (if none match), the message “No instances available.” Note the double backslashes when checking for services running as LocalService or NetworkService; these are necessary on the command line.

Reusing the “for /f” trick shown here, we can build a more complex command to do the same thing for all computers in an OU:

for /f "tokens=1" %1 in ('dsquery computer 
"ou=Workstations,dc=example,dc=net" -o rdn -limit 0') do 
@wmic /node:%1 /failfast:on service where (StartName!="LocalSystem" 
and StartName!="NT AUTHORITY\\LocalService" and 
StartName!="NT AUTHORITY\\NetworkService") 
get Caption,StartName > c:\temp\svc-list-%1.txt

This command will create a list of files, one for each computer returned by the query, each of which contains a list of services running as user accounts. One new technique shown here is the creation of a text files that have the computer names returned from the Active Directory query embedded in the filename. Note that we’ve also incorporated the “/failfast:on” switch, to avoid delays due to computers that are turned off, out of the office, or otherwise unreachable.

With these text files, you then have the information you need to know what computers and/or services will be affected by password or account changes, and you can stay on top of new services being added to the network without your knowledge.

UPDATE: This weblog entry shows another way to get this information, this time without using WMIC (this may be useful for dealing with older computers that may not support WMIC).

Tags: , ,


  1. David M’s avatar

    I get the following error whenever I try to incorporate a “Not equal” operator like “!=”,
    Code = 0×80041017
    Description = Invalid query
    Facility = WMI
    and I get a syntax error if I try to use “” as my “not equal” operator. I can pipe the collected output into the “Find” command’s /V (not containing “LocalSystem”), and then pipe it into “Find” with “not containing” “LocalService”, etc. But this seems inelegant.

    Ahhh, I just discovered I could create a separate “command line-ish” environment by running wmic.exe. Within this, the “not” operator works.

  2. rob JAudon’s avatar


    Thanks for posting this article. I am a big fan of WMIC and it power. I wish there was a book solely on WMIC. Your article has triggered some thoughts on how I can use WMIC.

    Just wanted to say thanks.


  3. Zoltan’s avatar

    Great job, big help, thank you!

  4. David’s avatar

    wmic service where (StartName!=”LocalSystem”? and StartName!=”NT AUTHORITY\LocalService”? and StartName!=”NT AUTHORITY\NetworkServic
    e”?) get Caption,StartName

    Returns -

    Node – BBW-SUPPORT
    Code = 0×80041017
    Description = Invalid query
    Facility = WMI

    Can you help?

  5. Dean P’s avatar

    You can’t copy and paste this command from the web page into console because each return carriage counts as a command execution. You need to type out what has been given above onto one line in cmd.

  6. Mike’s avatar

    Thanks for the syntax primer! I was struggling with finding services running under domain accounts until I saw your note about using the double-backslash – I didn’t think about the quality of the backslash within this environment and this was just the hint needed.

    Much appreciated.

Comments are now closed.