Who or What is Stopping a Service?

[Brad Berson]

I'm an admin for some Windows Server 2003 boxes and after some recent
changes (which backing out really is not an option), I'm finding that
on /some/ mornings one of the services mission-critical to the boxes
has been stopped.

The event log reveals that the service is being stopped on request, so
the feature for automatically restarting services does not help us.

I'm looking for a way to figure out what process - hopefully by EXE
name (and account if possible) is requesting this service to stop.

Any suggestions to help with this detective work?


Thanks,
-Brad

 

[Thota Umesh]

Hii, Use process explorer
[http://www.sysinternals.com/Utilities/ProcessExplorer.html] to view &
diagnose the services and other active programs and which programs are using
which files resources n services. so viewing on few program shd help u find
out which program is trying to stop the service.

Hope this helps..,
Umesh Thota.

 

[Joe User]

Process Explorer is a really, really cool program, but unless I'm
missing something it has no way of logging activity - it appears to be
realtime only.

If I get into the office at 9am and find that the service was shut
down at 7am it does not look like it will help me.

-Brad

Hii, Use process explorer
[http://www.sysinternals.com/Utilities/ProcessExplorer.html] to view &
diagnose the services and other active programs and which programs are using
which files resources n services. so viewing on few program shd help u find
out which program is trying to stop the service.

Hope this helps..,
Umesh Thota.

I'm an admin for some Windows Server 2003 boxes and after some recent
changes (which backing out really is not an option), I'm finding that
on /some/ mornings one of the services mission-critical to the boxes
has been stopped.

The event log reveals that the service is being stopped on request, so
the feature for automatically restarting services does not help us.

I'm looking for a way to figure out what process - hopefully by EXE
name (and account if possible) is requesting this service to stop.

Any suggestions to help with this detective work?


Thanks,
-Brad

 

[Thota Umesh]

Hmm yeah! i tht ur services was stoppin on boot or soon after. check
eventvwr.msc (event viewer) as to which program or service is triggering
this!

Also check if ur recent changes are effecting depend services as to which ur
service stop is triggered, + see timestamps and so on. also is your
application a web based (internet) or an intranet / wan / etc just to rule
out few things.

Process Explorer is a really, really cool program, but unless I'm
missing something it has no way of logging activity - it appears to be
realtime only.

If I get into the office at 9am and find that the service was shut
down at 7am it does not look like it will help me.

-Brad

Hii, Use process explorer
[http://www.sysinternals.com/Utilities/ProcessExplorer.html] to view &
diagnose the services and other active programs and which programs are
using
which files resources n services. so viewing on few program shd help u
find
out which program is trying to stop the service.

Hope this helps..,
Umesh Thota.

I'm an admin for some Windows Server 2003 boxes and after some recent
changes (which backing out really is not an option), I'm finding that
on /some/ mornings one of the services mission-critical to the boxes
has been stopped.

The event log reveals that the service is being stopped on request, so
the feature for automatically restarting services does not help us.

I'm looking for a way to figure out what process - hopefully by EXE
name (and account if possible) is requesting this service to stop.

Any suggestions to help with this detective work?


Thanks,
-Brad

 

[Joe User]

2003 is nice in that it does log all the service activities, but Event
Viewer was useful only to the point of verifying that the process
stoppage was not an abend, but a requested stop. No evidence of what
requested the service to stop, which is why I'm in a bind. I need
something at which to point a finger.

Picky details...

It's a Citrix Metaframe (Terminal Server) box. The service that's
stopping is IMAService, so if you know anything about Citrix you'll
know that's something of a show-stopper.

IMAService has the following dependencies:
RPCSS
LanmanServer
LanmanWorkstation
WMI

IMAService is a dependency of CitrixWMIService only.

Event Viewer showed no stoppage of any related services before the
stoppage of IMAService.

-Brad

Hmm yeah! i tht ur services was stoppin on boot or soon after. check
eventvwr.msc (event viewer) as to which program or service is triggering
this!

Also check if ur recent changes are effecting depend services as to which ur
service stop is triggered, + see timestamps and so on. also is your
application a web based (internet) or an intranet / wan / etc just to rule
out few things.

Process Explorer is a really, really cool program, but unless I'm
missing something it has no way of logging activity - it appears to be
realtime only.

If I get into the office at 9am and find that the service was shut
down at 7am it does not look like it will help me.

-Brad

Hii, Use process explorer
[http://www.sysinternals.com/Utilities/ProcessExplorer.html] to view &
diagnose the services and other active programs and which programs are
using
which files resources n services. so viewing on few program shd help u
find
out which program is trying to stop the service.

Hope this helps..,
Umesh Thota.

I'm an admin for some Windows Server 2003 boxes and after some recent
changes (which backing out really is not an option), I'm finding that
on /some/ mornings one of the services mission-critical to the boxes
has been stopped.

The event log reveals that the service is being stopped on request, so
the feature for automatically restarting services does not help us.

I'm looking for a way to figure out what process - hopefully by EXE
name (and account if possible) is requesting this service to stop.

Any suggestions to help with this detective work?


Thanks,
-Brad

 

[Thota Umesh]

Sorry, dont knw much abt citrix but u can try this: use PsService:
http://www.sysinternals.com/Utilities/PsService.html it contains many
features including dump service security descriptors or restarting a service
and many others use the feature to include in a schedule or a batch process
to restart the service if its stopped that should fix the problem.

Hope it helps...,
Umesh Thota
www.windowsworkshop.com

2003 is nice in that it does log all the service activities, but Event
Viewer was useful only to the point of verifying that the process
stoppage was not an abend, but a requested stop. No evidence of what
requested the service to stop, which is why I'm in a bind. I need
something at which to point a finger.

Picky details...

It's a Citrix Metaframe (Terminal Server) box. The service that's
stopping is IMAService, so if you know anything about Citrix you'll
know that's something of a show-stopper.

IMAService has the following dependencies:
RPCSS
LanmanServer
LanmanWorkstation
WMI

IMAService is a dependency of CitrixWMIService only.

Event Viewer showed no stoppage of any related services before the
stoppage of IMAService.

-Brad

Hmm yeah! i tht ur services was stoppin on boot or soon after. check
eventvwr.msc (event viewer) as to which program or service is triggering
this!

Also check if ur recent changes are effecting depend services as to which
ur
service stop is triggered, + see timestamps and so on. also is your
application a web based (internet) or an intranet / wan / etc just to rule
out few things.

Process Explorer is a really, really cool program, but unless I'm
missing something it has no way of logging activity - it appears to be
realtime only.

If I get into the office at 9am and find that the service was shut
down at 7am it does not look like it will help me.

-Brad


Hii, Use process explorer
[http://www.sysinternals.com/Utilities/ProcessExplorer.html] to view &
diagnose the services and other active programs and which programs are
using
which files resources n services. so viewing on few program shd help u
find
out which program is trying to stop the service.

Hope this helps..,
Umesh Thota.

I'm an admin for some Windows Server 2003 boxes and after some recent
changes (which backing out really is not an option), I'm finding that
on /some/ mornings one of the services mission-critical to the boxes
has been stopped.

The event log reveals that the service is being stopped on request, so
the feature for automatically restarting services does not help us.

I'm looking for a way to figure out what process - hopefully by EXE
name (and account if possible) is requesting this service to stop.

Any suggestions to help with this detective work?


Thanks,
-Brad

 

[Steven L Umbach]

You could try enabling auditing of process tracking on the computer and then
checking the security log to see what processes were run just before the
Event ID that shows that the service was stopped which may give you a clue.
Process tracking is not normally something you would want to leave enabled
however. --- Steve