Forum Discussion

Ruheena's avatar
Ruheena
Former Employee
Sep 04, 2019
Solved

Query for Window Services State when one service is running and other one is stopped

Hi, I am trying to write a query to get results when ‘Service A’ is in running state and ‘Service B’ is in stopped state. I am getting 0 results when I am sure that it is not correct. Below is the ...
azure monitor
Query Language
  • Stanislav_Zhelyazkov's avatar
    Stanislav_Zhelyazkov
    Sep 04, 2019

    HiRuheena 

    I believe the example query on the blog post is the following:

    Event
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

    I currently do not have env to test the data but in order to do what you want to do you have to create two separate queries  and join or unify the results. I assume that by your request it is unification rather join. The query will be the following:

    let ServiceARunning = Event
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name == 'Service A' and  Windows_Service_State == 'running';
Event
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name == 'Service B' and  Windows_Service_State == 'stopped' | union ServiceARunning
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

    Additionally if you have Change Tracking solution enabled you might want to use that as it has as low as 30 seconds of gathering data for stopped/started services.

    The example would be:

    let SvcAStopped = ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcDisplayName == 'Windows Error Reporting Service' and SvcState == 'Stopped';
ConfigurationChange 
| where ConfigChangeType == "WindowsServices" and SvcDisplayName == 'Network Setup Service' and SvcState == 'Running' 
| union SvcAStopped
| sort by TimeGenerated desc
| project Computer, SvcDisplayName, SvcState, TimeGenerated

    As I have said we are doing union in both queries - basically just merging the two tables without having to match specific records.

     

    I hope this answers your question.

     

Stanislav_Zhelyazkov's avatar
Stanislav_Zhelyazkov
MVP
Sep 04, 2019

HiRuheena 

I believe the example query on the blog post is the following:

Event
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

I currently do not have env to test the data but in order to do what you want to do you have to create two separate queries  and join or unify the results. I assume that by your request it is unification rather join. The query will be the following:

let ServiceARunning = Event
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name == 'Service A' and  Windows_Service_State == 'running';
Event
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name == 'Service B' and  Windows_Service_State == 'stopped' | union ServiceARunning
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

Additionally if you have Change Tracking solution enabled you might want to use that as it has as low as 30 seconds of gathering data for stopped/started services.

The example would be:

let SvcAStopped = ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcDisplayName == 'Windows Error Reporting Service' and SvcState == 'Stopped';
ConfigurationChange 
| where ConfigChangeType == "WindowsServices" and SvcDisplayName == 'Network Setup Service' and SvcState == 'Running' 
| union SvcAStopped
| sort by TimeGenerated desc
| project Computer, SvcDisplayName, SvcState, TimeGenerated

As I have said we are doing union in both queries - basically just merging the two tables without having to match specific records.

 

I hope this answers your question.

 

Ruheena's avatar
Ruheena
Former Employee
Sep 05, 2019

Hi Stanislav_Zhelyazkov 

Thank you for your quick response, it is very helpful. I used 'join' in the query and seeing the expected results.

-Ruheena

 

Resources