Posted by Will on April 28, 2008, 2:41 am
>> I would like other things, like the process id that started the service,
>> the user name /security context, name of program running in that process etc.
>>
>> We have programmers who could write this program, or we could go with a
>> script, but I'm trying to find something off the shelf first.
>
> I sort of doubt you are going to find all of that off-the-shelf Will.
> The reason is that you imply reading into the security log, as the
> history of who started / altered the service is not kept by the SCM
> so querying the SCM state will not show process that started etc.
> Also, just how much other than "service xyz entered started state"
> sort of event messages depends on OS version.
> You might want to think about guaranteeing sufficient items are
> logged to event logs, and then have a little monitoring service
> that uses eventing to subscribe to event log messages of interest.
> When a service transitions it could at least snapshot what is
> running on the system.
Roger, running with this idea, what level of Windows event auditing is
required to capture start and stop information for a service?
Will any audit setting guarantee an Event Viewer message showing change of
the service start status from - for example - Disabled to Automatic?
--
Will
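
The monitoring approach suggested in the quoted reply (subscribe to event log messages, snapshot the system when a service transitions), sketched as an added example that is not part of the original thread. It assumes the System log on the OS version in use records Service Control Manager events 7036 (state change) and 7040 (start type change); the output folder `C:\ServiceAudit` and the identifier `SvcWatch` are hypothetical names.

```powershell
# Added example: subscribe to Service Control Manager events and snapshot
# service context (PID, account, binary path) each time one is written.
# Assumption: events 7036 (state change) and 7040 (start type change) are
# logged to the System log on this OS version.
$xpath = "*[System[Provider[@Name='Service Control Manager'] and " +
         "(EventID=7036 or EventID=7040)]]"
$query = [System.Diagnostics.Eventing.Reader.EventLogQuery]::new(
    'System',
    [System.Diagnostics.Eventing.Reader.PathType]::LogName,
    $xpath)
$watcher = [System.Diagnostics.Eventing.Reader.EventLogWatcher]::new($query)

# Hypothetical output location for the snapshots.
$outDir = 'C:\ServiceAudit'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$action = {
    $rec = $EventArgs.EventRecord
    if ($null -eq $rec) { return }   # delivery error, no record to process

    # Current state of every service: process id, security context, program.
    $services = Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, State, StartMode, ProcessId, StartName, PathName

    $snapshot = [pscustomobject]@{
        EventId  = $rec.Id
        RecordId = $rec.RecordId
        Time     = $rec.TimeCreated
        Message  = $rec.FormatDescription()
        Services = $services
    }

    # One JSON file per event; RecordId keeps the file names unique.
    $name = '{0:yyyyMMdd-HHmmss}-{1}-{2}.json' -f $rec.TimeCreated, $rec.Id, $rec.RecordId
    $snapshot | ConvertTo-Json -Depth 4 |
        Set-Content -Path (Join-Path $Event.MessageData $name)
}

Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
    -SourceIdentifier SvcWatch -MessageData $outDir -Action $action | Out-Null
$watcher.Enabled = $true

# The session must stay open for the subscription to run. To stop:
#   $watcher.Enabled = $false; Unregister-Event -SourceIdentifier SvcWatch
```

The snapshot shows what each service is running as at the moment of the event; it does not by itself identify the process or user that requested the change, which is the part the quoted reply says the SCM does not keep.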