DscResources/MSFT_ServiceResource/MSFT_ServiceResource.psm1
# Suppressed as per PSSA Rule Severity guidelines for unit/integration tests: # https://github.com/PowerShell/DscResources/blob/master/PSSARuleSeverities.md [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] param () Import-Module -Name (Join-Path -Path (Split-Path -Path $PSScriptRoot -Parent) ` -ChildPath 'CommonResourceHelper.psm1') # Localized messages for Write-Verbose statements in this resource $script:localizedData = Get-LocalizedData -ResourceName 'MSFT_ServiceResource' <# .SYNOPSIS Get the current status of a service. .PARAMETER Name Indicates the service name to retrieve. Note that sometimes this is different from the display name. You can get a list of the services and their current state with the Get-Service cmdlet. #> function Get-TargetResource { [OutputType([System.Collections.Hashtable])] [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [String] $Name ) if (Test-ServiceExists -Name $Name -ErrorAction SilentlyContinue) { Write-Verbose -Message 'Service exists - getting service' $service = Get-ServiceResource -Name $Name $serviceWmi = Get-Win32ServiceObject -Name $Name $builtInAccount = $null if ($serviceWmi.StartName -ieq 'LocalSystem') { $builtInAccount ='LocalSystem' } elseif ($serviceWmi.StartName -ieq 'NT Authority\NetworkService') { $builtInAccount = 'NetworkService' } elseif ($serviceWmi.StartName -ieq 'NT Authority\LocalService') { $builtInAccount = 'LocalService' } $dependencies = @() foreach ($serviceDependedOn in $service.ServicesDependedOn) { $dependencies += $serviceDependedOn.Name.ToString() } return @{ Name = $service.Name StartupType = ConvertTo-StartupTypeString -StartMode $serviceWmi.StartMode BuiltInAccount = $builtInAccount State = $service.Status.ToString() Path = $serviceWmi.PathName DisplayName = $service.DisplayName Description = $serviceWmi.Description DesktopInteract = $serviceWmi.DesktopInteract Dependencies = $dependencies Ensure = 'Present' } } else { Write-Verbose -Message 'Service with given name does not exist' return @{ Name = $service.Name Ensure = 'Absent' } } } # function Get-TargetResource <# .SYNOPSIS Creates, updates or removes a service. .PARAMETER Name Indicates the name of the service to create, update, or remove. Note that sometimes this is different from the display name. You can get a list of the services and their current state with the Get-Service cmdlet. .PARAMETER Ensure Specifies whether the service should exist or not. Optional. Defaults to Present. .PARAMETER Path The path to the service executable file. Optional. .PARAMETER StartupType Indicates the startup type for the service. Optional. .PARAMETER BuiltInAccount Indicates the sign-in account to use for the service. Optional. .PARAMETER Credential The credential to run the service under. Optional. .PARAMETER DesktopInteract Indicates whether the service can create or communicate with a window on the desktop or not. Must be false for services not running as LocalSystem. Optional. Defaults to false. .PARAMETER State Indicates the state the service should be in. Optional. Default is Running. .PARAMETER DisplayName The display name of the service. Optional. .PARAMETER Description The description of the service. Optional. .PARAMETER Dependencies An array of strings indicating the names of the dependencies of the service. Optional. .PARAMETER StartupTimeout The time to wait for the service to start in milliseconds. Optional. Default is 3000. .PARAMETER TerminateTimeout The time to wait for the service to stop in milliseconds. Optional. Default is 3000. #> function Set-TargetResource { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [String] $Name, [ValidateSet('Present', 'Absent')] [String] $Ensure = 'Present', [ValidateNotNullOrEmpty()] [String] $Path, [ValidateSet('Automatic', 'Manual', 'Disabled')] [String] $StartupType, [ValidateSet('LocalSystem', 'LocalService', 'NetworkService')] [String] $BuiltInAccount, [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential, [Boolean] $DesktopInteract, [ValidateSet('Running', 'Stopped', 'Ignore')] [String] $State = 'Running', [ValidateNotNullOrEmpty()] [String] $DisplayName, [ValidateNotNull()] [String] $Description, [ValidateNotNullOrEmpty()] [String[]] $Dependencies, [uint32] $StartupTimeout = 30000, [uint32] $TerminateTimeout = 30000 ) if ($PSBoundParameters.ContainsKey('StartupType')) { # Throw an exception if the requested StartupType conflicts with State Test-StartupType -Name $Name -StartupType $StartupType -State $State } $serviceExists = Test-ServiceExists -Name $Name -ErrorAction SilentlyContinue if (($Ensure -eq 'Absent') -and $serviceExists) { # The service exists but needs to be deleted Stop-ServiceResource -Name $Name -TerminateTimeout $TerminateTimeout Remove-Service -Name $Name -TerminateTimeout $TerminateTimeout return } if ($PSBoundParameters.ContainsKey('Path') -and $serviceExists) { if (-not (Compare-ServicePath -Name $Name -Path $Path)) { # Update the path - this is not yet supported, but could be Write-Verbose -Message ($script:localizedData.ServiceExecutablePathChangeNotSupported) } } elseif ($PSBoundParameters.ContainsKey('Path') -and -not $serviceExists) { $argumentsToNewService = @{} $argumentsToNewService.Add('Name', $Name) $argumentsToNewService.Add('BinaryPathName', $Path) try { New-Service @argumentsToNewService } catch { Write-Verbose -Message ($script:localizedData.TestStartupTypeMismatch ` -f $argumentsToNewService['Name'], $_.Exception.Message) throw $_ } } elseif (-not $PSBoundParameters.ContainsKey('Path') -and -not $serviceExists) { New-InvalidArgumentException ` -Message ($script:localizedData.ServiceDoesNotExistPathMissingError -f $Name) ` -ArgumentName 'Path' } # Update the parameters of the service $writeWritePropertiesArguments = @{ Name = $Name } $parameterNames = @('Path', 'StartupType', 'BuiltInAccount', 'Credential', 'DesktopInteract', 'DisplayName', 'Description', 'Dependencies') foreach ($parameter in $parameterNames) { if ($PSBoundParameters.ContainsKey($parameter)) { $writeWritePropertiesArguments[$parameter] = $PSBoundParameters[$parameter] } } $requiresRestart = Write-WriteProperty @writeWritePropertiesArguments if ($State -eq 'Stopped') { # Ensure service is stopped Stop-ServiceResource -Name $Name -TerminateTimeout $TerminateTimeout } elseif ($State -eq 'Running') { # if the service needs to be restarted then go stop it first if ($requiresRestart) { Write-Verbose -Message ($script:localizedData.ServiceNeedsRestartMessage -f $Name) Stop-ServiceResource -Name $Name -TerminateTimeout $TerminateTimeout } Start-ServiceResource -Name $Name -StartupTimeout $StartupTimeout } } # function Set-TargetResource <# .SYNOPSIS Tests if a service is in the desired state. .PARAMETER Name The name of the service to be tested. Note that sometimes this is different from the display name. You can get a list of the services and their current state with the Get-Service cmdlet. .PARAMETER Ensure Specifies whether the service should exist or not. Optional. Defaults to Present. If set to Absent, only the existence of the service will be checked. .PARAMETER Path Indicates what the path to the service executable file should be. Optional. .PARAMETER StartupType Indicates what the startup type for the service should be. Optional. .PARAMETER BuiltInAccount Indicates what the sign-in account to use for the service should be. Optional. .PARAMETER Credential Indicates the credential that the service should run under. Optional. .PARAMETER DesktopInteract Indicates if the service should be able to create or communicate with a window on the desktop. Must be false for services not running as LocalSystem. Optional. .PARAMETER State Indicates the state that the service should be in. Optional. Default is Running. .PARAMETER DisplayName The display name that the service should have. Optional. .PARAMETER Description The description that the service should have. Optional. .PARAMETER Dependencies An array of strings indicating the names of the dependencies that the service should have. Optional. .PARAMETER StartupTimeout Not used in Test-TargetResource. .PARAMETER TerminateTimeout Not used in Test-TargetResource. #> function Test-TargetResource { [OutputType([Boolean])] [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [String] $Name, [ValidateSet('Present', 'Absent')] [String] $Ensure = 'Present', [ValidateNotNullOrEmpty()] [String] $Path, [ValidateSet('Automatic', 'Manual', 'Disabled')] [String] $StartupType, [ValidateSet('LocalSystem', 'LocalService', 'NetworkService')] [String] $BuiltInAccount, [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential, [Boolean] $DesktopInteract, [ValidateSet('Running', 'Stopped', 'Ignore')] [String] $State = 'Running', [ValidateNotNullOrEmpty()] [String] $DisplayName, [ValidateNotNull()] [String] $Description, [ValidateNotNullOrEmpty()] [String[]] $Dependencies, [uint32] $StartupTimeout = 30000, [uint32] $TerminateTimeout = 30000 ) if ($PSBoundParameters.ContainsKey('StartupType')) { # Throw an exception if the StartupTypeconflicts with the state Test-StartupType -Name $Name -StartupType $StartupType -State $State } $serviceExists = Test-ServiceExists -Name $Name -ErrorAction SilentlyContinue if ($Ensure -eq 'Absent') { Write-Verbose -Message $script:localizedData.NotCheckingOtherValuesEnsureAbsent return -not $serviceExists } if (-not $serviceExists) { Write-Verbose -Message $script:localizedData.ServiceDoesNotExist return $false } $service = Get-ServiceResource -Name $Name $serviceWmi = Get-Win32ServiceObject -Name $Name # Check the binary path if ($PSBoundParameters.ContainsKey('Path') -and ` (-not (Compare-ServicePath -Name $Name -Path $Path))) { Write-Verbose -Message ($script:localizedData.TestBinaryPathMismatch ` -f $serviceWmi.Name, $serviceWmi.PathName, $Path) return $false } # Check the optional parameters if ($PSBoundParameters.ContainsKey('DisplayName') -and ` ($DisplayName -ne $serviceWmi.DisplayName)) { Write-Verbose -Message ($script:localizedData.ParameterMismatch ` -f 'DisplayName', $serviceWmi.DisplayName, $DisplayName) return $false } if ($PSBoundParameters.ContainsKey('Description') -and ` ($Description -ne $serviceWmi.Description)) { Write-Verbose -Message ($script:localizedData.ParameterMismatch ` -f 'Description', $serviceWmi.Description, $Description) return $false } if ($PSBoundParameters.ContainsKey('Dependencies')) { $mismatchedDependencies = @(Compare-Object ` -ReferenceObject $service.ServicesDependedOn ` -DifferenceObject $Dependencies ` ) if ($mismatchedDependencies.Count -gt 0) { Write-Verbose -Message ($script:localizedData.ParameterMismatch ` -f 'Dependencies', ($service.ServicesDependedOn -join ','), ($Dependencies -join ',')) return $false } } if ($PSBoundParameters.ContainsKey('StartupType') -or ` $PSBoundParameters.ContainsKey('BuiltInAccount') -or ` $PSBoundParameters.ContainsKey('Credential') -or ` $PSBoundParameters.ContainsKey('DesktopInteract')) { $getUserNameAndPasswordArgs = @{} if ($PSBoundParameters.ContainsKey('BuiltInAccount')) { $null = $getUserNameAndPasswordArgs.Add('BuiltInAccount', $BuiltInAccount) } if ($PSBoundParameters.ContainsKey('Credential')) { $null = $getUserNameAndPasswordArgs.Add('Credential', $Credential) } $userName, $password = Get-UserNameAndPassword @getUserNameAndPasswordArgs if ($null -ne $userName -and ` -not (Test-UserName -ServiceWmi $serviceWmi -Username $userName)) { Write-Verbose -Message ($script:localizedData.TestUserNameMismatch ` -f $serviceWmi.Name, $serviceWmi.StartName, $userName) return $false } if ($PSBoundParameters.ContainsKey('DesktopInteract') -and ` ($serviceWmi.DesktopInteract -ne $DesktopInteract)) { Write-Verbose -Message ($script:localizedData.TestDesktopInteractMismatch ` -f $serviceWmi.Name, $serviceWmi.DesktopInteract, $DesktopInteract) return $false } if ($PSBoundParameters.ContainsKey('StartupType') -and ` $serviceWmi.StartMode -ine (ConvertTo-StartModeString -StartupType $StartupType)) { Write-Verbose -Message ($script:localizedData.TestStartupTypeMismatch ` -f $serviceWmi.Name, $serviceWmi.StartMode, $StartupType) return $false } } if (($State -ne $service.Status) -and ($State -ne 'Ignore')) { Write-Verbose -Message ($script:localizedData.TestStateMismatch ` -f $serviceWmi.Name, $service.Status, $State) return $false } return $true } # function Test-TargetResource <# .SYNOPSIS Tests if the given StartupType is valid with the State parameter of the service with the given Name. .PARAMETER Name The name of the service for which to check the StartupType and State (For error message only) .PARAMETER StartupType The StartupType to test. .PARAMETER State The State to test against. Default state is 'Running' #> function Test-StartupType { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [String] $Name, [Parameter(Mandatory = $true)] [ValidateSet('Automatic', 'Manual', 'Disabled')] [String] $StartupType, [ValidateSet('Running', 'Stopped', 'Ignore')] [String] $State = 'Running' ) if ($State -eq 'Stopped') { if ($StartupType -eq 'Automatic') { # State = Stopped conflicts with Automatic or Delayed New-InvalidArgumentException ` -Message ($script:localizedData.CannotStopServiceSetToStartAutomatically -f $Name) ` -ArgumentName 'State' } } elseif ($State -eq 'Running') { if ($StartupType -eq 'Disabled') { # State = Running conflicts with Disabled New-InvalidArgumentException ` -Message ($script:localizedData.CannotStartAndDisable -f $Name) ` -ArgumentName 'State' } } } # function Test-StartupType <# .SYNOPSIS Converts the StartupType String to the correct StartMode String returned in the Win32 service object. .PARAMETER StartupType The StartupType to convert. #> function ConvertTo-StartModeString { [OutputType([String])] [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateSet('Automatic', 'Manual', 'Disabled')] [String] $StartupType ) if ($StartupType -eq 'Automatic') { return 'Auto' } return $StartupType } # function ConvertTo-StartModeString <# .SYNOPSIS Converts the StartMode string returned in a Win32_Service object to the format expected by this resource. .PARAMETER StartMode The StartMode string to convert. #> function ConvertTo-StartupTypeString { [OutputType([String])] [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateSet('Auto', 'Manual', 'Disabled')] $StartMode ) if ($StartMode -eq 'Auto') { return 'Automatic' } return $StartMode } # function ConvertTo-StartupTypeString <# .SYNOPSIS Retrieves the Win32_Service object for the service with the given name. .PARAMETER Name The name of the service for which to get the Win32_Service object #> function Get-Win32ServiceObject { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateNotNullorEmpty()] $Name ) return Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" } # function Get-Win32ServiceObject <# .SYNOPSIS Sets the StartupType property of the given service to the given value. .PARAMETER Win32ServiceObject The Win32_Service object to set the StartupType to. .PARAMETER StartupType The StartupType to set #> function Set-ServiceStartMode { [CmdletBinding(SupportsShouldProcess = $true)] param ( [Parameter(Mandatory = $true)] [ValidateNotNull()] $Win32ServiceObject, [Parameter(Mandatory = $true)] [ValidateSet('Automatic', 'Manual', 'Disabled')] [String] $StartupType ) if ((ConvertTo-StartupTypeString -StartMode $Win32ServiceObject.StartMode) -ine $StartupType ` -and $PSCmdlet.ShouldProcess($Win32ServiceObject.Name, $script:localizedData.SetStartupTypeWhatIf)) { $changeServiceArguments = @{ StartMode = $StartupType } $changeResult = Invoke-CimMethod ` -InputObject $Win32ServiceObject ` -MethodName 'Change' ` -Arguments $changeServiceArguments if ($changeResult.ReturnValue -ne 