Microsoft Tech Community
Monitoring a service for State and StartMode
Published Mar 12 2019 04:45 PM
Microsoft

First published on TECHNET on Aug 09, 2008

I recently had a customer who wanted an alert whenever a specific service is not Disabled and/or not Stopped.  I accomplished this with a "Timed Script Three State Monitor", using the steps below.  Even if you do not have this specific need, these steps can be used as a template for creating a monitor that uses a script to query WMI and change state or generate alerts based on the results.  If you don't need three states (Critical, Warning, Healthy), there is a Two State Monitor that can be used instead.

Create a new monitor and select Scripting\Generic\Timed Script Three State Monitor.

Give it a name, target, etc. (I targeted the Windows Computer class, but Windows Operating System may be a better choice).  I try to make a habit of unchecking "Monitor is enabled" and enabling it with an override later, at least while testing it.

Set the schedule.  This just depends on how quickly you want to know if the service gets changed.

Next, I used a basic VBScript that accepts a service name as a parameter, queries WMI for the service, and puts the Service Name, State (Running, Stopped, etc.), and StartMode (Disabled, Manual, Automatic) into property bag values.  The full text of the script is below:

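---------------------------------------------------------------------------------------------------

' Returns the State and StartMode of one Windows service to Operations Manager
' as property bag values. Argument 0 is the service name (short name, not display name).
Option Explicit
Dim oAPI, oBag, oArgs, strComputer, strServiceName
Dim objWMI, colServices, objService

Set oArgs = WScript.Arguments
If oArgs.Count < 1 Then WScript.Quit   ' no service name supplied

Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()
strComputer = "."                      ' local computer
strServiceName = oArgs(0)

Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colServices = objWMI.ExecQuery("select * from win32_service where name =" & """" & strServiceName & """")

' If no service matches, the loop body never runs and no property bag is returned.
For Each objService In colServices
    Call oBag.AddValue("ServiceName", strServiceName)
    Call oBag.AddValue("State", objService.State)
    Call oBag.AddValue("StartMode", objService.StartMode)
    Call oAPI.Return(oBag)
Next

---------------------------------------------------------------------------------------------------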

For the script parameter, I just enter "ServiceName".  This will be replaced by an override later, or you can just enter your service name here.

Next, I set the "Unhealthy", "Degraded", and "Healthy" expressions for the monitor.  My goal is to set the state to Warning when the service is Stopped but NOT Disabled, Critical when it is NOT Stopped, and Healthy when it is Stopped AND Disabled.  I used the following expressions:

Unhealthy Expression:

Parameter Name: Property[@Name='State']

Operator: Does not equal

Value: Stopped

Degraded Expression:

Parameter Name: Property[@Name='StartMode']

Operator: Does not equal

Value: Disabled

AND

Parameter Name: Property[@Name='State']

Operator: Equals

Value: Stopped

Healthy Expression:

Parameter Name: Property[@Name='StartMode']

Operator: Equals

Value: Disabled

AND

Parameter Name: Property[@Name='State']

Operator: Equals

Value: Stopped
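
The three expressions above can be checked from a PowerShell prompt before the monitor is enabled, including whether every State/StartMode combination matches exactly one of them. This is an added example, not part of the original post or the attached MP; the function names Get-ExpectedMonitorState and Test-ServiceMonitorState and the sample values are assumptions made for illustration.

```powershell
# Added example; function names are hypothetical, not part of the MP.
function Get-ExpectedMonitorState {
    param(
        [Parameter(Mandatory)][string]$State,
        [Parameter(Mandatory)][string]$StartMode
    )
    # One entry per monitor expression, keyed by the resulting health state.
    $expressions = [ordered]@{
        Critical = ($State -ne 'Stopped')                                 # Unhealthy
        Warning  = ($StartMode -ne 'Disabled' -and $State -eq 'Stopped')  # Degraded
        Healthy  = ($StartMode -eq 'Disabled' -and $State -eq 'Stopped')  # Healthy
    }
    $matched = @($expressions.Keys | Where-Object { $expressions[$_] })
    # Exactly one expression must match, otherwise the expressions
    # overlap or leave a combination with no state.
    if ($matched.Count -ne 1) {
        throw "Expected exactly one matching expression, got $($matched.Count)"
    }
    $matched[0]
}

function Test-ServiceMonitorState {
    param([Parameter(Mandatory)][string]$ServiceName)
    # Escape backslash and single quote before building the WQL filter.
    $escaped = $ServiceName -replace "([\\'])", '\$1'
    # Same WMI class and properties that the VBScript reads.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$escaped'"
    if (-not $svc) {
        # The VBScript returns no property bag here, so no expression is evaluated.
        return "NoData (service '$ServiceName' not found)"
    }
    Get-ExpectedMonitorState -State $svc.State -StartMode $svc.StartMode
}

# Constructed sample values (not captured output) covering each outcome,
# including a service that was disabled while still running.
$samples = @(
    @{ State = 'Stopped'; StartMode = 'Disabled' }
    @{ State = 'Stopped'; StartMode = 'Manual'   }
    @{ State = 'Running'; StartMode = 'Manual'   }
    @{ State = 'Running'; StartMode = 'Disabled' }
)
foreach ($s in $samples) {
    '{0,-8} {1,-9} -> {2}' -f $s.State, $s.StartMode, (Get-ExpectedMonitorState @s)
}
```

On a monitored computer, `Test-ServiceMonitorState -ServiceName Alerter` applies the same check to the live service.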

Next, I used the default settings for Health State, since they already match what I want to do.

Next, I configure the alert settings.  With my settings, the monitor generates a Warning alert when it is in a Warning state (service is not Disabled), and a Critical alert when it is in the Critical state (service is not Stopped).  The Alert Description will have the service name (using the ServiceName property created by the script).

Now that I have the monitor created, I need to enable it and set the Override for the Service Name:

I'm using the Alerter service for my test:

To test the monitor, I first set the Alerter service to Manual Startup and leave it stopped:

Then I verify that I get the Warning alert:

Health Explorer correctly shows the "Degraded" Warning state:

Now I want to test the Critical state, so I start the Alerter Service:

Now the alert is changed to Critical:

And Health Explorer shows the "Unhealthy" Critical state:

When I stop the service and disable it, the alert is auto-resolved and the state is changed back to Healthy.

I've attached my sample MP which includes the following monitors:

Service disabled and stopped - two-state monitor:

If the specified service is not Stopped AND Disabled, the computer will be put in a Warning state and a Warning alert will be generated.  When the service is stopped and disabled, the computer will be put in a Healthy state.

Service disabled and stopped - three-state monitor:

If the specified service is Stopped and is not Disabled, the computer will be put in a Warning state and a Warning alert will be generated.  If the specified service is not Stopped, the computer will be put in a Critical state and a Critical alert will be generated.  When the service is stopped and disabled, the computer will be put in a Healthy state.

Usage:

Both monitors are targeted at the Windows Computer class and roll up to the Configuration Health.  Both monitors are disabled by default.  They are configured to check the service every 1 minute.  To enable one of the monitors, add an Override for the Computer or Group you wish to monitor and set the following Override parameters:

Enabled=True

Script Arguments = <Service Name>

Enjoy!!

Service.Monitor.MP.xml

Version history
Last update: Feb 20 2020 10:35 AM