A Windows Service getting stopped or disabled is not very common, but it can happen. The biggest problem is that there is no way to find out which process stopped or updated a Windows Service on Windows 11/10. That is where you need a program that can audit such services. It comes in handy with custom services, which are more prone to these issues. Windows Service Auditor is a free program that lets you track such services. It will tell you which process stopped, started, deleted, or updated a Windows Service, and it keeps a log of the user, the time, and the process that made any change.
Find which process stopped or started Windows Services
Windows Service Auditor is a free, portable application that allows you to perform detailed auditing. It can also probe the Windows Event Logs to give better insight. Windows does offer some tools, but they don’t help a general consumer. Tools such as Event Viewer and AuditPol provide a detailed view, but they are not helpful to that audience. You need to be an expert to understand and debug those issues with them.
Features of Windows Service Auditor
- Works with domain computers, local and global audit policies
- Track which program stopped or deleted Windows Service
- Shows when the service was started
- Any startup error for the services
How to use Windows Service Auditor
Since this is a monitoring service, it cannot do everything on its own. You will have to choose which service should be tracked. You can also stop and start services from it if needed. Here is how to set up auditing of a service.
1] Initial Setup
It’s a portable application, so make sure to download and keep it in a place where it doesn’t get deleted. Also, set it to launch when the computer starts so that auditing doesn’t miss anything. Launch the application, and you will see two parts: the list of Windows Services and the event logs. The latter shows any event log entries connected to the selected service.
2] Enable Advanced Security Auditing
Windows doesn’t keep track of some advanced features under its default settings. You will need to enable advanced security auditing to capture the details. The good thing is that with Windows Service Auditor, you can enable it right away.
Click on the Application menu and select “Enable Local Audit Policy.” This option is enabled by default, but if you wish to disable it, this is the menu you need to access. With it enabled, Windows audits the following categories:
- Other Object Access
- Handle Manipulation
- Security System Extension
3] Monitor a Service
The last step is to select a service, and then click on the “Eye” icon on the top menu to start monitoring it. Once enabled, you will notice an “Eye” icon next to the service that is being monitored. Select it, and you will have details in the Events section. It will include all the changes a program or user makes, along with a timestamp. There is no way to enable it for multiple services at once, and it will not work for all services, only for those that are not under system control. With the audit policy in place, Windows will capture detailed audit events whenever anyone tries to start, stop, or update your service.
You can also enable auditing for any service using the menu option under services.
How Windows Service Auditor works on Domain Computers
While you can enable it on any computer that is part of the domain, there is one drawback. Any changes made by the Windows Service Auditor will be overwritten the next time the server refreshes the policy. You will have to manually update the Global Audit Policy again to enable advanced auditing. Microsoft has detailed documentation on how you can update the global Audit Policy.
As with local policy editing, you must configure the system to audit events in the Other Object Access, Handle Manipulation, and Security System Extension categories. They are available under Security Settings.
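To check whether the three audit subcategories are still enabled, for example after a domain policy refresh, the following PowerShell can be run from an elevated prompt. It is an added example, not part of Windows Service Auditor; the function name `Test-ServiceAuditPolicy` is hypothetical, and the subcategory names are the English ones that `auditpol` uses (they differ on localized Windows).

```powershell
# Added example: report (and optionally enable) the audit subcategories
# that service auditing depends on. Requires an elevated prompt.
function Test-ServiceAuditPolicy {          # hypothetical helper name
    param([switch]$Enable)

    # English subcategory names as used by auditpol (assumption: en-US system).
    $subcategories = 'Other Object Access Events',
                     'Handle Manipulation',
                     'Security System Extension'

    foreach ($name in $subcategories) {
        if ($Enable) {
            # Turn on success and failure auditing in the local policy.
            auditpol /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
        }

        # /r emits CSV; drop blank lines before parsing it.
        $row = auditpol /get /subcategory:"$name" /r |
               Where-Object { $_.Trim() } |
               ConvertFrom-Csv

        if ($LASTEXITCODE -ne 0 -or -not $row) {
            throw "auditpol failed for '$name' (is the prompt elevated?)"
        }

        [pscustomobject]@{
            Subcategory = $row.Subcategory
            Setting     = $row.'Inclusion Setting'
            Audited     = $row.'Inclusion Setting' -ne 'No Auditing'
        }
    }
}

# Report the current effective setting for each subcategory.
Test-ServiceAuditPolicy | Format-Table -AutoSize
```

On a domain-joined computer, a row that reads `No Auditing` after `-Enable` was used earlier means the policy refresh has overwritten the local change.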
Download it from the official page.
How to determine who stopped a Windows Service?
To determine who stopped a Windows service, open Event Viewer, navigate to Windows Logs > System, and filter for event IDs related to the Service Control Manager (event ID 7040 for stop events). Check the details to identify the user responsible.
How to check Windows service restart history?
To check Windows service restart history, open “Event Viewer” and navigate to “Windows Logs” > “System.” Look for event IDs related to service restarts. Common IDs include 7036 and 7035, which indicate service events like starting, stopping, or restarting.
Where to check Windows service logs?
To check Windows service logs, go to Start > Control Panel > System and Security > Administrative Tools, then double-click Event Viewer. In Event Viewer, select the type of logs you wish to review, such as Windows Logs.
How do you check who disabled a Windows Service?
In Event Viewer, navigate to “Windows Logs” > “System” and filter by “Service Control Manager” with Event ID 7040. Locate events indicating “The start type of the service was changed” to see who disabled the service.
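The Event Viewer filtering described in the answers above can also be done from PowerShell. This is an added example, not taken from the original article: the function name `Get-ServiceChangeHistory` is hypothetical and `Print Spooler` is a constructed sample display name. It reads the event IDs the article mentions (7035, 7036, 7040) and shows the user whenever the event carries one.

```powershell
# Added example: list Service Control Manager events for one service.
function Get-ServiceChangeHistory {         # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [int]$Days = 7
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7035, 7036, 7040     # event IDs named in the article
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$DisplayName*" } |
        ForEach-Object {
            # Not every event carries a user SID; resolve it when present.
            $user = '(not recorded)'
            if ($_.UserId) {
                try   { $user = $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $user = $_.UserId.Value }   # unresolvable SID: show it raw
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                User    = $user
                Message = $_.Message
            }
        } |
        Sort-Object Time
}

# Constructed sample call: last 7 days of events for the Print Spooler service.
Get-ServiceChangeHistory -DisplayName 'Print Spooler' | Format-List
```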