1

Does Windows 10 keep a log of when/which services were enabled/disabled?

How would a person locate this information?

Thanks!

Improve this question
4
  • serverfault.com/questions/855238/…
    – HelpingHand
    Commented Aug 17, 2020 at 13:42
  • 2
    Get-WinEvent -FilterHashtable @{logname='system'; id=7040} | Where-Object {$_.message -like "*to disabled*"}
    – HelpingHand
    Commented Aug 17, 2020 at 13:47
  • @HelpingHand, really, this suffices as a working answer... I'd just add run this in PowerShell ;-) One might also suggest using Nirsoft's Full Event Log Viewer, which has search capability.
    – DrMoishe Pippik
    Commented Aug 17, 2020 at 16:47
  • @DrMoishePippik - I added an answer. Thanks
    – HelpingHand
    Commented Aug 18, 2020 at 21:31

1 Answer 1

Reset to default
1

The Windows Event Log, available by running eventvwr, records interactions with the Service Control Manager. In this case we are interested in the System log, the Source is Service Control Manager and the EventID is 7040.

An example event, exported to XML is as follows:

Log Name:      System
Source:        Service Control Manager
Date:          17/08/2020 14:11:08
Event ID:      7040
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      asus
Description:
The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7040</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2020-08-17T13:11:08.7830390Z" />
    <EventRecordID>47575</EventRecordID>
    <Correlation />
    <Execution ProcessID="944" ThreadID="19856" />
    <Channel>System</Channel>
    <Computer>asus</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="param1">Background Intelligent Transfer Service</Data>
    <Data Name="param2">demand start</Data>
    <Data Name="param3">auto start</Data>
    <Data Name="param4">BITS</Data>
  </EventData>
</Event>

To export just the values of interest here, i.e. the CreationTime and Message, the following PowerShell command could be used:

Get-WinEvent -FilterHashtable @{logname='system'; id=7040} | Where-Object {$_.message -like "*disabled*"} | select TimeCreated, Message | Out-GridView

If you want to break up the parameters of the message, the following PowerShell could be used:

$Report = @()
foreach ($e in (Get-WinEvent -FilterHashtable @{logname="system"; id=7040}))
{
   $obj = [PSCustomObject]@{
    Time = $e.TimeCreated
    ServiceDisplayName = ([xml]$e.ToXml()).Event.SelectSingleNode("//*[@Name='param1']")."#text"
    OldState = ([xml]$e.ToXml()).Event.SelectSingleNode("//*[@Name='param2']")."#text"
    NewState = ([xml]$e.ToXml()).Event.SelectSingleNode("//*[@Name='param3']")."#text"
    ServiceName = ([xml]$e.ToXml()).Event.SelectSingleNode("//*[@Name='param4']")."#text"
   }
   $Report += $obj
}
$Report | Out-GridView
Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .