Good morning,
I'm writing an installation procedure for a product which embeds a Windows service. In order to install that service, a wrapper is used, referring to a configuration (java -jar wrapper.jar -i <product>.conf).

Now there seems to be some link towards the account: when a Windows service is installed as Account1, then it can't be started/stopped by Account2.

So, I (Account2) would like to interrogate the Windows service, and say "If you are installed by Account1, then you need to be uninstalled and I'll install you myself".

Now the question: how can I know which account has installed the mentioned Windows service? I've already tried:

  • sc query <Service_Name>
  • sc qc <Service_Name>
  • sc qprivs <Service_Name>
  • sc qmanagedaccount <Service_Name>
  • sc quserservice <Service_Name>
  • wmic service <Service_Name> list full

(You see, I'm getting desperate :-) )

None of the mentioned commands has given the username "Account1".

Does anybody know how to do this?

Dominique

1 Answer

How can I know which account has installed a Windows service?

You can use wevtutil to retrieve this information:

Retrieve information about event logs and publishers. Archive logs in a self-contained format, enumerate the available logs, install and uninstall event manifests, run queries, export events (from an event log, from a log file, or using a structured query) to a specified file, and clear event logs.

The event you need to look for is Event ID 4697: A service was installed in the system:

A new service was installed by the user indicated in the subject. Subject often identifies the local system (SYSTEM) for services installed as part of native Windows components and therefore you can't determine who actually initiated the installation.

Subject:

The user and logon session that performed the action.

  • Security ID: The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Service Information:

  • Service Name: the internal system name of the new service. Use "sc query" to get a cross reference of service names and their more familiar display names.

The following command will show the Account Name for the last created service:

wevtutil query-events System /count:1 /rd:true /format:text /q:"Event[System[(EventID=4697)]]"

If you created the service using the sc create command, then you will need to search for Event ID 7045, Source: Service Control Manager, and look for User Name:

wevtutil query-events System /count:1 /rd:true /format:text /q:"Event[System[(EventID=7045)]]"

Example:

> sc create Notepad binpath= c:\windows\system32\Notepad.exe
[SC] CreateService SUCCESS

> wevtutil query-events System /count:1 /rd:true /format:text /q:"Event[System[(EventID=7045)]]"
Event[0]:
  Log Name: System
  Source: Service Control Manager
  Date: 2017-04-07T14:35:32.600
  Event ID: 7045
  Task: N/A
  Level: Information
  Opcode: N/A
  Keyword: Classic
  User: S-1-5-21-1699878757-1063190524-3119395976-1000
  User Name: Hal\DavidPostill
  Computer: Hal
  Description:
A service was installed in the system.

Service Name:  Notepad
Service File Name:  c:\windows\system32\Notepad.exe
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem

Suncatcher
DavidPostill
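As an added example (not part of the answer above, and not the wrapper's own tooling), the following PowerShell script applies the two events the answer describes to the asker's use case: it looks up who installed a named service, first from 4697 in the Security log, then from 7045 in the System log, and compares that account with the one running the script. It assumes it is run elevated (reading the Security log needs administrator rights) and, for 4697, that the "Audit Security System Extension" audit subcategory is enabled; the function names, the -ServiceName parameter and the exit codes are my own choices.

```powershell
# Added example, not from the original answer. Looks up which account
# installed a service via the events the answer describes, then compares
# that account with the one running this script (the asker's use case).
# Assumes: run elevated (the Security log needs admin rights to read) and,
# for 4697, that the "Audit Security System Extension" subcategory is on.
# 7045 in the System log is written by the SCM regardless of audit policy.
param([Parameter(Mandatory = $true)][string]$ServiceName)   # e.g. the <product> service name

function ConvertFrom-EventData($Event) {
    # Turn the event's <Data Name="..."> elements into a name -> value hashtable.
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-ServiceInstaller([string]$Name) {
    # Get-WinEvent returns newest first, so -MaxEvents 1 is the latest install of this name.
    $xpath = "*[System[EventID=4697] and EventData[Data[@Name='ServiceName']='$Name']]"
    $ev = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($ev) {
        $d = ConvertFrom-EventData $ev          # installer is in the Subject fields
        return [pscustomobject]@{ Source = '4697 (Security)'; Time = $ev.TimeCreated
            Installer = "$($d.SubjectDomainName)\$($d.SubjectUserName)"; RunsAs = $d.ServiceAccount }
    }
    $xpath = "*[System[EventID=7045] and EventData[Data[@Name='ServiceName']='$Name']]"
    $ev = Get-WinEvent -LogName System -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($ev) {
        $d = ConvertFrom-EventData $ev          # installer is the event's UserId SID
        $who = if ($ev.UserId) {
            try { $ev.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { $ev.UserId.Value }
        } else { '<no SID recorded>' }
        return [pscustomobject]@{ Source = '7045 (System)'; Time = $ev.TimeCreated
            Installer = $who; RunsAs = $d.AccountName }
    }
    return $null    # log rotated past the install, or never installed on this host
}

$info = Get-ServiceInstaller -Name $ServiceName
if (-not $info) { Write-Warning "No install event found for '$ServiceName'"; exit 2 }
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "'$ServiceName' installed by $($info.Installer) at $($info.Time) [$($info.Source)], runs as $($info.RunsAs)"
if ($info.Installer -ne $me) {
    Write-Host "Installed by a different account than $me; reinstall it under the current account."
    exit 1
}
exit 0
```

When the logs have rotated past the installation, both lookups return nothing and the script reports that (exit code 2) rather than guessing an installer.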