Easily find out who started, stopped or updated your Windows Services with Windows Service Auditor

It can be very difficult to figure out who (or what) keeps messing with your essential Windows Services.

Microsoft has provided a few administrative tools to help (such as auditpol and the Event Viewer) but they are poorly documented and can be tricky to configure.

So we created Windows Service Auditor — a free, easy-to-use application that shines a light on your services.

Use Windows Service Auditor to help you answer burning questions, such as:

The intuitive interface makes it super easy to perform your detective work:

How to use Windows Service Auditor

1. Download Windows Service Auditor. Save the executable file on your desktop, or to another well-known location on your computer.

2. Double-click the WindowsServiceAuditor.exe file to launch the program on your desktop. If necessary, confirm the standard User Account Control (UAC) security prompt to proceed:

   

3. The window that comes up is divided into two parts. The upper pane lists every service installed on your computer while the lower panel shows the events associated with the service selected in the upper pane.

   For example, here you can see the Windows Update service selected:

   

   Double-click a row in the lower panel to see the event's details:

   

4. Unfortunately the majority of the service events will not show the account that performed the operation. That is because Windows does not keep track of user information by default. You must enable advanced security auditing to capture that level of detail.

   Windows Service Auditor makes it easy to enable auditing for your service. Simply check Enable Auditing from the Service menu:

   

   You will be prompted if your computer's Local Audit Policy must be updated. Click OK to proceed:

   

5. With the audit policy in place, Windows will capture detailed audit events whenever anyone tries to start, stop or update your service.

   For example, this event tells us that "Mike Jones" stopped the Windows Update service today at 10:51 AM:

   

Exporting your services

Would you like to keep a record of the Windows Services installed on your machine? If so, select All Services > Export (XML) to have Windows Service Auditor save all your services to an XML file:

The XML will contain an entry for each service, including dependencies, recovery/failure options, triggers and more.

Note that you can select Selected Service > Export (XML) to save a single service instead.

Working with Local & Global Audit Policies

In order to track users who are starting, stopping or updating a Windows Service, several advanced security audit policies must be enabled. These include:

• Other Object Access
• Handle Manipulation
• Security System Extension

Windows Service Auditor will automatically update your computer's local audit policy the first time that you enable auditing for a service. From that point on, the Event Logs will capture detailed records related to your service.

Note: At any time, you can disable advanced auditing in the areas above by simply un-checking Enable Local Audit Policy, available from the Application menu:

Of course, that will disable auditing for all services.

Domain Computers: Update the Global Audit Policy

If your computer is part of a domain, any changes made by Windows Service Auditor will be overwritten the next time the policy is refreshed by the server. You will have to update the Global Audit Policy yourself to enable advanced auditing.

This guide describes how to update the Global Audit Policy. Configure the system to audit success events in the Other Object Access, Handle Manipulation and Security System Extension areas, which can all be found in the Security Settings / Advanced Audit Policy Configuration / Audit Policies / Object Access section.