2
After a service is stopped in Windows Server 2016 in the System Windows Event Log appears an event ID 7036 with a message like
The (ServiceName) service entered the (StatusName) state.
But in Windows 10 no "service stopped" event appears in the System Windows Event Log (no filters are applied).
Is there any way to turn these messages on in Windows 10?
Ganya
Posted 2018-03-05T06:24:03.057
Reputation: 25
1
It looks like 7036 event is missing from Windows desktop OS (starting from 8). However you can monitor process termination:
gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies - Local Group -> Detailed Tracking -> Audit Process Termination.
Alternatively you may try this solution.
But in this case, you will get event 4546 not only when the service starts or stops, but whenever something is trying to access it (e.g. when Services applet is open).
Michael Karsyan
Posted 2018-03-05T06:24:03.057
Reputation: 364
It does completely what I expected it to do. However, there is no additional information about the origin of the stop event, so for my particular case, described in the comment to the question, Event Log is useless (unfortunately). – Ganya – 2018-03-07T06:47:53.733
Actually, I am trying to resolve an issue related to my service: it suddenly receives a stop message of unknown origin. I did not stop it manually so I wanted to find out what happened to it and realized that there is no message about this in Event Log. – Ganya – 2018-03-05T06:24:15.340