Query to Get service Information of VM.

Akhila Nalluri · ‎01-30-2018

Hi,

I am trying to write a log search query which gives me the information about all the services that are stopped are started in services.msc for past 3 hours. I have tried to use ConfigurationChange after going through the documentation, but it seems to be deprecated. The logs are not a part of Event or Perf either. Can anyone guide me through this.

Thanks!

Evgeny Ternovsky · ‎01-31-2018

I don't have any data in my subscriptions around services starting and stopping, but looking for event 7036 (The %1 service entered the %2 state) in the events table might be one approach. Not sure if it gets routed to the Event or SecurityEvent table, so can do a

union Event, SecurityEvent | where EventId == 7036 | ...

Thanks,
-Evgeny

Akhila Nalluri · ‎01-31-2018

Thanks Evgeny. It is getting logged in Event Table with

Service Control Manager as Source. But there is a time delay of around 15 minutes from when the service state is changed to the data visible in OMS portal. So I missed out earlier.

I am trying to understand something else too. Some services are getting logged in ConfigurationChange Table and some are not like the below query worked for some services.

ConfigurationChange
| where ConfigChangeType == "WindowsServices"
| where SvcDisplayName == "Xbox Live Auth Manager"
| where SvcState == "Stopped"

Thanks,

Akhila

Stanislav Zhelyazkov · ‎01-31-2018

Hi

This article might help you as well:

Monitoring Windows Services States with Log Analytics