The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


eventviewer – filtering on service stop/start events

Posted by jpluimers on 2018/12/27

Based on eventviewer – View Shutdown Event Tracker logs under Windows Server 2008 R2 – Server Fault « The Wiert Corner – irregular stream of stuff, I’ve made similar filters for service stop/start events.

Works on translated systems too, because the filter is on the numeric event ID rather than the localized message text. In PowerShell:

Get-EventLog System | Where-Object {$_.EventID -eq "7036"} | ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap

Or, matching all of the relevant event IDs at once, in a form that can be pasted on a cmd.exe command line (the ^ escapes the pipe character for cmd.exe; drop it when typing the command inside a PowerShell prompt):

Get-EventLog System ^| Where-Object {$_.EventID -in "6005","6006","7000","7009","7036","7040","7042","7043","7045"} ^| ft Machinename, TimeWritten, UserName, EventID, Message -AutoSize -Wrap

Note that the -in operator was introduced in PowerShell 3, so the one-line form needs PowerShell 3 or later.

Source: PowerShell v3 – New -in Operator | Jonathan Medd’s Blog
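The same filter, as an added example that is not from the original post, using Get-WinEvent -FilterHashtable instead of Get-EventLog: the event log does the ID filtering itself rather than piping every record through Where-Object, and Get-WinEvent is still available in PowerShell 7, where Get-EventLog is not. The seven-day window and the property positions for 7036/7045 are assumptions taken from the English message templates.

```powershell
# Added example (not from the original post). Event IDs are those listed in
# the post; the last-week window is an assumption, adjust as needed.
$serviceEventIds = 6005, 6006, 7000, 7009, 7036, 7040, 7042, 7043, 7045

$filter = @{
    LogName   = 'System'
    Id        = $serviceEventIds
    StartTime = (Get-Date).AddDays(-7)   # assumption: one week of history
}

# Get-WinEvent raises an error when the filter matches nothing, which is a
# normal outcome on a quiet machine, so do not treat that as a failure.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Read service name and state from the event's Properties instead of
# regex-matching the Message, so the service names do not depend on the
# message translation. Assumed property positions (from the English templates):
#   7036: %1 = service display name, %2 = state (running / stopped)
#   7045: %1 = service name, %2 = image path, %4 = start type, %5 = account
$rows = foreach ($e in $events) {
    $p = @($e.Properties | ForEach-Object { $_.Value })
    $detail = switch ($e.Id) {
        7036    { '{0} -> {1}' -f $p[0], $p[1] }
        7045    { 'installed {0} ({1}) start={2} account={3}' -f $p[0], $p[1], $p[3], $p[4] }
        default { ($e.Message -split "`r?`n")[0] }   # first line of the message
    }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Provider = $e.ProviderName
        Detail   = $detail
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize -Wrap

# 7045 (a service was installed) deserves a separate look on a server whose
# service set should not be changing: list those newest first.
$rows | Where-Object Id -eq 7045 | Sort-Object Time -Descending | Format-Table -AutoSize
```

The hashtable keys LogName, Id and StartTime are the documented FilterHashtable keys; add ProviderName = 'Service Control Manager' to restrict the 7xxx events to that source, but note that 6005/6006 come from the EventLog provider and would then be excluded.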

I’ve adapted the custom view to include all these event IDs above (note some links have disappeared moving my notes to a blog post):

  • [WayBack] 6005: The Event log service was started (indication for system startup).
  • [WayBack] 6006: The Event log service was stopped (indication for system shutdown).
  • [WayBack] 7000: The <servicename> service failed to start due to the following error:
    The service did not respond to the start or control request in a timely fashion.
  • [WayBack] 7009: A timeout was reached (30000 milliseconds) while waiting for the <servicename> service to connect.
  • [WayBack] 7036:
    • The <servicename> service entered the stopped state.
    • The <servicename> service entered the running state.
  • [WayBack] 7040: The start type of the <servicename> service was changed from demand start to auto start.
  • [WayBack] 7042: The <servicename> service was successfully sent a stop control.
  • [WayBack] 7043: The <servicename> service did not shut down properly after receiving a preshutdown control.
  • [WayBack] 7045: A service was installed in the system.

Other event IDs that might be relevant via [WayBack] Windows Server restart / shutdown history – Server Fault:

  • [WayBack] 6008: “The previous system shutdown was unexpected.” Records that the system started after it was not shut down properly.
  • [WayBack] 6009: Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
  • [WayBack] 6013: Displays the uptime of the computer. There is no TechNet page for this id.
  • [WayBack] 1074: “The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z.” Indicates that an application or a user initiated a restart or shutdown.
  • [WayBack] 1076: “The reason supplied by user X for the last unexpected shutdown of this computer is: Y.” Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.
  • [WayBack] 41 (source: Microsoft-Windows-Kernel-Power)
  • [WayBack] 1001: (source: BugCheck).
  • [WayBack] 12, which is typically the first event ID to be logged after a reboot/reset etc. and shows the actual “system start time”, i.e.: “The operating system started at system time 2017-09-19T02:46:06.582794900Z.”

A more complete list of Windows Kernel related Event IDs is at [WayBack] rootkit.com/NETEVENT.H at master · bowlofstew/rootkit.com.

Steps for the custom view:

Open Event Viewer then

  • Right click Custom Views
  • Click Create Custom View
  • Under the Filter tab
    • Keep Logged as Any time
    • Select all the Event level types (Critical, Warning, etc.)
    • Choose By source and select Service Control Manager and Service Control Manager Performance Diagnostic Provider
    • Optionally, in the Includes/Excludes Event IDs box, enter 6005,6006,7000,7009,7036,7040,7042,7043,7045 as the Event IDs
  • Click Ok
  • Enter a name like Shutdown Events and any description then
  • Click Ok again to complete the custom event log.

Your new custom view should show up in the list of custom views with the correct filter applied.

–jeroen
