Find out who disabled a Windows service


Solution 1

When the start type of a service is changed, an event is recorded in the System event log, with ID 7040 and source Service Control Manager.

The user that performed the operation is displayed in the event (obfuscated in the screenshot below).

So you have to find those events in your event logs; hopefully you will directly have the user name.

If it is a generic user name, such as "administrator", then it's time to stop using generic accounts, and you'll have to correlate the date/time of the event with other info you can get from other logs (like Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, which can give you the source IP of a remote desktop session).

Solution 2

In Event Viewer, look in the "Windows Logs"->"System" event log, and filter for Source "Service Control Manager" and Event ID 7040. Find the event saying "The start type of the service was changed from original start type to disabled" for the service you're interested in. When you find that, the "User" listed in the details below is the user that has made that change.
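Both answers above describe the same manual procedure in Event Viewer. The following PowerShell script, which is an added example and not part of either answer, does the same search from the command line: it pulls every Service Control Manager 7040 event from the System log, keeps only those whose new start type is "disabled", resolves the recorded SID to an account name, and then, as Solution 1 suggests, looks in Microsoft-Windows-TerminalServices-LocalSessionManager/Operational for a Remote Desktop logon (event 21) or reconnect (event 25) by that account shortly before the change, so a generic account like "administrator" can at least be tied to a source IP. Assumptions made for illustration: the `$Days` and `$CorrelationMinutes` defaults are arbitrary, the event properties are read positionally following the message templates ("The start type of the %1 service was changed from %2 to %3", with the fourth property being the service key name; the RDP events carrying User, SessionID, Address in that order), and the start-type strings are the English ones.

```powershell
# Added example: find who set a service to "disabled" via SCM event 7040 and
# correlate with RDP logons for a source address. Not from the original answers.
# $ComputerName, $Days and $CorrelationMinutes are illustrative defaults (assumption).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30,
    [int]$CorrelationMinutes = 60
)

$since = (Get-Date).AddDays(-$Days)

function Resolve-Sid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    if (-not $Sid) { return '<no SID recorded>' }
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }   # deleted or foreign SID: show it raw rather than fail
}

# Filter on provider and ID at the source; the System log is large and 7040 is rare.
$scmEvents = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7040
    StartTime    = $since
} -ErrorAction SilentlyContinue

$disabled = foreach ($e in $scmEvents) {
    $p = $e.Properties
    # Assumption: p[0]=display name, p[1]=old start type, p[2]=new start type, p[3]=key name.
    # Only changes that ended in "disabled" matter for this question (English string assumed).
    if ($p[2].Value -notmatch 'disabled') { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Service     = $p[3].Value      # short key name, e.g. wuauserv
        DisplayName = $p[0].Value
        From        = $p[1].Value
        To          = $p[2].Value
        User        = Resolve-Sid $e.UserId   # SID from the event's <Security UserID=...>
    }
}

$disabled | Sort-Object Time | Format-Table -AutoSize

# RDP session logons (21) and reconnects (25) in the window before each change.
$rdp = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id        = 21, 25
    StartTime = $since.AddMinutes(-$CorrelationMinutes)
} -ErrorAction SilentlyContinue

foreach ($c in $disabled) {
    # Assumption: Properties[0] = DOMAIN\user, Properties[2] = source network address.
    $logon = $rdp | Where-Object {
        $_.TimeCreated -le $c.Time -and
        $_.TimeCreated -ge $c.Time.AddMinutes(-$CorrelationMinutes) -and
        $_.Properties[0].Value -eq $c.User
    } | Sort-Object TimeCreated -Descending | Select-Object -First 1

    if ($logon) {
        '{0:u}  {1} set to disabled by {2}; RDP logon at {3:u} from {4}' -f `
            $c.Time, $c.Service, $c.User, $logon.TimeCreated, $logon.Properties[2].Value
    } else {
        '{0:u}  {1} set to disabled by {2}; no RDP logon for that account in the preceding {3} min' -f `
            $c.Time, $c.Service, $c.User, $CorrelationMinutes
    }
}
```

Save it as a .ps1 and run it from an elevated prompt (reading the System log remotely needs Event Log Readers membership or equivalent on the target). Two caveats a practitioner should keep in mind: the operational TerminalServices log is small and rolls over quickly, so the RDP correlation only works for recent changes; and, as the comment below about Windows Installer illustrates, the account in a 7040 event is the security context that called the Service Control Manager, which may be a legitimate installer or automation running as that user rather than a person at a console.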


Author: Paul Brindley

I'm currently working as a Support Engineer in Scotland. My main experience has been in Java, VB6 and C#, with a little bit of SQL / Oracle thrown in the mix.

Updated on September 18, 2022

Comments

  • Paul Brindley almost 2 years

    I was doing some fault finding, and I've discovered two services which should be set to automatic have been set to disabled.

    What is the best way to find out who did this? It could be someone from my company, or it could be someone client-side. It would be enough to determine the user account.

    I've had a look in the Windows Event Viewer, but, to be honest, I'm not sure what I'm looking for, and there is a lot to work through. Nothing has jumped out at me, but I suspect it's just that I don't know what I'm looking for.

    • Paul Brindley about 7 years
      Thanks to those that gave me helpful answers. Found out who it was. Also turned out that they turned them off for a good reason and after the issue I am investigating took place. Back to program log files for more leads!
    • jpmc26 about 7 years
      For future readers (since this obviously isn't you, Paul): Just realize that assigning blame isn't typically a useful thing to do. It's fine to use this info to find out who you can ask questions and find out what's going on and maybe tell them why it's a bad idea, but avoid using this as an excuse to threaten or mistreat someone.
    • Paul Brindley about 7 years
      In this case I wanted to know because we manage the service, but the server belongs to the client and so it would have been useful to know if we messed up, or if the client's server team had changed something. In addition, I wanted to make sure that it was okay to turn it back on, after all I had assumed it was a mistake, but there might have been a good reason why that service should stop processing files. In the end the answer was yes, they were migrating a database so the service was turned off while the database was unavailable. But they forgot to turn it back on when they were done.
  • alvinjorrel over 4 years
    ...of course there's always that stupid bug where Windows sets it to 'disabled' until you reboot the server. The event log shows my username changing it to disabled. I can go into services, double-click the service, set it to automatic, hit OK, then refresh the services window a few times and it's magically 'disabled' again. Event Viewer says I did it. I've killed just about every process running as me and ensured no scheduled tasks are doing it. I think it's something related to Windows Installer.
  • Dave M over 2 years
    If you have a new question, please ask it by clicking the Ask Question button. Include a link to this question if it helps provide context. - From Review