cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Query for Window Services State when one service is running and other one is stopped

Ruheena
Microsoft

‎Sep 04 2019 04:10 PM - last edited on ‎Apr 08 2022 10:06 AM by

‎Sep 04 2019 04:10 PM - last edited on ‎Apr 08 2022 10:06 AM by

Query for Window Services State when one service is running and other one is stopped

Hi,

I am trying to write a query to get results when ‘Service A’ is in running state and ‘Service B’ is in stopped state. I am getting 0 results when I am sure that it is not correct. Below is the query 

Event
| where EventLog == ‘System’ and EventID == 7036 and Source == ‘Service Control Manager’
| parse kind=relaxed EventData with * ” Windows_Service_Name ” Windows_Service_State ” *
| where Windows_Service_Name == “Service A” and Windows_Service_State == “running”
| where Windows_Service_Name == “Service B” and Windows_Service_State == “stopped”
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

 

Appreciate your response.

Thanks to @Stanislav Zhelyazkov for his blog which helped me getting started with the query.

Labels:
2,870 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Ruheena (Microsoft)
Stanislav Zhelyazkov

‎Sep 04 2019 10:25 PM

‎Sep 04 2019 10:25 PM

Solution

Re: Query for Window Services State when one service is running and other one is stopped

Hi@Ruheena 

I believe the example query on the blog post is the following:

Event
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

I currently do not have env to test the data but in order to do what you want to do you have to create two separate queries  and join or unify the results. I assume that by your request it is unification rather join. The query will be the following:

let ServiceARunning = Event
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name == 'Service A' and  Windows_Service_State == 'running';
Event
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name == 'Service B' and  Windows_Service_State == 'stopped' | union ServiceARunning
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

Additionally if you have Change Tracking solution enabled you might want to use that as it has as low as 30 seconds of gathering data for stopped/started services.

The example would be:

let SvcAStopped = ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcDisplayName == 'Windows Error Reporting Service' and SvcState == 'Stopped';
ConfigurationChange 
| where ConfigChangeType == "WindowsServices" and SvcDisplayName == 'Network Setup Service' and SvcState == 'Running' 
| union SvcAStopped
| sort by TimeGenerated desc
| project Computer, SvcDisplayName, SvcState, TimeGenerated

As I have said we are doing union in both queries - basically just merging the two tables without having to match specific records.

 

I hope this answers your question.

 

0 Likes
Reply
Ruheena

‎Sep 05 2019 10:04 AM

‎Sep 05 2019 10:04 AM

Re: Query for Window Services State when one service is running and other one is stopped

Hi @Stanislav Zhelyazkov 

Thank you for your quick response, it is very helpful. I used 'join' in the query and seeing the expected results.

-Ruheena

 

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Ruheena (Microsoft)
Stanislav Zhelyazkov

‎Sep 04 2019 10:25 PM

‎Sep 04 2019 10:25 PM

Solution

Re: Query for Window Services State when one service is running and other one is stopped

Hi@Ruheena 

I believe the example query on the blog post is the following:

Event
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

I currently do not have env to test the data but in order to do what you want to do you have to create two separate queries  and join or unify the results. I assume that by your request it is unification rather join. The query will be the following:

let ServiceARunning = Event
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name == 'Service A' and  Windows_Service_State == 'running';
Event
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name == 'Service B' and  Windows_Service_State == 'stopped' | union ServiceARunning
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

Additionally if you have Change Tracking solution enabled you might want to use that as it has as low as 30 seconds of gathering data for stopped/started services.

The example would be:

let SvcAStopped = ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcDisplayName == 'Windows Error Reporting Service' and SvcState == 'Stopped';
ConfigurationChange 
| where ConfigChangeType == "WindowsServices" and SvcDisplayName == 'Network Setup Service' and SvcState == 'Running' 
| union SvcAStopped
| sort by TimeGenerated desc
| project Computer, SvcDisplayName, SvcState, TimeGenerated

As I have said we are doing union in both queries - basically just merging the two tables without having to match specific records.

 

I hope this answers your question.

 

View solution in original post

0 Likes
Reply