Auditing Services

[Tony Stark]

Hello,

I have been given the task to audit when someone turns off
a service on a Win2K server and possibly who the user
might be, does anyone know how I could accomplish this? I
do not know of any way to do this in Windows Auditing.

Thank you,
Tony

 

[Steven L Umbach]

I believe you will find those events in the system log of Event Viewer. --- Steve

 

[Tony Stark]

Thanks for the reply Steve, The service isn't showing up
in the logs, it is a service installed by an application.
Do you think there is a way to do a registry hack to force
the notification of the service shutdown?

Thank you,

Tony

 

[Steven L Umbach]

Hi Tony. The only thing I can think of, if you have not done so, is to enable
auditing of system events for that machine. I have that enabled on one of my test
machines and it records every service being stopped/started - even non default ones
such as Norton, personal firewall, and Nvidia driver helper. --- Steve

http://www.microsoft.com/mspress/security/tips/041102.asp

 

[Tony Stark]

Eric,

Thank you very much! I am going to give this a try first
thing Thursday morning!! You are a lifesaver!! Are there
any articles around detailing this procedure? I have
printed out some whitepapers but they have been more "in
general" and not this deep. I can use this in so many ways!

It is reassuring to know you guys are watching the news
groups!

Thank you again!

Tony