0) { $innerMessage = ($script:localizedData.MethodFailed ` -f 'Change', 'Win32_Service', $changeResult.ReturnValue) $errorMessage = ($script:localizedData.ErrorChangingProperty ` -f 'StartupType', $innerMessage) New-InvalidArgumentException ` -Message $errorMessage ` -ArgumentName 'StartupType' } } } # function Set-ServiceStartMode <# .SYNOPSIS Writes all write properties if not already correctly set. Logs errors and respects WhatIf. .PARAMETER Name The name of the service to be updated. Note that sometimes this is different from the display name. You can get a list of the services and their current state with the Get-Service cmdlet. .PARAMETER Path The path to the service executable file. Optional. .PARAMETER StartupType Indicates the startup type for the service. Optional. .PARAMETER BuiltInAccount Indicates the sign-in account to use for the service. Optional. .PARAMETER Credential The credential to run the service under. Optional. .PARAMETER DesktopInteract The service can create or communicate with a window on the desktop. .PARAMETER DisplayName The display name of the service. Optional. .PARAMETER Description The description of the service. Optional. .PARAMETER Dependencies An array of strings indicating the names of the dependencies of the service. Optional. #> function Write-WriteProperty { [OutputType([System.Boolean])] [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateNotNull()] $Name, [System.String] [ValidateNotNullOrEmpty()] $Path, [System.String] [ValidateSet('Automatic', 'Manual', 'Disabled')] $StartupType, [System.String] [ValidateSet('LocalSystem', 'LocalService', 'NetworkService')] $BuiltInAccount, [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] [ValidateNotNull()] $Credential, [Boolean] $DesktopInteract, [ValidateNotNullOrEmpty()] [String] $DisplayName, [ValidateNotNull()] [String] $Description, [ValidateNotNullOrEmpty()] [String[]] $Dependencies ) $service = Get-Service -Name $Name $serviceWmi = Get-Win32ServiceObject -Name $Name $requiresRestart = $false # update binary path if ($PSBoundParameters.ContainsKey('Path')) { $writeBinaryArguments = @{ ServiceWmi = $serviceWmi Path = $Path } $requiresRestart = ($requiresRestart -or (Write-BinaryProperty @writeBinaryArguments)) } # update misc service properties $serviceprops = @{} if ($PSBoundParameters.ContainsKey('DisplayName') -and ` ($DisplayName -ne $serviceWmi.DisplayName)) { $serviceprops += @{ DisplayName = $DisplayName } } if ($PSBoundParameters.ContainsKey('Description') -and ` ($Description -ne $serviceWmi.Description)) { $serviceprops += @{ Description = $Description } } if ($serviceprops.count -gt 0) { $null = Set-Service -Name $Name @ServiceProps } # update the service dependencies if required if ($PSBoundParameters.ContainsKey('Dependencies')) { $mismatchedDependencies = @(Compare-Object ` -ReferenceObject $service.ServicesDependedOn ` -DifferenceObject $Dependencies) if ($mismatchedDependencies.Count -gt 0) { $changeServiceArguments = @{ ServiceDependencies = $Dependencies } $changeResult = Invoke-CimMethod ` -InputObject $serviceWmi ` -MethodName 'Change' ` -Arguments $changeServiceArguments if ($changeResult.ReturnValue -ne 0) { $innerMessage = ($script:localizedData.MethodFailed ` -f 'Change', 'Win32_Service', $changeResult.ReturnValue) $errorMessage = ($script:localizedData.ErrorChangingProperty ` -f 'Dependencies', $innerMessage) New-InvalidArgumentException ` -Message $errorMessage ` -ArgumentName 'Dependencies' } } } # update credentials if ($PSBoundParameters.ContainsKey('BuiltInAccount') -or ` $PSBoundParameters.ContainsKey('Credential') -or ` $PSBoundParameters.ContainsKey('DesktopInteract')) { $writeCredentialPropertiesArguments = @{ 'ServiceWmi' = $serviceWmi } if ($PSBoundParameters.ContainsKey('BuiltInAccount')) { $null = $writeCredentialPropertiesArguments.Add('BuiltInAccount', $BuiltInAccount) } if ($PSBoundParameters.ContainsKey('Credential')) { $null = $writeCredentialPropertiesArguments.Add('Credential', $Credential) } if ($PSBoundParameters.ContainsKey('DesktopInteract')) { $null = $writeCredentialPropertiesArguments.Add('DesktopInteract', $DesktopInteract) } Write-CredentialProperty @writeCredentialPropertiesArguments } # Update startup type if ($PSBoundParameters.ContainsKey('StartupType')) { Set-ServiceStartMode -Win32ServiceObject $serviceWmi -StartupType $StartupType } # Return restart status return $requiresRestart } # function Write-WriteProperty <# .SYNOPSIS Writes credential properties if not already correctly set. Logs errors and respects WhatIf. .PARAMETER ServiceWmi The WMI service of which to set the credentials. .PARAMETER BuiltInAccount Indicates the sign-in account to use for the service. Optional. .PARAMETER Credential The credential to update. Optional. .PARAMETER DesktopInteract Indicates whether the service can create or communicate with a window on the desktop. Must be false for services not running as LocalSystem. Optional. #> function Write-CredentialProperty { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateNotNull()] $ServiceWmi, [System.String] [ValidateSet('LocalSystem', 'LocalService', 'NetworkService')] $BuiltInAccount, [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential, [Boolean] $DesktopInteract ) if (-not $PSBoundParameters.ContainsKey('Credential') -and ` -not $PSBoundParameters.ContainsKey('BuiltInAccount') -and ` -not $PSBoundParameters.ContainsKey('DesktopInteract')) { # No change parameters actually passed - nothing to change return } # These are the arguments to chnage on the service $changeArgs = @{} # Get the Username and Password to change to (if applicable) $getUserNameAndPasswordArgs = @{} if ($PSBoundParameters.ContainsKey('BuiltInAccount')) { $null = $getUserNameAndPasswordArgs.Add('BuiltInAccount',$BuiltInAccount) } if ($PSBoundParameters.ContainsKey('Credential')) { $null = $getUserNameAndPasswordArgs.Add('Credential',$Credential) } if ($getUserNameAndPasswordArgs.Count -gt 1) { # Both Credentials and BuiltInAccount were set - throw New-InvalidArgumentException ` -Message ($script:localizedData.OnlyOneParameterCanBeSpecified ` -f 'Credential', 'BuiltInAccount') ` -ArgumentName 'BuiltInAccount' } $userName, $password = Get-UserNameAndPassword @getUserNameAndPasswordArgs # If the user account needs to be changed add it to the arguments if (($null -ne $userName) -and ` -not (Test-UserName -ServiceWmi $ServiceWmi -Username $userName)) { # A specific user account was passed so set log on as a service policy if ($PSBoundParameters.ContainsKey('Credential')) { Set-LogOnAsServicePolicy -Username $userName } $changeArgs += @{ StartName = $userName StartPassword = $password } } # The desktop interact flag was passed to set that value if ($PSBoundParameters.ContainsKey('DesktopInteract') -and ` ($DesktopInteract -ne $ServiceWmi.DesktopInteract)) { $changeArgs.DesktopInteract = $DesktopInteract } if ($changeArgs.Count -gt 0) { $ret = Invoke-CimMethod ` -InputObject $ServiceWmi ` -MethodName 'Change' ` -Arguments $changeArgs if ($ret.ReturnValue -ne 0) { $innerMessage = ($script:localizedData.MethodFailed ` -f 'Change', 'Win32_Service',$ret.ReturnValue) $errorMessage = ($script:localizedData.ErrorChangingProperty ` -f 'Credential', $innerMessage) New-InvalidArgumentException ` -Message $errorMessage ` -ArgumentName 'Credential' } } } # function Write-CredentialProperty <# .SYNOPSIS Writes binary path if not already correctly set. Logs errors. returns false if the path is already set and true if it was not set. .PARAMETER ServiceWmi The WMI service of which to set the path .PARAMETER Path The Path to set for the service. Optional. #> function Write-BinaryProperty { [OutputType([System.Boolean])] [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateNotNull()] $ServiceWmi, [System.String] [ValidateNotNullOrEmpty()] $Path ) if ($ServiceWmi.PathName -eq $Path) { return $false } $changeServiceArguments = @{ PathName = $Path } $changeResult = Invoke-CimMethod ` -InputObject $serviceWmi ` -MethodName 'Change' ` -Arguments $changeServiceArguments if ($changeResult.ReturnValue -ne 0) { $innerMessage = ($script:localizedData.MethodFailed ` -f 'Change', 'Win32_Service', $changeResult.ReturnValue) $errorMessage = ($script:localizedData.ErrorChangingProperty ` -f 'Binary Path', $innerMessage) New-InvalidArgumentException ` -Message $errorMessage ` -ArgumentName 'Path' } return $true } # function Write-BinaryProperty <# .SYNOPSIS Returns true if the service's StartName matches $UserName .PARAMETER ServiceWmi The WMI service of which to check the username. .PARAMETER UserName The username of the user to compare the one in the WMI object with. #> function Test-UserName { [OutputType([System.Boolean])] [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateNotNull()] $ServiceWmi, [String] $UserName ) return ((Resolve-UserName -UserName $ServiceWmi.StartName) -ieq $UserName) } # function Test-UserName <# .SYNOPSIS If BuiltInAccount is provided, this will return the resolved username from BuiltInAccount. If Credential is provided, this will return the resolved username and password from Credential. If nothing is provided, this will return null for both username and password. If both parameters are provided the username from BuiltInAccount is returned. .PARAMETER BuiltInAccount The built in account to extract the username from. Optional .PARAMETER Credential The Credential to extract the username and password from. Optional. .OUTPUTS A tuple containing: [String] Username, [String] Password. #> function Get-UserNameAndPassword { [CmdletBinding()] param ( [System.String] [ValidateSet('LocalSystem', 'LocalService', 'NetworkService')] $BuiltInAccount, [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()] $Credential ) if ($PSBoundParameters.ContainsKey('BuiltInAccount')) { return (Resolve-UserName -UserName $BuiltInAccount.ToString()), $null } if ($PSBoundParameters.ContainsKey('Credential')) { return (Resolve-UserName -UserName $Credential.UserName), ` $Credential.GetNetworkCredential().Password } return $null, $null } # function Get-UserNameAndPassword <# .SYNOPSIS Deletes a service .PARAMETER Name The name of the service to delete. .PARAMETER TerminateTimeout The number of milliseconds to wait for the service to be removed. Optional. Default value is 3000. #> function Remove-Service { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateNotNull()] $Name, [ValidateNotNullOrEmpty()] [Int] $TerminateTimeout = 30000 ) # Delete the service & 'sc.exe' 'delete' "$Name" # Wait for the service to be deleted $serviceDeletedSuccessfully = $false $start = [DateTime]::Now while (-not $serviceDeletedSuccessfully -and ` ([DateTime]::Now - $start).TotalMilliseconds -lt $TerminateTimeout) { if (-not (Test-ServiceExists -Name $Name)) { $serviceDeletedSuccessfully = $true break } # The service was not deleted so wait a second and try again (unless TerminateTimeout is hit) Start-Sleep -Seconds 1 Write-Verbose -Message ($script:localizedData.TryDeleteAgain) } if ($serviceDeletedSuccessfully) { Write-Verbose -Message ($script:localizedData.ServiceDeletedSuccessfully -f $Name) } else { # Service was not deleted New-InvalidOperationException ` -Message ($script:localizedData.ErrorDeletingService -f $Name) } } # function Remove-Service <# .SYNOPSIS Starts a service if it is not already running. .PARAMETER Name The name of the service to start. .PARAMETER StartupTimeout The amount of time to wait for the service to start. #> function Start-ServiceResource { [CmdletBinding(SupportsShouldProcess = $true)] param ( [Parameter(Mandatory = $true)] [ValidateNotNullorEmpty()] [String] $Name, [Parameter(Mandatory = $true)] [uint32] $StartupTimeout ) $service = Get-ServiceResource -Name $Name if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Verbose -Message ($script:localizedData.ServiceAlreadyStarted -f $service.Name) return } if ($PSCmdlet.ShouldProcess($Name, $script:localizedData.StartServiceWhatIf)) { try { $service.Start() $waitTimeSpan = New-Object ` -TypeName TimeSpan ` -ArgumentList ($StartupTimeout * 10000) $service.WaitForStatus([System.ServiceProcess.ServiceControllerStatus]::Running, ` $waitTimeSpan) } catch { $servicePath = (Get-CimInstance -Class win32_service | Where-Object { $_.Name -eq $Name }).PathName $errorMessage = ($script:localizedData.ErrorStartingService ` -f $service.Name, $servicePath, $_.Exception.Message) New-InvalidOperationException -Message $errorMessage } Write-Verbose -Message ($script:localizedData.ServiceStarted -f $service.Name) } } # function Start-ServiceResource <# .SYNOPSIS Stops a service if it is not already stopped. .PARAMETER Name The name of the service to stop. .PARAMETER TerminateTimeout The amount of time to wait for the service to stop. #> function Stop-ServiceResource { [CmdletBinding(SupportsShouldProcess = $true)] param ( [Parameter(Mandatory = $true)] [ValidateNotNullorEmpty()] [String] $Name, [Parameter(Mandatory = $true)] [uint32] $TerminateTimeout ) $service = Get-ServiceResource -Name $Name if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Stopped) { Write-Verbose -Message ($script:localizedData.ServiceAlreadyStopped -f $service.Name) return } if ($PSCmdlet.ShouldProcess($Name, $script:localizedData.StopServiceWhatIf)) { try { $service.Stop() $waitTimeSpan = New-Object ` -TypeName TimeSpan ` -ArgumentList ($TerminateTimeout * 10000) $service.WaitForStatus([System.ServiceProcess.ServiceControllerStatus]::Stopped, ` $waitTimeSpan) } catch { Write-Verbose -Message ($script:localizedData.ErrorStoppingService ` -f $service.Name, $_.Exception.Message) throw $_ } Write-Verbose -Message ($script:localizedData.ServiceStopped -f $service.Name) } } # function Stop-ServiceResource <# .SYNOPSIS Converts the username returned from a Win32_service object to the format expected by this resource. .PARAMETER UserName The Username to convert. #> function Resolve-UserName { param ( [Parameter(Mandatory = $true)] [ValidateNotNullorEmpty()] [String] $UserName ) switch ($Username) { 'NetworkService' { return 'NT Authority\NetworkService' } 'LocalService' { return 'NT Authority\LocalService' } 'LocalSystem' { return '.\LocalSystem' } default { if ($UserName.IndexOf('\') -eq -1) { return '.\' + $UserName } } } return $UserName } # function Resolve-UserName <# .SYNOPSIS Tests if a service with the given name exists .PARAMETER Name The name of the service to test for. #> function Test-ServiceExists { [OutputType([Boolean])] [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [String] $Name ) $service = Get-Service -Name $Name -ErrorAction SilentlyContinue return ($null -ne $service) } # function Test-ServiceExists <# .SYNOPSIS Compares a path to the existing service path. Returns true when the given path is the same as the existing service path, false otherwise. .PARAMETER Name The name of the existing service for which to check the path. .PARAMETER Path The path to check against. #> function Compare-ServicePath { [OutputType([Boolean])] [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [String] $Name, [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [String] $Path ) $existingServicePath = (Get-CimInstance -Class win32_service | Where-Object { $_.Name -eq $Name }).PathName $stringCompareResult = [String]::Compare($Path, $existingServicePath, ` [System.Globalization.CultureInfo]::CurrentUICulture) return ($stringCompareResult -eq 0) } # function Compare-ServicePath <# .SYNOPSIS Retrieves the service with the given name. .PARAMETER Name The name of the service to retrieve #> function Get-ServiceResource { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [String] $Name ) $service = Get-Service -Name $Name -ErrorAction Ignore if ($null -eq $service) { New-InvalidArgumentException ` -Message ($script:localizedData.ServiceNotFound -f $Name) ` -ArgumentName 'Name' } return $service } # function Get-ServiceResource <# .SYNOPSIS Grants log on as service right to the given user .PARAMETER UserName The name of the user to grant log on as a service right to #> function Set-LogOnAsServicePolicy { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [String] $UserName ) $logOnAsServiceText = @" namespace LogOnAsServiceHelper { using Microsoft.Win32.SafeHandles; using System; using System.Runtime.ConstrainedExecution; using System.Runtime.InteropServices; using System.Security; public class NativeMethods { #region constants // from ntlsa.h private const int POLICY_LOOKUP_NAMES = 0x00000800; private const int POLICY_CREATE_ACCOUNT = 0x00000010; private const uint ACCOUNT_ADJUST_SYSTEM_ACCESS = 0x00000008; private const uint ACCOUNT_VIEW = 0x00000001; private const uint SECURITY_ACCESS_SERVICE_LOGON = 0x00000010; // from LsaUtils.h private const uint STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034; // from lmcons.h private const int UNLEN = 256; private const int DNLEN = 15; // Extra characteres for "\","@" etc. private const int EXTRA_LENGTH = 3; #endregion constants #region interop structures /// <summary> /// Used to open a policy, but not containing anything meaqningful /// </summary> [StructLayout(LayoutKind.Sequential)] private struct LSA_OBJECT_ATTRIBUTES { public UInt32 Length; public IntPtr RootDirectory; public IntPtr ObjectName; public UInt32 Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService; public void Initialize() { this.Length = 0; this.RootDirectory = IntPtr.Zero; this.ObjectName = IntPtr.Zero; this.Attributes = 0; this.SecurityDescriptor = IntPtr.Zero; this.SecurityQualityOfService = IntPtr.Zero; } } /// <summary> /// LSA string /// </summary> [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] private struct LSA_UNICODE_STRING { internal ushort Length; internal ushort MaximumLength; [MarshalAs(UnmanagedType.LPWStr)] internal string Buffer; internal void Set(string src) { this.Buffer = src; this.Length = (ushort)(src.Length * sizeof(char)); this.MaximumLength = (ushort)(this.Length + sizeof(char)); } } /// <summary> /// Structure used as the last parameter for LSALookupNames /// </summary> [StructLayout(LayoutKind.Sequential)] private struct LSA_TRANSLATED_SID2 { public uint Use; public IntPtr SID; public int DomainIndex; public uint Flags; }; #endregion interop structures #region safe handles /// <summary> /// Handle for LSA objects including Policy and Account /// </summary> private class LsaSafeHandle : SafeHandleZeroOrMinusOneIsInvalid { [DllImport("advapi32.dll")] private static extern uint LsaClose(IntPtr ObjectHandle); /// <summary> /// Prevents a default instance of the LsaPolicySafeHAndle class from being created. /// </summary> private LsaSafeHandle(): base(true) { } /// <summary> /// Calls NativeMethods.CloseHandle(handle) /// </summary> /// <returns>the return of NativeMethods.CloseHandle(handle)</returns> [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] protected override bool ReleaseHandle() { long returnValue = LsaSafeHandle.LsaClose(this.handle); return returnValue != 0; } } /// <summary> /// Handle for IntPtrs returned from Lsa calls that have to be freed with /// LsaFreeMemory /// </summary> private class SafeLsaMemoryHandle : SafeHandleZeroOrMinusOneIsInvalid { [DllImport("advapi32")] internal static extern int LsaFreeMemory(IntPtr Buffer); private SafeLsaMemoryHandle() : base(true) { } private SafeLsaMemoryHandle(IntPtr handle) : base(true) { SetHandle(handle); } private static SafeLsaMemoryHandle InvalidHandle { get { return new SafeLsaMemoryHandle(IntPtr.Zero); } } override protected bool ReleaseHandle() { return SafeLsaMemoryHandle.LsaFreeMemory(handle) == 0; } internal IntPtr Memory { get { return this.handle; } } } #endregion safe handles #region interop function declarations /// <summary> /// Opens LSA Policy /// </summary> [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)] private static extern uint LsaOpenPolicy( IntPtr SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out LsaSafeHandle PolicyHandle ); /// <summary> /// Convert the name into a SID which is used in remaining calls /// </summary> [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute] private static extern uint LsaLookupNames2( LsaSafeHandle PolicyHandle, uint Flags, uint Count, LSA_UNICODE_STRING[] Names, out SafeLsaMemoryHandle ReferencedDomains, out SafeLsaMemoryHandle Sids ); /// <summary> /// Opens the LSA account corresponding to the user's SID /// </summary> [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)] private static extern uint LsaOpenAccount( LsaSafeHandle PolicyHandle, IntPtr Sid, uint Access, out LsaSafeHandle AccountHandle); /// <summary> /// Creates an LSA account corresponding to the user's SID /// </summary> [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)] private static extern uint LsaCreateAccount( LsaSafeHandle PolicyHandle, IntPtr Sid, uint Access, out LsaSafeHandle AccountHandle); /// <summary> /// Gets the LSA Account access /// </summary> [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)] private static extern uint LsaGetSystemAccessAccount( LsaSafeHandle AccountHandle, out uint SystemAccess); /// <summary> /// Sets the LSA Account access /// </summary> [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)] private static extern uint LsaSetSystemAccessAccount( LsaSafeHandle AccountHandle, uint SystemAccess); #endregion interop function declarations /// <summary> /// Sets the Log On As A Service Policy for <paramref name="userName"/>, if not already set. /// </summary> /// <param name="userName">the user name we want to allow logging on as a service</param> /// <exception cref="ArgumentNullException">If the <paramref name="userName"/> is null or empty.