发表新帖
发表新帖

Is it possible to log who started or stopped a windows service?

前端 未结
关注
5 1856
青春惊慌失措
青春惊慌失措 2020-12-16 12:21

I have some windows services written in C#. When somebody stops or starts the service, I would like to be able to determine who it was and log that information.

I t

相关标签:
5条回答
  • 傲寒
    2020-12-16 12:47
    • You can filter the System EventLog by Service Control Manager

    Event ID 7040 - covers Service start type change (eg disabled, manual, automatic)

    Event ID 7036 - covers Service start/stop

    For others that have PowerShell, you can use this:

    get-eventlog -source "Service Control manager" -LogName System | select message, timegenerated, username | Out-GridView

    0 讨论(0)
  • 面向向阳花
    2020-12-16 12:53

    Within the Event Viewer (Control Panel | Administrative Tools | Event Viewer) on the System tab the Service Control Manager logs who started and stop each event. I've just tested this myself and viewed the results. This leads me to two things:

    1. You may be able to query or hook those events from the Service Control Manager as they happen, or
    2. You can definitely just query the Event Viewer's "System" log to look for those events for your Service.

    Hope that leads you to your solution.

    0 讨论(0)
  • 南方客
    2020-12-16 12:55

    You can enable auditing according to this article

    http://windowsitpro.com/systems-management/access-denied-auditing-users-who-might-be-starting-and-stopping-services

    Additionally, it may be a good idea to alert email to yourself in OnStop() method.

    0 讨论(0)
  • 暗喜
    2020-12-16 13:05

    There probably isn't a way. Any of the normal .NET ways that you get at the environment's user are going to return the user whose credentials the service runs with (which will typically be SYSTEM, LOCAL SERVICE, NETWORK SERVICE, etc).

    How I'd probably do it is poll the system to see if a user is logged in, and assume that user did it. Of course, this discounts services that are shut down by the system for some reason (presumably your service would not be), and can only help you narrow it down if more than one user is logged in at one time (but then, you could always log both of them).

    0 讨论(0)
  • 半阙折子戏
    2020-12-16 13:11
    1. Just open Event Viewer (Start menu -> Search "Event" Event Viewer will come, open it)
    2. Expand 'Windows Log' on Event viewer left menu.
    3. Click on Application. (It will show your application error with description in 'general' tab.
    4. Again try to start your service and from event viewer see what is exact cause for stopping briefly in 'general' tab.
    0 讨论(0)
 看不清?
提交回复
热议问题