I'm having the same issue - Has anyone found a fix?
"Craig Williams" wrote:
> On Jan 28, 1:35 pm, Craig Williams <csw...@gmail.com> wrote:
> > In the 2003/XP days I'm used to seeing events 7035 AND 7036 in the
> > system log when someone stops or starts a service.
> > 7035 reported who sent the Stop/Start Control
> > 7036 reported the state of the service after that control command
> >
> > Event Type: Information
> > Event Source: Service Control Manager
> > Event Category: None
> > Event ID: 7035
> > Date: 1/27/2010
> > Time: 10:39:03 AM
> > User: ACME\csw1 <====== INFO I NEED
> > Computer: ILCH-68889
> > Description:
> > The Telnet service was successfully sent a start control.
> >
> > Event Type: Information
> > Event Source: Service Control Manager
> > Event Category: None
> > Event ID: 7036
> > Date: 1/27/2010
> > Time: 10:39:03 AM
> > User: N/A
> > Computer: ILCH-68889
> > Description:
> > The Telnet service entered the running state.
> >
> > The problem I'm having with Server 2008 is that it ONLY records a 7036
> > and I can't tell WHO did it because the 7035 is missing. I also
> > reviewed the security log on 2008, but was not able to find a
> > correlating event there to identify the who. How do you determine the
> > WHO did it under 2008?
> > Thanks in advance
> >
> > Log Name: System
> > Source: Service Control Manager
> > Date: 1/27/2010 3:10:58 PM
> > Event ID: 7036
> > Task Category: None
> > Level: Information
> > Keywords: Classic
> > User: N/A
> > Computer: Craig2008.acme.com
> > Description:
> > The World Wide Web Publishing Service service entered the running
> > state.
> > Event Xml:
> > <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> > <System>
> > <Provider Name="Service Control Manager" Guid="{555908D1-A6D7-4695-8E1E-26931D2012F4}" EventSourceName="Service Control Manager" />
> > <EventID Qualifiers="16384">7036</EventID>
> > <Version>0</Version>
> > <Level>4</Level>
> > <Task>0</Task>
> > <Opcode>0</Opcode>
> > <Keywords>0x80000000000000</Keywords>
> > <TimeCreated SystemTime="2010-01-27T21:10:58.000Z" />
> > <EventRecordID>39744</EventRecordID>
> > <Correlation />
> > <Execution ProcessID="0" ThreadID="0" />
> > <Channel>System</Channel>
> > <Computer>Craig2008.acme.com</Computer>
> > <Security />
> > </System>
> > <EventData>
> > <Data Name="param1">World Wide Web Publishing Service</Data>
> > <Data Name="param2">running</Data>
> > </EventData>
> > </Event>
>
> Is there really no one that knows how to determine the user who
> stops/starts a service? MVPs?
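Added example, not part of the thread and not code from any poster or from Microsoft: the 7035/7036 pairing described in the quoted post, run over exported Event XML. It assumes a 7035 record, where one exists, uses the same element layout as the 7036 XML in the post, with `param2` holding the control sent and the actor in the `UserID` attribute of `<Security>`; the SID and the Telnet timestamps are constructed. A 7036 with no matching 7035 is returned with `None` as the actor, which is the Server 2008 case in the post.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed, not from the post

def parse_scm_event(xml_text):
    """Pull the attribution fields from one record; user_sid is None for <Security />."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    sec = system.find("e:Security", NS)
    return {
        "id": int(system.find("e:EventID", NS).text),
        "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),
        "host": system.find("e:Computer", NS).text,
        "service": data.get("param1"), "detail": data.get("param2"),
        "user_sid": sec.get("UserID") if sec is not None else None,
    }

def attribute_state_changes(events, window=timedelta(seconds=5)):
    """Pair each 7036 with the latest 7035 for the same host and service within window."""
    last_control, results = {}, []
    for ev in sorted(events, key=lambda e: (e["time"], e["id"])):  # 7035 first on ties
        key = (ev["host"], ev["service"])
        if ev["id"] == 7035:
            last_control[key] = ev
        elif ev["id"] == 7036:
            ctl = last_control.get(key)
            who = ctl["user_sid"] if ctl and ev["time"] - ctl["time"] <= window else None
            results.append((ev["host"], ev["service"], ev["detail"], who))
    return results

def sample_event(event_id, when, host, p1, p2, sid=None):
    """Build a constructed record with the element layout of the XML in the post."""
    sec = f'<Security UserID="{sid}" />' if sid else "<Security />"
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}" /><Computer>{host}</Computer>{sec}'
            f'</System><EventData><Data Name="param1">{p1}</Data>'
            f'<Data Name="param2">{p2}</Data></EventData></Event>')

SAMPLES = [
    sample_event(7035, "2010-01-27T16:39:03.000Z", "ILCH-68889", "Telnet", "start", SID),
    sample_event(7036, "2010-01-27T16:39:03.000Z", "ILCH-68889", "Telnet", "running"),
    sample_event(7036, "2010-01-27T21:10:58.000Z", "Craig2008.acme.com",
                 "World Wide Web Publishing Service", "running"),
]

print(attribute_state_changes(parse_scm_event(x) for x in SAMPLES))
```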