How do I log or view the log of who and when a windows service gets restarted

Question

We have an app that is associated with a service and we need to track when the service is being started stopped and restarted.

Answer 1

You "may" be able to see when a service is restarted, started, or stopped for third-party software. I can see when I restarted Adobe Acrobat Update Service and a local agent in the Application logs, Event ID = 0. Unfortunately, a third attempt at restarted another local agent service failed to show here.

A dive into our SIEM, I see that under the Security events, Event ID 4688 Process Creation, you can see all successful services being ran.

If you do not have a SIEM to review logs, just use Event Viewer. Open the Security events, filter on Event ID 4688, and then click Find... and search for "C:\Windows\System32\services.exe" which is the "Creator Process Name." This will show when any executable was started via services.

The above is the same service restart for Adobe as seen in the first picture, Application log.

As for seeing when a Service stops, in the Security events, look for Event ID 4689.

I hope this helps, Justin

Answer 2

Hi Berkley,

Thanks for your post.

As far as I know, we could check services start and stop messages Within the Event Viewer (Control Panel | Administrative Tools | Event Viewer) on the System tab the Service Control Manager logs who started and stop each event. You can definitely just query the Event Viewer's "System" log to look for those events for your Service. a service starts/stops Event ID 7040 or 7036 When you find that, the "User" listed in the details below is the user that has made that change.

Hope this helps.

Best Regards,

Ian Xue

---

If the Answer is helpful, please click "Accept Answer" and upvote it.