Windows service stopping or deactivating is not very common, but can sometimes occur. The biggest problem here is that there is no way to know which process has stopped or updated Windows services on Windows 10. This is where you need a program that can audit these services. It is useful with personalized services more prone to these problems. Windows Service Auditor is a free program that lets you track these services. Windows Service Auditor will tell you which process has stopped, started, deleted, or updated Windows services. It will keep a log of the user, time and the process that made the changes.
Find the process that stopped or started Windows services
Windows Service Auditor is a free and portable application that allows you to perform a detailed audit. It can also probe Windows event logs for better insight. Windows offers some tools, but it doesn’t help the general public. Tools such as the Event Viewer and AuditPol provide a detailed view, but they are not useful. You must be an expert to understand and debug these problems.
Windows Service Auditor features
- Works with domain computers, local and global audit policies
- Track the program that stopped or removed the Windows service
- When did the service start and what time did it start
- Any startup error for services
How to use Windows Service Auditor
Since it is a surveillance service, it cannot do everything alone. You will have to choose the service to follow. At the same time, you can stop, start services if necessary. Here’s how to use the service configuration audit.
1]The initial configuration
It is a portable application, so be sure to download and keep it somewhere where it will not be deleted. Also, be sure to configure it to launch when the computer starts, so that the audit does not miss tracking. Launch the application and you will see two parts: the list of Windows services and the event logs. The latter reveals any event log connected to the selected service.
2]Enable advanced security auditing
Windows does not keep track of some of the advanced features as default settings. You will need to enable advanced security auditing to capture the details. The good thing is that using Windows Service Auditor; you can activate it immediately.
Click on the Application menu, then select “Activate local audit policy”. This option is automatically enabled by default, but if you want to disable it, this is the menu you need to access. By enabling this, Windows will now monitor the audit based on the following
- Access to other objects
- Handle handling
- Security system extension
3]Monitor a service
The last step is to select a service, then click on the “Eye” icon in the top menu to start monitoring it. Once activated, notice an “eye” icon next to the service that is being monitored. Select it and you will have details in the Events section. It will include all the modifications made by a program or a user with a time stamp. There is no way to activate it for multiple services, and it will not work for all services, but only those that are not under the control of the system. With the audit strategy in place, Windows captures detailed audit events every time someone tries to start, stop, or update your service.
You can also activate auditing for any service using the menu option available under services.
How Windows Service Auditor Works on Domain Computers
Although you can activate it on any computer in the domain, there is a downside. Any changes made by Windows Service Auditor will be overwritten the next time the server updates the policy. You will need to manually update the global audit policy again to enable advanced auditing. Microsoft has detailed documentation on how you can update the overall audit strategy.
Just like modifying the local policy, you will need to configure the system to audit events when accessing other objects, manipulating the handle and extending the security system. It is available under Security Settings.
Download it from Official page.
I hope the message was easy to follow and that you were able to activate Advanced security audit for Windows services on Windows 10.