</exception> /// <exception cref="InvalidOperationException">In the following cases: /// Failure opening the LSA Policy. /// The <paramref name="userName"/> is too large. /// Failure looking up the user name. /// Failure opening LSA account (other than account not found). /// Failure creating LSA account. /// Failure getting LSA account policy access. /// Failure setting LSA account policy access. /// </exception> public static void SetLogOnAsServicePolicy(string userName) { if (String.IsNullOrEmpty(userName)) { throw new ArgumentNullException("userName"); } LSA_OBJECT_ATTRIBUTES objectAttributes = new LSA_OBJECT_ATTRIBUTES(); objectAttributes.Initialize(); // All handles are delcared in advance so they can be closed on finally LsaSafeHandle policyHandle = null; SafeLsaMemoryHandle referencedDomains = null; SafeLsaMemoryHandle sids = null; LsaSafeHandle accountHandle = null; try { uint status = LsaOpenPolicy( IntPtr.Zero, ref objectAttributes, POLICY_LOOKUP_NAMES | POLICY_CREATE_ACCOUNT, out policyHandle); if (status != 0) { throw new InvalidOperationException("CannotOpenPolicyErrorMessage"); } // Unicode strings have a maximum length of 32KB. We don't want to create // LSA strings with more than that. User lengths are much smaller so this check // ensures userName's length is useful if (userName.Length > UNLEN + DNLEN + EXTRA_LENGTH) { throw new InvalidOperationException("UserNameTooLongErrorMessage"); } LSA_UNICODE_STRING lsaUserName = new LSA_UNICODE_STRING(); lsaUserName.Set(userName); LSA_UNICODE_STRING[] names = new LSA_UNICODE_STRING[1]; names[0].Set(userName); status = LsaLookupNames2( policyHandle, 0, 1, new LSA_UNICODE_STRING[] { lsaUserName }, out referencedDomains, out sids); if (status != 0) { throw new InvalidOperationException("CannotLookupNamesErrorMessage"); } LSA_TRANSLATED_SID2 sid = (LSA_TRANSLATED_SID2)Marshal.PtrToStructure(sids.Memory, typeof(LSA_TRANSLATED_SID2)); status = LsaOpenAccount(policyHandle, sid.SID, ACCOUNT_VIEW | ACCOUNT_ADJUST_SYSTEM_ACCESS, out accountHandle); uint currentAccess = 0; if (status == 0) { status = LsaGetSystemAccessAccount(accountHandle, out currentAccess); if (status != 0) { throw new InvalidOperationException("CannotGetAccountAccessErrorMessage"); } } else if (status == STATUS_OBJECT_NAME_NOT_FOUND) { status = LsaCreateAccount( policyHandle, sid.SID, ACCOUNT_ADJUST_SYSTEM_ACCESS, out accountHandle); if (status != 0) { throw new InvalidOperationException("CannotCreateAccountAccessErrorMessage"); } } else { throw new InvalidOperationException("CannotOpenAccountErrorMessage"); } if ((currentAccess & SECURITY_ACCESS_SERVICE_LOGON) == 0) { status = LsaSetSystemAccessAccount( accountHandle, currentAccess | SECURITY_ACCESS_SERVICE_LOGON); if (status != 0) { throw new InvalidOperationException("CannotSetAccountAccessErrorMessage"); } } } finally { if (policyHandle != null) { policyHandle.Close(); } if (referencedDomains != null) { referencedDomains.Close(); } if (sids != null) { sids.Close(); } if (accountHandle != null) { accountHandle.Close(); } } } } } "@ try { $null = [LogOnAsServiceHelper.NativeMethods] } catch { $logOnAsServiceText = $logOnAsServiceText.Replace('CannotOpenPolicyErrorMessage', ` $script:localizedData.CannotOpenPolicyErrorMessage) $logOnAsServiceText = $logOnAsServiceText.Replace('UserNameTooLongErrorMessage', ` $script:localizedData.UserNameTooLongErrorMessage) $logOnAsServiceText = $logOnAsServiceText.Replace('CannotLookupNamesErrorMessage', ` $script:localizedData.CannotLookupNamesErrorMessage) $logOnAsServiceText = $logOnAsServiceText.Replace('CannotOpenAccountErrorMessage', ` $script:localizedData.CannotOpenAccountErrorMessage) $logOnAsServiceText = $logOnAsServiceText.Replace('CannotCreateAccountAccessErrorMessage', ` $script:localizedData.CannotCreateAccountAccessErrorMessage) $logOnAsServiceText = $logOnAsServiceText.Replace('CannotGetAccountAccessErrorMessage', ` $script:localizedData.CannotGetAccountAccessErrorMessage) $logOnAsServiceText = $logOnAsServiceText.Replace('CannotSetAccountAccessErrorMessage', ` $script:localizedData.CannotSetAccountAccessErrorMessage) $null = Add-Type $logOnAsServiceText -PassThru -Debug:$false } if ($UserName.StartsWith('.\')) { $UserName = $UserName.Substring(2) } try { [LogOnAsServiceHelper.NativeMethods]::SetLogOnAsServicePolicy($UserName) } catch { $message = ($script:localizedData.ErrorSettingLogOnAsServiceRightsForUser ` -f $UserName, $_.Exception.Message) New-InvalidOperationException -Message $message } } # function Set-LogOnAsServicePolicy Export-ModuleMember -Function *-TargetResource |