Log username of who restarts a service


You're correct. In Event Viewer > System, the Service Control Manager no longer logs who starts and stops a service. You'll only see a message like "The Workstation service entered the running state." but nothing about what user/process/service caused it to start.

To audit who is starting and stopping services in Windows Server 2008 and later, you'll need to do some manual work as detailed here:

This is the method I have used to audit who is starting and stopping services on critical servers. Below are the steps to take to audit your desired service on a Windows Server. Please refer to the link for additional information.

To reach the security templates, log on to the server and open the Microsoft Management Console (MMC) Security Templates snap-in. To create a new template, right-click on the security templates path. Select New Template, click System Services, then double-click the appropriate service (i.e., Telnet). Select the Define this policy setting in the template check box, then click Edit Security to open the Security for Telnet dialog box that Figure 1 shows. This dialog box contains the service's ACL, which you can use to fine-tune who has start and stop authority. (For more information about permission to start and stop services, see "Troubleshooting problems with the Start, stop and pause permission," March 2002, InstantDoc ID 23964.)

Click Advanced, then select the Auditing tab in the Access Control Settings for Telnet dialog box, which Figure 2 shows. As you can see, no auditing is currently enabled on the Telnet service because auditing isn't enabled by default. Click Add, then add an entry to track successful start and stop events that members of Everyone initiate, as Figure 3 shows. Close all the dialog boxes, then save the template. Import the template into the MMC Security Configuration and Analysis snap-in, then apply the template. Now, you can check the Security log for event ID 560 (success audit: object open), where Object Type is SERVICE OBJECT, the Object Name is the short name of the service you're monitoring (in the case of the Telnet Service, TlntSvr), and the logged accesses include Start the service and Stop the service. In the example that Figure 4 shows, you can see that Joe stopped the Telnet service.
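Once the audit entry from the steps above is in place, the remaining work is reading the Security log and matching the service-object access events to a user. The PowerShell script below is an added example, not code from the answer or the linked article. It assumes the auditing SACL has already been applied as described, that it is run elevated on the audited server, and that the service short name (TlntSvr from the article's example) is passed in. Event ID 560 is the legacy Windows Server 2003 id the answer cites; on Windows Server 2008 and later the same "handle to an object was requested" audit is logged as event ID 4656, which is why both are queried. The access mask bits 0x10 (SERVICE_START) and 0x20 (SERVICE_STOP) are the standard service-specific access rights.

```powershell
# Added example (not from the answer): report who started or stopped an audited service
# by reading SERVICE OBJECT access audits from the Security log. Run from an elevated shell.
param(
    [string]$ServiceName = 'TlntSvr',               # short service name (article's example)
    [datetime]$Since = (Get-Date).AddDays(-7)       # how far back to look
)

# 560 = legacy (2003) object-open audit cited in the answer; 4656 = its 2008+ equivalent.
$filter = @{ LogName = 'Security'; Id = @(560, 4656); StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$SERVICE_START = 0x10   # service-specific access right: start the service
$SERVICE_STOP  = 0x20   # service-specific access right: stop the service

foreach ($e in $events) {
    # Pull the named EventData fields out of the event's XML rendering.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Only service-object audits for the service we care about.
    if ($data['ObjectType'] -ne 'SERVICE OBJECT') { continue }
    if ($data['ObjectName'] -ne $ServiceName)     { continue }

    # AccessMask is logged as a hex string such as 0x10; decode start/stop from it.
    $mask = [int]$data['AccessMask']
    $actions = @()
    if ($mask -band $SERVICE_START) { $actions += 'Start' }
    if ($mask -band $SERVICE_STOP)  { $actions += 'Stop' }
    if ($actions.Count -eq 0) { continue }          # e.g. query-status handles; not interesting here

    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Service = $data['ObjectName']
        Action  = ($actions -join ',')
        Process = $data['ProcessName']              # the process that opened the handle, e.g. services.msc or sc.exe
        EventId = $e.Id
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a record. If the script returns nothing even though the service has been restarted, the usual causes are that the SACL was not applied to the service object (re-check Figure 3's audit entry) or that object-access auditing is not enabled in the server's audit policy, so the SACL is never evaluated.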


Author by Menga

Updated on September 18, 2022

Comments

  • Menga
    Menga almost 2 years

    I'm looking for a simple way to log the username of someone that restarts a service on a server. This was possible in 2003, but I do not see a possibility in 2008 and 2012.