The Core Technologies Blog

Our Software // Windows Services // 24×7 Operation


Q&A: What changed with my Windows Services?

Q&A: What changed with my Windows Services?
  How can I tell if someone updated the services on our Windows 2019 server? Do you have any tools for that?

— Sheldon P.

Hi Sheldon.

Since Windows Services run with high privileges, it’s very important to keep an eye on them. And because of their inherent power, services are a prized target for bad actors looking to hack your system.

Indeed, 2020’s SolarWinds supply chain exploit — one of the worst attacks in the past decade — featured a rogue Windows Service depositing malware in the background. A periodic review of the list of services could have identified the compromise months earlier.

Anyway, our free Windows Service Auditor is an excellent monitoring tool that can help you in your situation. Follow these instructions to keep a watchful eye on your mission-critical servers.

1. Download & run Windows Service Auditor

Windows Service Auditor is portable application, meaning that you don’t need to install it. Simply download the executable file and place it in a folder where you can easily find it.

Double-click the file to start it. In a few seconds, a window listing all your Windows Services will appear:

Windows Service Auditor

2. Update your computer’s security policy to allow advanced auditing

By default, Windows does not keep track all changes made to Windows Services. That capability must be enabled via advanced security audit policies. Specifically, you need to watch for:

Windows Service Auditor makes it easy to enable that auditing in your local policy. To do so, open the Application menu and ensure that the Enable Local Audit Policy entry is checked:

Enable Local Audit Policy settings

3. Enable auditing for important Windows Services, to track who starts/stops/changes them

Do you care about the activities of a specific Windows Service? Even though we have enabled advanced auditing in step 2, you must enable auditing for each service that you would like to monitor.

To enable auditing of a service in Windows Service Auditor, highlight the service and check the Selected Service > Enable Auditing menu entry:

Enable service auditing

With auditing in place for a service, the Windows Event logs will record an event whenever someone attempts to start, stop or modify the service. And to save you from hours of digging through the Event Viewer, Windows Service Auditor will collect those records in the lower Events panel:

Examining the Windows Update service

4. Capture a baseline snapshot of all services running on your machine

To capture a snapshot of all the services running on your computer:

  1. Start Windows Service Auditor;

  2. Select All Services > Export (XML);

  3. Choose a file name where the services should be saved.

The file will contain an XML record for each service installed on your computer:

Windows Service Auditor: All services XML export

5. Compare future snapshots to the baseline, to identify changes

Whenever you want to check if any services have changed, you should:

  1. Create a new snapshot XML file, as described in the previous section;

  2. Using your favorite text comparison tool, compare the new snapshot to the baseline you established in the previous section.

The text comparison tool will highlight all changes that have taken place in between the snapshots.

We recommend using WinMerge — a free, mature text differencing tool for Windows.

For example, we established a baseline snapshot on December 29. On December 31, we wanted to see what changed with services so we took another snapshot. Afterwards, comparing the two snapshots with WinMerge identified 8 differences, including one showing that the TrustedInstaller service was stopped:

Compare service snapshots with WinMerge

Best of luck managing your system!

Posted in Windows Services | Tagged , , , , | Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *