Discover who started, stopped or changed your Windows Service

Easily find out who started, stopped or updated your Windows Services with Windows Service Auditor

Our free, portable utility enables advanced auditing and probes the Windows Event Logs to help you investigate your important services

Free For Windows 10/8 & Server 2019/2016/2012

It can be very difficult to figure out who (or what) keeps messing with your essential Windows Services.

Microsoft has provided a few administrative tools to help (such as auditpol and the Event Viewer) but they are poorly documented and can be tricky to configure.

So we created Windows Service Auditor — a free, easy-to-use application that shines a light on your services.

Use Windows Service Auditor to help you answer burning questions, such as:

  • Who stopped my Windows Service?
  • When was my service started?
  • Who deleted my service?
  • At what time did my service start?
  • Did my service encounter any errors after it was started?

The intuitive interface makes it super easy to perform your detective work:



How to use Windows Service Auditor

  1. Download Windows Service Auditor. Save the executable file on your desktop, or to another well-known location on your computer.

  2. Double-click the WindowsServiceAuditor.exe file to launch the program on your desktop. If necessary, confirm the User Account Control (UAC) security prompt to proceed:

  3. The window that comes up is divided into two parts. The upper pane lists every service installed on your computer, while the lower panel shows the events associated with the service selected in the upper pane.

    For example, here you can see the Windows Update service selected:

    Double-click a row in the lower panel to see the event's details:

  4. Unfortunately, the majority of the service events will not show the account that performed the operation. That is because Windows does not keep track of user information by default. You must enable advanced security auditing to capture that level of detail.

    Windows Service Auditor makes it easy to enable auditing for your service. Simply select Enable Auditing from the Service menu:

    You will be prompted if your computer's Local Audit Policy must be updated. Click OK to proceed:

  5. With the audit policy in place, Windows will capture detailed audit events whenever anyone tries to start, stop or update your service.

    For example, this event tells us that the "Administrator" account started the Windows Update service today at 4:43 PM:




Working with Local & Global Audit Policies

In order to track users who are starting, stopping or updating a Windows Service, several advanced security audit policies must be enabled. These include:

Windows Service Auditor will automatically update your computer's local audit policy the first time that you enable auditing for a service. From that point on, the Event Logs will capture detailed records related to your service.

Note: At any time, you can disable advanced auditing in the areas above by simply un-checking Enable Local Audit Policy, available from the Application menu:

Of course, that will disable auditing for all services.

Domain Computers: Update the Global Audit Policy

If your computer is part of a domain, any changes made by Windows Service Auditor will be overwritten the next time the policy is refreshed by the server. You will have to update the Global Audit Policy yourself to enable advanced auditing.

This guide describes how to update the Global Audit Policy. Configure the system to audit success events in the Other Object Access, Handle Manipulation and Security System Extension areas, which can all be found in the Security Settings / Advanced Audit Policy Configuration / Audit Policies / Object Access section.
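
To confirm from the command line that the three audit areas named above are active, and to list who requested access to a service, the following added example (not part of Windows Service Auditor or its documentation) uses auditpol and Get-WinEvent. It assumes English-locale subcategory names, and that audited service access is recorded as Security event 4656 with object server "SC Manager"; the service name wuauserv (Windows Update) is chosen to match the walkthrough.

```powershell
# Added example, not part of Windows Service Auditor. Run in an elevated PowerShell.
# Subcategory names are the English-locale names that auditpol accepts.
$subcategories = 'Other Object Access Events', 'Handle Manipulation', 'Security System Extension'

function Test-SuccessAuditing {
    param([string]$Subcategory)
    # /r prints CSV; the "Inclusion Setting" column reads "Success", "Failure",
    # "Success and Failure" or "No Auditing".
    $row = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv
    return ($row.'Inclusion Setting' -like '*Success*')
}

foreach ($name in $subcategories) {
    if (Test-SuccessAuditing $name) {
        Write-Host "[ok]      $name already audits success events"
        continue
    }
    auditpol /set /subcategory:"$name" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol could not update '$name' (elevated prompt?)" }
    Write-Host "[enabled] $name"
}

# Recent audited requests against one service. Assumed event shape: Security
# event 4656 whose ObjectServer is "SC Manager" and whose ObjectName is the
# service's short name. Returns nothing until auditing is enabled for the service.
$service = 'wuauserv'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.ObjectServer -eq 'SC Manager' -and $data.ObjectName -eq $service) {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Account = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process = $data.ProcessName
                Access  = $data.AccessMask
            }
        }
    }
```

On a domain-joined computer the `auditpol /set` change is local, so it is overwritten at the next policy refresh, as described above; there the first loop is useful only as a check.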


Download

Download Windows Service Auditor Version 1.7 New!

1.7 MB EXE
  • Ready-to-run/portable — no installation
  • For Windows 10/8 and Windows Server 2019/2016/2012