Determine the Start Time of a Windows Service with PowerShell

Recently, I was asked to setup a scheduled task or job to restart specific services on certain servers each night and while that’s simple, how do you know for sure the services were indeed restarted? One way is to determine how long a service has been running or when they were started. The dilemma is the necessary information isn’t available using the Get-Service cmdlet or with CIM or WMI using the Get-CimInstance or Get-WmiObject cmdlets with the Win32_Service class.

The good news is that every Windows service that’s running has an underlying process and the start time of a process can be determined with either the Get-Process cmdlet or the WMI Win32_Process class. All you have to do us match up the services to the corresponding process.

Get-Service doesn’t include the process id so I had to resort to using WMI to retrieve the service information so the process id can be retrieved. A PowerShell one-liner can be used to retrieve the information I was looking for.

Get-CimInstance -ClassName Win32_Service -PipelineVariable Service |
ForEach-Object {
    Get-Process -Id $_.ProcessId |
    Select-Object -Property @{label='Status';expression={$Service.State}},
                            @{label='Name';expression={$Service.Name}},
                            @{label='DisplayName';expression={$Service.DisplayName}},
                            StartTime
}

That one-liner could simply be run inside of Invoke-Command to retrieve the same information from remote systems, but I decided to turn it into a function instead. My first iteration was simple:

function Get-MrService {
    [CmdletBinding()]
    param (
        [string]$Name
    )

    $Params = @{}

    if ($PSBoundParameters.Name) {
        $Params.Filter = "Name = '$Name'"
    }

    $Services = Get-CimInstance -ClassName Win32_Service @Params

    foreach ($Service in $Services) {
        $Process = Get-Process -Id $Service.ProcessId

        [pscustomobject]@{
            Status = $Service.State
            Name = $Service.Name
            DisplayName = $Service.DisplayName
            StartTime = $Process.StartTime
        }
    }

}

When adding remoting within the function itself, I ran into a problem where the services were retrieved from the remote system, but it was trying to match them up to local processes so a little rework was required.

In the end, I decided to use CIM sessions for remote connectivity so the part of the function which previously used the Get-Process cmdlet was changed to use Get-CimInstance with the Win32_Process class.

#Requires -Version 3.0
function Get-MrService {

<#
.SYNOPSIS
    Gets the services on a local or remote computer.

.DESCRIPTION
    The Get-MrService function gets objects that represent the services on a local computer or on a remote computer,
    including running and stopped services. You can direct this function to get only particular services by specifying
    the service name of the services.

.PARAMETER Name
    Specifies the service names of services to be retrieved. Wildcards are permitted. By default, this function gets
    all of the services on the computer.

 .PARAMETER CimSession
    Specifies the CIM session to use for this cmdlet. Enter a variable that contains the CIM session or a command that
    creates or gets the CIM session, such as the New-CimSession or Get-CimSession cmdlets. For more information, see
    about_CimSessions.

.EXAMPLE
    Get-MrService -Name bits, w32time

.EXAMPLE
    Get-MrService -CimSession (New-CimSession -ComputerName Server01, Server02) -Name Win*

.INPUTS
    None

.OUTPUTS
    PSCustomObject

.NOTES
    Author:  Mike F Robbins
    Website: http://mikefrobbins.com
    Twitter: @mikefrobbins
#>

    [CmdletBinding()]
    param (
        [ValidateNotNullOrEmpty()]
        [string[]]$Name = '*',

        [Microsoft.Management.Infrastructure.CimSession[]]$CimSession
    )

    $ServiceParams = @{}

    if ($PSBoundParameters.CimSession) {
        $ServiceParams.CimSession = $CimSession
    }

    foreach ($n in $Name) {
        if ($n -match '\*') {
            $n = $n -replace '\*', '%'
        }

        $Services = Get-CimInstance -ClassName Win32_Service -Filter "Name like '$n'" @ServiceParams

        foreach ($Service in $Services) {

            if ($Service.ProcessId -ne 0) {
                $ProcessParams = @{}

                if ($PSBoundParameters.CimSession) {
                    $ProcessParams.CimSession = $CimSession | Where-Object ComputerName -eq $Service.SystemName
                }

                $Process = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = '$($Service.ProcessId)'" @ProcessParams
            }
            else {
                $Process = ''
            }

            [pscustomobject]@{
                ComputerName = $Service.SystemName
                Status = $Service.State
                Name = $Service.Name
                DisplayName = $Service.DisplayName
                StartTime = $Process.CreationDate
            }

        }

    }

}

I also ran into a problem where all of the systems were being queried for the process id of every service instead of just the ones running on that particular system. I narrowed down which CIM sessions were being queried which resolved that problem.

Get-MrService -Name msdtc, bits, w32time, winrm |
Format-Table -AutoSize

$CimSession = New-MrCimSession -ComputerName dc01, sql08, sql14

Get-MrService -CimSession $CimSession -Name msdtc, bits, w32time, winrm |
Sort-Object -Property ComputerName, Name |
Format-Table -AutoSize

service-starttime1a.jpg

Although this function requires PowerShell 3.0 or higher on the system it’s being run from, since I chose to use CIM sessions for remote connectivity instead of simply wrapping the commands inside of PowerShell remoting, I’m able to target machines using either WSMan or DCom. For more information on that topic, see my Targeting Down Level Clients with the Get-CimInstance PowerShell Cmdlet blog article.

The previous example takes advantage of my New-MrCimSession function which automatically determines if a system is able to use WSMan otherwise it automatically falls back to using DCom. More information about that function can be found in my PowerShell Function to Create CimSessions to Remote Computers with Fallback to Dcom blog article.

The Get-MrService function shown in this blog article can be downloaded from my PowerShell repository on GitHub.

ยต