How to find which process stopped or started Windows Services
It is not very common for a Windows Service to get stopped or disabled, but it can happen at times. The biggest problem here is that there is no easy way to find out which process stopped or updated a Windows Service on Windows 10. That is where you need a program that can audit such services. It comes in handy with custom services, which are more prone to these issues. Windows Service Auditor is a free program that allows you to keep track of such services. It will tell you which process stopped, started, deleted, or updated Windows Services, and it keeps a log of the user, the time, and the process that made any change.
Find which process stopped or started Windows Services
Windows Service Auditor is a free, portable application that allows you to perform detailed auditing. It can also probe the Windows Event Logs to give better insight. Windows does offer some tools, but they don't help a general consumer. Tools such as Event Viewer and AuditPol provide a detailed view, but you need to be an expert to understand them and debug these issues.
Features of Windows Service Auditor
- Works with domain computers, local and global audit policies
- Tracks which program stopped or deleted a Windows Service
- Shows when the service was started, with the start time
- Any startup error for the services
How to use Windows Service Auditor
Since this is a monitoring service, it cannot do everything on its own. You will have to choose which service should be tracked. Along with that, you can stop and start services if needed. Here is how to set up auditing of a service.
1] Initial Setup
It’s a portable application, so make sure to download it and keep it in a place where it won’t get deleted. Also, make sure to set it to launch when the computer starts, so the auditing doesn’t miss anything. Launch the application, and you will see two parts: the list of Windows Services and the Event logs. The latter shows any event log entries connected to the selected service.
2] Enable Advanced Security Auditing
Windows doesn’t keep track of some of the advanced details with its default settings. You will need to enable advanced security auditing to capture them. The good thing is that with Windows Service Auditor you can enable it right away.
Click on the Application menu and then select “Enable Local Audit Policy.” This option is automatically enabled by default, but if you wish to disable it, this is the menu you need to access. Once it is enabled, Windows will audit the following subcategories:
- Other Object Access
- Handle Manipulation
- Security System Extension
3] Monitor a Service
The last step is to select a service, and then click on the “Eye” icon on the top menu to start monitoring it. Once enabled, notice the “Eye” icon next to the service that is being monitored. Select it, and you will have details in the Events section. It will include all the changes made by a program or a user, along with a timestamp. There is no way to enable it for multiple services, and it will not work for all services, but only for those that are not under system control. With the audit policy in place, Windows will capture detailed audit events whenever anyone tries to start, stop, or update your service.
You can also enable auditing for any service using the menu option available under services.
How Windows Service Auditor works on Domain Computers
While you can enable it on any computer that is part of a domain, there is one drawback. Any changes made by Windows Service Auditor will be overwritten the next time the server refreshes the policy. You will have to manually update the Global Audit Policy again to enable advanced auditing. Microsoft has detailed documentation on how you can update the global Audit Policy.
Just like with Local Policy editing, you will need to configure the system to audit events in the Other Object Access, Handle Manipulation, and Security System Extension subcategories. They are available under Security Settings.
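Because a domain policy refresh can silently undo the local setting, it helps to check that the three subcategories are still being audited. The PowerShell below is an added example, not part of Windows Service Auditor or the original article; it parses the CSV report that `auditpol /get /category:* /r` prints. It assumes an English-language Windows (subcategory names and setting strings are localized), and the function name and sample rows are constructed for illustration.

```powershell
# Added example: report which of the three audit subcategories named in the
# article are no longer being audited (for instance after a Group Policy refresh).
$Required = 'Other Object Access Events', 'Handle Manipulation', 'Security System Extension'

function Get-MissingAuditSubcategory {
    # Hypothetical helper name. Takes the lines of an "auditpol /get ... /r" CSV report.
    param(
        [string[]]$CsvLines,
        [string[]]$Required
    )
    # auditpol prints a blank line before the CSV header; drop empty lines first.
    $rows = $CsvLines | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($name in $Required) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name }
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
        if ($setting -in 'No Auditing', 'not reported') {
            [pscustomobject]@{ Subcategory = $name; Setting = $setting }
        }
    }
}

# Constructed sample report (machine name and GUID placeholders are not real values).
$sample = @(
    ''
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'PC01,System,Security System Extension,{GUID-PLACEHOLDER},Success and Failure,'
    'PC01,System,Handle Manipulation,{GUID-PLACEHOLDER},No Auditing,'
    'PC01,System,Other Object Access Events,{GUID-PLACEHOLDER},Success,'
)

# On the sample, only "Handle Manipulation" is reported as missing.
Get-MissingAuditSubcategory -CsvLines $sample -Required $Required | Format-Table -AutoSize

# Against the live system (run from an elevated prompt):
#   Get-MissingAuditSubcategory -CsvLines (auditpol /get /category:* /r) -Required $Required
# To re-enable a subcategory that was reset:
#   auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
```

On a domain-joined machine the lasting fix is still to set these subcategories in the domain's audit policy, since a local `auditpol /set` is overwritten at the next refresh.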
Download it from the official page.
I hope the post was easy to follow, and you were able to enable Advanced Security Auditing for Windows Services on Windows 10.