Get-WmiObject returns nothing in a PowerShell script running as scheduled task

Elamari 1 Reputation point
2022-03-02T14:39:53.287+00:00

This isn't a question, it's more of an answer. But after coming across whatever happened in
https://social.technet.microsoft.com/Forums/Windows/en-US/51ba12ae-fe5e-4664-b7e9-c48c819979c5/getwmiobject-returns-nothing-in-a-powershell-script-running-as-scheduled-task?forum=Offtopic
(top Google result) I wanted to just chuck this on the forum.

I was running a PowerShell script via Windows Task scheduler that was doing so;
$services = Get-WmiObject win32_service

The goal of this was to pop the array into a file after filtering out some services and making some changes to what's returned.

I created a domain service account domain\account and was running a scheduled PowerShell task invoking the relevant script, however
$services | Out-File -Filepath 'E:\Monitoring\Svc_Accounts\Services.txt'

was returning an entirely blank .txt file.

Running ISE as the service account and then running the script was producing results in the file, leading to a bit of confusion.

I resolved this issue by assigning a local server user account to the automated task instead of the domain account.
Turns out get-wmiobject doesn't play nice in an automated task being run by a domain user.

Hope this helps!

Windows Server PowerShell

2 answers

  1. Elamari 1 Reputation point
    2022-03-02T14:40:06.083+00:00

    I resolved this issue by assigning a local server user account to the automated task instead of the domain account.
    Turns out get-wmiobject doesn't play nice in an automated task being run by a domain user.


  2. MotoX80 32,911 Reputation points
    2022-03-03T14:21:31.17+00:00

    Try checking "Run with highest privileges" on the task.

    I would have expected a local account, and domain account, who are both members of the Administrators group to produce the same results. Unfortunately, I no longer have access to a domain to test with.

    This script will display service control manager permissions.

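    # Read the service control manager's security descriptor in SDDL form
    $MySDDL = (sc.exe sdshow scmanager)
    # DirectorySecurity is used here only to parse the SDDL, so the rights are listed under file-system names
    $NewAcl = New-Object System.Security.AccessControl.DirectorySecurity
    $NewAcl.SetSecurityDescriptorSddlForm($MySDDL)
    $NewAcl.Access                                 # show who has access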

    When you log on with any account you are "Interactive" which has the required permissions. Without "Run with highest privileges" you don't get Administrator access and instead the account is an "Authenticated User" which only has ReadData. That is not sufficient to enumerate the services.

    I don't know what's different with the local account.

    FileSystemRights  : ReadData, AppendData, WriteExtendedAttributes, ReadPermissions  
    AccessControlType : Allow  
    IdentityReference : NT AUTHORITY\INTERACTIVE  
    IsInherited       : False  
    InheritanceFlags  : None  
    PropagationFlags  : None  
      
      
    FileSystemRights  : ReadData  
    AccessControlType : Allow  
    IdentityReference : NT AUTHORITY\Authenticated Users  
    IsInherited       : False  
    InheritanceFlags  : None  
    PropagationFlags  : None  
      
      
    FileSystemRights  : ReadData, CreateFiles, AppendData, ReadExtendedAttributes, WriteExtendedAttributes,   
                        ExecuteFile, Delete, ReadPermissions, ChangePermissions, TakeOwnership  
    AccessControlType : Allow  
    IdentityReference : BUILTIN\Administrators  
    IsInherited       : False  
    InheritanceFlags  : None  
    PropagationFlags  : None  
    

    If you don't want to run the task with "Run with highest privileges", then you can use my script in this post to grant access to another group that you can add the domain account to.

    https://learn.microsoft.com/en-us/answers/questions/690654/non-administrative-user-need-access-on-service-con-1.html

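The permission listing in the second answer shows service control manager rights under file-system names because the SDDL is loaded into a DirectorySecurity object. As an added example (not code from the thread or from either poster), the script below decodes the same ACEs into SC_MANAGER_* access-right names and flags which ACEs grant service enumeration; the function name Get-ScmAccess and the sample SDDL string are constructed for illustration.

```powershell
# Added example: decode the SCM security descriptor into SC_MANAGER_* right names.
# Get-ScmAccess is a hypothetical helper name; $SampleSddl is constructed to match
# the three ACEs shown in the answer (Authenticated Users, Interactive, Administrators).
$SampleSddl = 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;KA;;;BA)'

# Access-mask bits as defined in winsvc.h / winnt.h
$ScmRights = [ordered]@{
    SC_MANAGER_CONNECT            = 0x00001
    SC_MANAGER_CREATE_SERVICE     = 0x00002
    SC_MANAGER_ENUMERATE_SERVICE  = 0x00004
    SC_MANAGER_LOCK               = 0x00008
    SC_MANAGER_QUERY_LOCK_STATUS  = 0x00010
    SC_MANAGER_MODIFY_BOOT_CONFIG = 0x00020
    DELETE                        = 0x10000
    READ_CONTROL                  = 0x20000
    WRITE_DAC                     = 0x40000
    WRITE_OWNER                   = 0x80000
}

function Get-ScmAccess {
    param(
        # Defaults to the live descriptor; sc.exe prints a blank line first, so join and trim.
        [string]$Sddl = ((sc.exe sdshow scmanager) -join '').Trim()
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        # Resolve the SID to a name where possible; keep the raw SID otherwise.
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        $mask  = $ace.AccessMask
        $names = foreach ($r in $ScmRights.GetEnumerator()) {
            if ($mask -band $r.Value) { $r.Key }
        }
        [pscustomobject]@{
            Trustee         = $who
            Type            = $ace.AceQualifier      # AccessAllowed / AccessDenied
            Mask            = '0x{0:X5}' -f $mask
            GrantsEnumerate = ($ace.AceQualifier -eq 'AccessAllowed') -and
                              [bool]($mask -band $ScmRights.SC_MANAGER_ENUMERATE_SERVICE)
            Rights          = $names -join ', '
        }
    }
}

# Run against the constructed sample; call Get-ScmAccess with no arguments on a
# server to read the live descriptor instead.
Get-ScmAccess -Sddl $SampleSddl | Format-List
```

Effective access is the union of the ACEs matching every SID in the task's token, so compare the trustees flagged here against `whoami /groups` output captured from inside the scheduled task.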