Table of Contents
Do you know what the service logon accounts are? The services are background processes that keep running without any user interface in the Windows operating system. These services are often set up to run under a particular user account, which we call a service logon account or a service account. This service account determines the security context in which service(s) run.
Note that providing sufficient permissions can change this service to any other account (must exist in Control Panel -> User Accounts on your machine). We can do it using the GUI of the Service console, but this tutorial is focused on how to do it using PowerShell. So, let’s dive into the possible ways of doing it.
You must run PowerShell as an administrator to use the following solutions.
Using Set-Service Cmdlet [PowerShell 6.0+]
Use Set-Service Cmdlet to change the service logon account using PowerShell. You can only get the advantage of this cmdlet to change the logon service account if you are using PowerShell version 6 or higher because we use the -Credential parameter that was introduced in PowerShell 6.0.
|
1 2 3 |
Set-Service -Name "XboxGipSvc" -Credential (Get-Credential) |
|
1 2 3 4 5 6 |
PowerShell credential request Enter your credentials. User: DESKTOP-THAT\Tahir Password for user DESKTOP-THAT\Tahir: **** |
The Set-Service cmdlet is used to start, stop, & suspend the service and modifies its properties. The -Name parameter was used to specify the service name for which we wanted to change the service logon account. Wildcard characters are prohibited here, but you can use the pipeline to send the service name to the Set-Service cmdlet. In the above example, the "XboxGipSvc" is the service name; don’t forget to replace it with your service name.
The -Credential parameter was used to specify the account used by a service as a Service Logon Account. These account credentials were retrieved using the Get-Credential cmdlet (don’t forget to enclose it within ()). The credentials are stored in a PSCredential object, and the password is stored as a SecureString.
In the above code, the Set-Service cmdlet asked for the User for which we have to enter as Domain\User and a Password. Here, Domain is the PC name that you can find in Device Specifications under This PC -> Properties, and User is the user account name. You will see a string of * if you would have set the password for the given user; otherwise, hit Enter to continue.
If you use a PowerShell version of less than 6.0, you can use any of the following solutions.
Using Get-WmiObject Cmdlet
To change service logon account using PowerShell:
- Store user name, password (if any) and service name in separate variables.
- Use the
Get-WmiObjectcmdlet to get a WMI object for the specified service. - Use the
StopService()method to stop service to avoid inconvenience and store the returned value in a variable. - Use conditionals (
if-elsestatements) with the-eqoperator to check if theReturnValueproperty of the variable created in the previous step equals"0"or"5". Otherwise, move to theelseblock. - Use the
Start-Sleepcmdlet to wait for15seconds to let the service stop completely. - Use the
Change()method to change the logon service account and store the returned value in a variable. - Use the
ifstatement with the-eqoperator to check if theReturnValueproperty of the variable created in the previous step equals"0". Otherwise, move to theelseblock. - Print the customised messages using the
Write-Hostcmdlet in allif-elseblocks.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
$username="DESKTOP-THAT\Tahir" $password="1234" $serviceName="XboxGipSvc" $serviceObj = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'" $stopServiceStatus = $serviceObj.StopService() if ($stopServiceStatus.ReturnValue -eq "0") { Write-host "The '$serviceName' service Stopped." -f Green } elseif($stopServiceStatus.ReturnValue -eq "5"){ Write-host "The '$serviceName' service is already stopped. Error code: $($stopServiceStatus.ReturnValue)" -f Yellow } else { Write-host "Failed to Stop the '$serviceName' service. Error code: $($stopServiceStatus.ReturnValue)" -f Red } Start-Sleep -Seconds 15 $changeLogonAccountStatus = $serviceObj.Change($null,$null,$null, $null,$null,$null, $username,$password,$null, $null,$null) if ($changeLogonAccountStatus.ReturnValue -eq "0") { Write-host "The logon account changed successfully for the '$serviceName' service." -f Green }else { Write-host "Failed to change the logon account for the '$serviceName' service. Error code: $($changeLogonAccountStatus.ReturnValue)" -f Red } |
|
1 2 3 4 |
The 'XboxGipSvc' service Stopped. The logon account changed successfully for the 'XboxGipSvc' service. |
First, we defined the $username, $password, and $serviceName variables containing the username, password (if any; otherwise, it would be an empty string as ""), and the service name. Then, we used the Get-WmiObject cmdlet to get the Windows Management Instrumentation (WMI) object for the given service and stored this object in the $serviceObj variable.
In the above example, the WMI object ($serviceObj) denoted the Windows service that would have its logon account changed. In the above script, we used the -Class parameter to specify the class, -Win32_Service.
Then, we used the StopService() method of the $serviceObj object to stop the service. However, the if-else block will be executed based on the returned value of StopService(), which we stored in the $stopServiceStatus variable. If it stopped successfully, then the value of the ReturnValue property would be "0", and the if block would be executed to display a message in green colour.
If the service is stopped, the value of the ReturnValue property would be "5", causing the elseif block’s execution; otherwise, the else block would be executed. Inside the conditionals, we used the Write-Host cmdlet with the format operator (-f) to print messages in green, yellow, and red colour based on if they are success, warning, and error.
After that, we used the Start-Sleep cmdlet to wait for 15 seconds to let the service end completely. Then, we used the Change() method of $serviceObj object to change the service logon account and stored the returned value in a variable named $changeLogonAccountStatus. The Change() method took 11 arguments. All the arguments were $null excluding arguments seven and eight, which were the $username and $password.
Next, we used the if statement with the -eq operator to check if the ReturnValue property of the $changeLogonAccountStatus equals "0". If it is, then we used Write-Host to display a message in green stating the service logon account has been changed; otherwise, the else block was executed, showing an error message in red.
Using the sc.exe Command
Use the sc.exe command to change the service logon account using PowerShell.
|
1 2 3 4 5 6 7 |
$serviceName = "XboxGipSvc" $username = "DESKTOP-THAT\Tahir" $password = "1234" $arguments = "config $serviceName obj= <code>"$username</code>" password= <code>"$password</code>"" Start-Process -FilePath "sc.exe" -ArgumentList $arguments -Wait -NoNewWindow |
|
1 2 3 |
[SC] ChangeServiceConfig SUCCESS |
First, we defined three variables to hold the username, password, and service name; it is the same as we did in the previous example. Then, we prepared a string having command line arguments that we wanted to pass to the sc.exe command-line tool. We stored this string in the $arguments variable.
The $arguments was constructed using the values of $username, $password, and $serviceName variables. Note that we used the backtick to escape double quotes before and after the $username and $password to pass them to sc.exe as literal values.
Then, we used the Start-Process cmdlet to start a new process running the sc.exe command-line tool with the given $arguments using the -ArgumentList parameter. Next, the -FilePath parameter specified the path to the sc.exe executable, while the -Wait parameter ensured the script waited for the sc.exe command to finish (complete) before continuing.
Finally, the -NoNewWindow parameter checked that sc.exe is run in the same PowerShell console window. Overall, the code modifies the service logon account for the "XboxGipSvc" service; don’t forget to replace this service name if you adopt this solution.
That’s all about PowerShell change service logon account.
