How to Find Which Services are Running Under a Specific Account in Batch Script
Security auditing often requires knowing exactly "who" is running what. In Windows, services don't just "run", they execute under the identity of a specific user account. While many use system defaults like LocalSystem, others might be configured to use a domain user or a local service account. Identifying services running under a high-privilege account (like a Domain Admin) or a specific service user is a critical task for system hardening and compliance.
This guide will explain how to use the wmic command to find and list all services associated with a specific "Log On" account in a Batch script.
The Tool: WMIC Service StartName
The most precise way to filter services by their account identity is using the wmic (Windows Management Instrumentation Command-line) utility. The specific attribute we need to query is StartName.
Basic Implementation
To find all services running under the LocalSystem account, you can use this short script; the single wmic line does the actual work:
@echo off
:: Account to audit: use the exact StartName value (see the reference table below).
set "TargetAccount=LocalSystem"
echo [AUDIT] Services running under %TargetAccount%:
echo ------------------------------------------------
:: WQL filter on the StartName property of Win32_Service.
wmic service where "StartName='%TargetAccount%'" get Name, DisplayName, State
if %errorlevel% neq 0 (
echo.
echo [INFO] No services found or query failed.
)
echo.
pause
Standard Windows Account Identifier Reference
When searching for standard Windows accounts, you must use their exact internal names. Note that some are localized depending on your system language, but the following are the standard English identifiers:
| Account Type | StartName Value |
|---|---|
| Local System | LocalSystem |
| Local Service | NT AUTHORITY\LocalService |
| Network Service | NT AUTHORITY\NetworkService |
| Domain User | DOMAIN\Username |
| Local User | .\Username |
Script: Auditing for Custom Service Accounts
In many corporate environments, you use specific service accounts (e.g., CORP\Svc_SQL). This script will list all services using a custom account provided by the user.
@echo off
setlocal
set /p "svcAccount=Enter the account name (e.g., DOMAIN\User): "
if not defined svcAccount (
echo [ERROR] No account name entered.
pause
exit /b 1
)
echo.
echo [AUDIT] Searching for services running as: %svcAccount%...
echo.
:: PowerShell is used here instead of wmic: wmic is deprecated on modern Windows and its UTF-16 output renders poorly in the console.
:: The backslash in DOMAIN\User must be doubled before it goes into the WQL filter; the Replace() call below does that.
powershell -NoProfile -Command "$s = Get-WmiObject Win32_Service -Filter \"StartName='$($env:svcAccount.Replace('\','\\'))'\" -ErrorAction SilentlyContinue; if ($s) { $s | Format-Table Name, DisplayName, StartMode, State -AutoSize } else { Write-Host \"[INFO] No services found running under '$env:svcAccount'.\" }"
echo.
pause
endlocal
Advanced Logic: Finding "Non-System" Services
For a security auditor, the most interesting services are those that aren't running as the standard system accounts. This script filters out the three default accounts to reveal custom service identities.
@echo off
echo [SECURITY] Listing services running under non-standard accounts...
echo.
wmic service where "StartName!='LocalSystem' and StartName!='NT AUTHORITY\\LocalService' and StartName!='NT AUTHORITY\\NetworkService'" get Name, StartName, State 2>nul
if %errorlevel% neq 0 (
echo [INFO] No custom-account services found, or query failed.
)
echo.
pause
Note the use of the double backslash \\ in the wmic command. WMI requires backslashes in search strings to be escaped.
How to Avoid Common Errors
Wrong Way: Using "sc query" to find accounts
The sc query command is excellent for status, but its output does not include the account identity (the "Log On As" account).
Correct Way: Use wmic service to filter by StartName, or use sc qc inside a loop to read SERVICE_START_NAME for each service individually.
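The sc qc loop mentioned above, written out as an added example (this is not code from the original article). It assumes the account to match is passed as the first argument and defaults to LocalSystem; it reads the SERVICE_START_NAME line that sc qc prints for each service and compares it case-insensitively, so it works even where wmic is unavailable.

```batch
@echo off
setlocal EnableDelayedExpansion
:: Added example: walk every installed service with "sc query" and read the
:: "Log On As" account from the SERVICE_START_NAME line of "sc qc".
:: Assumption: the account to match is the first argument (default LocalSystem).
set "Target=%~1"
if not defined Target set "Target=LocalSystem"
set /a Matches=0

echo [AUDIT] Services configured to log on as "%Target%":
echo ------------------------------------------------
:: "sc query" prints one "SERVICE_NAME: <name>" line per service, starting in column 0.
:: The "=" after type/state must be escaped inside a for /f command string.
for /f "tokens=1* delims=: " %%N in ('sc query type^= service state^= all ^| findstr /b /c:"SERVICE_NAME:"') do (
    rem "sc qc" prints "        SERVICE_START_NAME : <account>"; split on the colon
    rem and drop the single space that follows it.
    for /f "tokens=1* delims=:" %%A in ('sc qc "%%O" ^| findstr /c:"SERVICE_START_NAME"') do (
        set "StartName=%%B"
        set "StartName=!StartName:~1!"
        if /i "!StartName!"=="%Target%" (
            echo %%O  [!StartName!]
            set /a Matches+=1
        )
    )
)
echo.
echo [INFO] %Matches% matching service(s).
endlocal
```

Save it as, for example, audit_startname.cmd and run audit_startname.cmd "NT AUTHORITY\LocalService"; the quotes are needed because the account name contains a space. Because it only calls sc, there is no backslash escaping to worry about, but it is slower than a single wmic query since it runs sc qc once per service.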
Problem: Backslash Escaping in WMIC
If you run wmic service where "StartName='NT AUTHORITY\LocalService'" with a single backslash, the query fails because WMI treats the backslash as an escape character.
Correct Way: Always use \\ when specifying accounts that contain a backslash in a wmic where-clause.
Best Practices and Security Rules
1. Identify "Over-Privileged" Services
As a best practice, services should follow the "Principle of Least Privilege." If you find a simple text-processing service running as a Domain Admin, you should investigate and consider moving it to a LocalService account.
2. Administrator Privileges
While basic WMI queries are allowed for standard users, to see the full list of all third-party and protected system services, you must run your Batch script as an Administrator.
3. Handle Localized Account Names
If you are working on a non-English machine, the NT AUTHORITY prefix might be translated (e.g., AUTORITE NT in French).
To make your script language-independent, match on known keywords such as LocalService and NetworkService (the account part after the backslash) rather than on the full, prefixed name.
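A language-independent version of the earlier "non-system" filter, added here as an example (not code from the original article). It follows the article's assumption that only the NT AUTHORITY prefix is translated, so it ignores the prefix and matches the account part after the backslash with a WQL LIKE pattern. Two batch details matter: a literal % (the WQL wildcard) must be written as %% in a batch file, and backslashes inside the WQL string are written as \\.

```batch
@echo off
:: Added example: list services whose "Log On As" account is not one of the three
:: built-in accounts, without depending on the (localized) "NT AUTHORITY" prefix.
:: Assumption (as stated in the article): only the prefix is translated; the account
:: part after the backslash (LocalService / NetworkService) is not.
:: "%%" passes a literal "%" to wmic; "\\" is an escaped backslash in WQL.
echo [SECURITY] Services not running as LocalSystem, LocalService or NetworkService:
echo.
wmic service where "StartName!='LocalSystem' and not StartName like '%%\\LocalService' and not StartName like '%%\\NetworkService'" get Name, StartName, State 2>nul
if %errorlevel% neq 0 (
echo [INFO] No custom-account services found, or query failed.
)
echo.
pause
```

The same LIKE patterns can be used in the PowerShell -Filter argument shown earlier (Get-WmiObject Win32_Service -Filter "..."), where a literal % needs no doubling because PowerShell, not cmd, parses the string.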
Conclusions
Determining the "Log On" account for your services is a foundational task for Windows system administration and security auditing. By leveraging the StartName attribute in wmic, you can quickly map services to their identities. This visibility is essential for ensuring that your software environment is following security best practices and that your service accounts are correctly configured.