How to find out who started, stopped or restarted a specific Windows service through PowerShell

  • Question

  • How to find out who started, stopped or restarted a specific Windows service through PowerShell

    Ananda

    Monday, August 24, 2020 1:05 PM

All replies

  • This probably belongs in the PowerShell forum, but you will be able to find events relating to manual shutdown of services. However, since Windows 2003, I think they removed the logging of the user who was responsible. This log filters the last 100 events related to the Service Control Manager. As you can see, the username is blank or N/A.

    Get-Eventlog -source "Service Control manager" -LogName System -Newest 100 | Select message, timegenerated, username | Out-GridView


    Seth

    A user just like you

    Tuesday, August 25, 2020 3:29 AM
  • Hi Seth,

    Thanks for the reply, but it's not working; whenever I run this script, the errors are coming.

    I have just changed "Service Control manager" to "SplunkForwarder":

    PS C:\Windows\system32> Get-Eventlog -source "SplunkForwarder" -LogName System -Newest 10 | Select message, timegenerated, username | Out-GridView

    Get-Eventlog : No matches found
    At line:1 char:1
    + Get-Eventlog -source "SplunkForwarder" -LogName System -Newest 10 | S ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (:) [Get-EventLog], ArgumentException
        + FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Commands.GetEventLogCommand


    Ananda

    Tuesday, August 25, 2020 7:22 PM
  • @Amanda-M

    You need to keep "Service Control Manager" intact and try filtering for Splunk using Where-Object:

    Get-Eventlog -source "Service Control manager" -LogName System -Newest 100 | Select message, timegenerated, username | Where-Object Message -like "*Splunk*"


    Seth

    A user just like you

    Wednesday, August 26, 2020 3:44 PM
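The same lookup written with Get-WinEvent instead of the legacy Get-EventLog, as an added example that is not part of Seth's reply. It filters Service Control Manager event 7036 (service entered the running/stopped state) and reads the service name and new state from the event's EventData fields rather than matching on the localized Message text; the service display name in $ServiceDisplayName is an assumed value. The User column comes out empty, which is exactly the gap Seth describes: SCM does not record who requested the change.

```powershell
# Added example, not from the thread: list recent Service Control Manager
# state changes for one service. Event ID 7036 = "The <service> service
# entered the <running|stopped> state."
param(
    [string]$ServiceDisplayName = 'SplunkForwarder',  # assumed display name
    [int]$MaxEvents = 200
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036            # service state change (start/stop)
}

Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object {
        # 7036 carries the service display name in param1 and the new state in
        # param2; reading EventData avoids depending on the message wording.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Service     = $data['param1']
            State       = $data['param2']
            # Empty for SCM events: the System log does not record the requester,
            # which is why Security-log object-access auditing is needed instead.
            User        = $_.UserId
        }
    } |
    Where-Object Service -like "*$ServiceDisplayName*" |
    Format-Table -AutoSize
```

Run it as `.\Get-ServiceStateChanges.ps1 -ServiceDisplayName 'SplunkForwarder'` (the file name is arbitrary). If no 7036 events match, Get-WinEvent raises "No events were found", the Get-WinEvent equivalent of the "No matches found" error in the thread.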
  • Thanks for the reply.

    We are trying, but the user name is not coming, meaning which user restarted or stopped this service. Please find the snap below.



    Ananda

    Friday, August 28, 2020 11:52 AM
  • @AMANDA-M

    You should probably enable auditing on the service or services in question. Here is an example with SplunkForwarder (from an elevated command prompt):

    sc sdshow SplunkForwarder > Splunk.txt


    Open the text file, append this to the end, and copy the full string:

    (AU;SAFA;RPWPDT;;;WD)


    Now paste the full string into the sc sdset command like this:

    sc sdset SplunkForwarder D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)(AU;SAFA;RPWPDT;;;WD)


    Run the following commands to enable auditing:

    auditpol /set /category:"Object Access" /success:enable /failure:disable
    
    auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:disable

    You can manually test this (after hours or with a test server) by stopping the newly audited service:

    Go to Event Viewer --> Right-click Security and select Custom view --> Click XML Tab and Edit query manually check box --> Paste this code and save as StopSplunkView or something:

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4656)]] and *[EventData[Data[@Name='ObjectServer'] and (Data='SC Manager')]] and *[EventData[Data[@Name='ObjectType'] and (Data='SERVICE OBJECT')]] and *[EventData[Data[@Name='ObjectName'] and (Data='SplunkForwarder')]] and *[EventData[Data[@Name='AccessMask'] and (Data='0x24')]] </Select>
      </Query>
    </QueryList>

    This custom view will filter Event ID 4656 which will be logged with the username who shut down the service.


    Seth

    A user just like you


    • Edited by SethWH Friday, August 28, 2020 6:20 PM Clarity
    Friday, August 28, 2020 4:24 PM
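The manual sdshow / sdset / auditpol steps above, followed by the 4656 query, as one script. This is an added example and not Seth's code; it assumes the service name in $ServiceName and uses the same audit ACE, (AU;SAFA;RPWPDT;;;WD), which audits success and failure of start (RP), stop (WP) and pause/continue (DT) requests by Everyone (WD). Unlike the custom view, it does not pin AccessMask to 0x24, so start and pause/continue requests are reported as well as stop; the mask is decoded from the event data instead. Run it from an elevated PowerShell session, since writing a SACL and changing audit policy both require administrative rights.

```powershell
# Added example, not from the thread: add the SACL audit ACE to a service
# (idempotently), enable the audit subcategory, then report 4656 events with
# the requesting user. Must run elevated.
param(
    [string]$ServiceName = 'SplunkForwarder',   # assumed service name
    [int]$MaxEvents = 50
)

$auditAce = '(AU;SAFA;RPWPDT;;;WD)'   # same ACE as in the post

# 1. Read the current SDDL; sc.exe prints a blank line before the descriptor.
$sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^(O|G|D|S):' }).Trim()
if (-not $sddl) { throw "sc sdshow returned no SDDL for '$ServiceName'" }

if ($sddl -like "*$auditAce*") {
    Write-Host "Audit ACE already present on $ServiceName"
} else {
    # A descriptor with no SACL has no 'S:' section; create it before appending.
    if ($sddl -notmatch 'S:') { $sddl += 'S:' }
    $sddl += $auditAce
    & sc.exe sdset $ServiceName $sddl
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
}

# 2. Enable only the subcategory that emits 4656 for SC Manager handles; the
#    category-wide setting from the post also works but is far noisier.
& auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable /failure:disable | Out-Null

# 3. Query 4656 for this service. Same predicates as the custom view, minus AccessMask.
$xpath = @"
*[System[EventID=4656]]
 and *[EventData[Data[@Name='ObjectServer']='SC Manager']]
 and *[EventData[Data[@Name='ObjectType']='SERVICE OBJECT']]
 and *[EventData[Data[@Name='ObjectName']='$ServiceName']]
"@
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

# Service-specific access bits: 0x10 SERVICE_START, 0x20 SERVICE_STOP, 0x40 SERVICE_PAUSE_CONTINUE
$rights = @{ 0x10 = 'Start'; 0x20 = 'Stop'; 0x40 = 'PauseContinue' }

$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $mask = [int]$data['AccessMask']          # e.g. '0x24' -> 36
    $ops  = ($rights.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $rights[$_] }) -join ','
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Process     = $data['ProcessName']
        AccessMask  = ('0x{0:X}' -f $mask)
        Requested   = $ops
    }
} | Format-Table -AutoSize
```

4656 is a handle-open event, so it records the account that asked for the right (for example Stop), not whether the operation completed; pairing it with the 7036 state-change events in the System log confirms that the stop actually happened. Expect one 4656 per handle open, so a single "Stop" in services.msc can produce several rows with different masks.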