35

I was doing some fault finding, and I've discovered two services which should be set to automatic have been set to disabled.

What is the best way to find out who did this? It could be someone from my company, or it could be someone client-side. It would be enough to determine the user account.

I've had a look in the Windows Event Viewer, but, to be honest, I'm not sure what I'm looking for, and there is a lot to work through. Nothing has jumped out at me, but I suspect it's just that I don't know what I'm looking for.

3 Answers

47

When the start type of a service is changed, an event is recorded in the System event log, with ID 7040 and source Service Control Manager.

The user that performed the operation is displayed in the event (obfuscated in the screenshot below).

So you have to find those events in your event logs; hopefully you will directly have the user name.

If it is a generic user name, such as "administrator", then it's time to stop using generic accounts, and you'll have to correlate the date / time of the event with other info you could get from other logs (like Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, which can give you the source IP of a remote desktop session).

JFL
  • 2,058
14

In Event Viewer, look in the "Windows Logs"->"System" event log, and filter for Source "Service Control Manager" and Event ID 7040. Find the event saying "The start type of the service was changed from original start type to disabled" for the service you're interested in. When you find that, the "User" listed in the details below is the user that has made that change.

Pak
  • 919
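The two answers above describe the same lookup done by hand in Event Viewer. The following PowerShell script is an added example, not code from either answer, that performs it from the console: it pulls Service Control Manager 7040 events from the System log, shows which account changed a service to disabled, and, for cases where the account is a shared one, lists Remote Desktop session logon (21) and reconnect (25) events from the LocalSessionManager log in the minutes before the change, since those carry the source address. The field names `param1`..`param4` for the 7040 event data, the 30-minute correlation window and the assumption that the "to" value reads "disabled" (the text is localized) are assumptions made here.

```powershell
# Added example: attribute a service start-type change to an account, then to an RDP source.
# Assumes it runs as an administrator on the affected host, and that the 7040 EventData
# layout is param1 = display name, param2 = old start type, param3 = new start type,
# param4 = service key name (an assumption; check one event's XML on your host).
param(
    [int]$Days = 30,
    [int]$CorrelationMinutes = 30   # assumed window for matching RDP logons to the change
)

$since = (Get-Date).AddDays(-$Days)

# Every start-type change recorded by the Service Control Manager in the period
$changes = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7040
    StartTime    = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $account = $null
    if ($_.UserId) {
        # UserId is the SID of the caller; resolve it to DOMAIN\name where possible
        try   { $account = $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $_.UserId.Value }   # unresolvable SID: keep the raw value
    }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Service = $d['param4']
        Display = $d['param1']
        From    = $d['param2']
        To      = $d['param3']
        User    = $account
    }
}

# Keep only changes that ended in "disabled" (localized text; adjust for non-English hosts)
$disabled = $changes | Where-Object { $_.To -match 'disabled' }
$disabled | Format-Table -AutoSize

# RDP session logons (21) and reconnects (25); their UserData carries User and Address
$rdp = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id        = 21, 25
    StartTime = $since
} -ErrorAction SilentlyContinue

# For each disabling change, list sessions established shortly before it
foreach ($c in $disabled) {
    $window = $rdp | Where-Object {
        $_.TimeCreated -le $c.Time -and
        $_.TimeCreated -ge $c.Time.AddMinutes(-$CorrelationMinutes)
    }
    foreach ($s in $window) {
        $sx = [xml]$s.ToXml()
        [pscustomobject]@{
            ChangeTime = $c.Time
            Service    = $c.Service
            User       = $c.User
            RdpUser    = $sx.Event.UserData.EventXML.User
            SourceIP   = $sx.Event.UserData.EventXML.Address
            SessionEvt = $s.Id
        }
    }
}
```

Run it as `.\Find-ServiceDisable.ps1 -Days 14` (file name is arbitrary). A 7040 event with a generic account and no RDP session in the window usually means a local console logon or a remote management channel other than RDP, so widen the window or check the Security log's logon events for the same timestamp before concluding anything.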
0

If a process is running as SYSTEM, is there a way to know what process actually disabled the service? How may I know the process (using the SYSTEM credential) that disabled the service?