How to find out why a Windows service stopped

It is not very common for Windows services to be stopped or disabled unexpectedly, but it does happen. The biggest problem is that there is no way to find out which process has stopped or updated Windows services on Windows 10.

That's when you need a program that can test those services. It is useful with custom services that are prone to these problems.

Windows Service Auditor

Windows Service Auditor is a free program that allows you to monitor those services. Windows Service Auditor will let you know which process has stopped, started, deleted or updated Windows Services. It will keep a record of the user, time and progress of making any changes.

Windows Service Auditor is a free, portable application that allows you to perform detailed tests. It can also look at Windows Event Logs and provide more insight.

Note: Windows provides some tools, but they are not very helpful to the general user. Tools like Event Viewer and AuditPol provide detailed views but are of little use unless you are an expert who can interpret them and debug these issues.

1. Initial setup

Picture 1: Set up Windows Service Auditor

Windows Service Auditor is a portable application, so download it and place it somewhere it will not be deleted. Also set the program to launch when the computer boots. Launch the application and you will see two sections: the list of Windows services and Event logs. Event logs shows any event log entries connected to the selected service.

Download Windows Service Auditor
//www.coretechnologies.com/products/WindowsServiceAuditor/

2. Enable advanced security checking

Windows does not include some advanced features in the default settings. You will need to enable advanced security checking to capture the details. The advantage of using Windows Service Auditor is that you can activate it immediately.

Click the Application menu and then select Enable Local Audit Policy. This option is enabled by default, but if you want to turn it off, this is the menu you need to access.

3. Monitor a service

Picture 2: Monitor a service

The final step is to select a service, then click the eye icon on the top menu to start tracking. Once enabled, notice the eye icon next to the service being monitored.

Select it and you will see the details in the Events section. They include every change made by a program or user, along with the timestamp. This feature cannot be enabled for many services and does not work for all services, only for those that are not under the control of the system.

You can also enable auditing for any service using the menu option available in the Service.


Is it possible to find out in Windows what the last restart time of a windows service is?


I was doing some fault finding, and I've discovered two services which should be set to automatic have been set to disabled.

What is the best way to find out who did this? It could be someone from my company, or it could be someone client-side. It would be enough to determine the user account.

I've had a look in the Windows Event Viewer, but, to be honest, I'm not sure what I'm looking for, and there is a lot to work through. Nothing has jumped out at me, but I suspect it's just that I don't know what I'm looking for.

How can the process/service that started or stopped a service be determined?

For example, I am finding that recently, the Computer Browser, Server, and Workstation services [as well as the function-discovery services] keep starting. I stop them, but then a few minutes later, they are running again. I have already tried disabling things like network shares, NetBIOS, Home Group, and every related thing that I can think of, but this [new] behavior is frustrating, and all the more so because I don’t know what is starting them. If I could figure out what process/service is starting them, then I would at least have a hint of where to look.

No, the Windows Event Log is not helpful because it says nothing about who/what started the service; the most information it gives is that Source field usually says Service Control Manager, but that says nothing about what asked the SC to start/stop the service.

Is there a way to have the Service Controller log state changes or something?

A Windows service, designed to run “headless” and unattended in the background, cannot easily employ conventional popup windows to report its activities, as a user may not even be logged on. Instead, a service is encouraged to send important communication to the Windows Event Log – an administrative utility that collects and stores messages and events. Once recorded, these messages can be very helpful in troubleshooting problems, for example when a service stops unexpectedly or when it fails to start at all.

Viewing Events from Windows Services

Use Microsoft’s Event Viewer to see messages written to the Event Log. Start the application by clicking on the Start button and typing in Event Viewer, or from the Control Panel [search for it by name]. The somewhat cluttered window should come up after a few seconds:



The left hand side shows a tree grouping the various logs captured on your machine. The events from Windows Services [and other applications running on your PC] are filed under Windows Logs > Application. Navigate to that section to load the events in the center of the window, with the entire list in the top and details of the highlighted event underneath:



Messages from your Windows service will have the display name of the service in the Source column.

Important Components of an Event

The Event Viewer shows over 10 pieces of information associated with each event, including:

  • Level – How important is this event?

    Each event is classified into one of three categories:

    Information: An informative yet unimportant event. You will probably see a lot of these, and they can be safely ignored unless you are digging into a specific issue from an application or service.

    Warning: A moderately important event. These don’t necessarily signify a failure, and your software will probably limp along, but they should be reviewed regularly to see if anything mentioned can be resolved.

    Error: Indicates a critical problem or failure that may deserve your immediate attention!

  • Date and Time – When did this event occur?
  • Source – Which application reported this event?

    As mentioned before, an event written by a Windows Service will contain the service’s display name as the Source.

  • Description – What happened?

    The full description shown prominently in the lower pane will [hopefully] provide the relevant details of the event.

For example, this information event is from the Interactive Services detection service [“UI0Detect”] reporting that Notepad is showing itself in Session 0:



Viewing Events about Windows Services

While the Application log keeps track of events from a running service, the Windows Logs > System area records when services are started, stopped, crash or fail to start. Look for events with the Source set to Service Control Manager [SCM]. For example, here is the SCM telling us that the Windows Print Spooler service has crashed:
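The System-log search described above, as an added PowerShell example that is not part of the original article: it lists Service Control Manager events for one service and resolves the recorded user SID to an account name. The function name, the sample display name 'Print Spooler' and the choice of event IDs are assumptions made for this example.

```powershell
# Added example, not from the original page. 'Print Spooler' is a sample
# display name; the IDs are standard Service Control Manager event IDs.
function Get-ServiceChangeEvent {
    [CmdletBinding()]
    param(
        # Display name (or part of it) as it appears in the event text.
        [Parameter(Mandatory)] [string] $DisplayName,
        # How many days back to search the System log.
        [int] $Days = 7
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        # 7031/7034: terminated unexpectedly, 7036: entered running or
        # stopped state, 7040: start type changed, 7045: service installed
        Id           = 7031, 7034, 7036, 7040, 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Escape wildcard characters so the name is matched literally.
    $pattern = '*' + [WildcardPattern]::Escape($DisplayName) + '*'
    # Get-WinEvent raises an error when nothing matches; suppress it.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like $pattern } |
        ForEach-Object {
            # UserId is a SID, or $null when the event recorded no user.
            $account = $null
            if ($_.UserId) {
                try {
                    $account = $_.UserId.Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch {
                    $account = $_.UserId.Value  # SID could not be resolved
                }
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Account = $account
                Message = $_.Message
            }
        }
}

# 7040 (start type changed, e.g. auto start -> disabled) is the event
# that usually carries the account that made the change.
Get-ServiceChangeEvent -DisplayName 'Print Spooler' -Days 30 |
    Where-Object Id -eq 7040 |
    Format-Table -AutoSize -Wrap
```

Events with an empty Account column recorded no user; the System log alone does not name the calling process for those.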



Viewing Events from AlwaysUp and Service Protector

Both AlwaysUp and Service Protector write messages to the Application section of the event logs [Windows Logs > Application].

For AlwaysUp, events from your application named “My Application” will be logged with Source set to My Application [managed by AlwaysUpService]. The Event Log Messages Page lists and explains the events reported.

For Service Protector, events related to your service named “MyService” will have a Source of ServiceProtector: MyService.

And for both applications, events related to the starting and stopping of the underlying services themselves appear in the Windows Logs > System section. Look there if you have a problem with AlwaysUp itself failing to start at boot.

