Recipe 10.23. Viewing the Startup History of a Service


Problem

You want to view the startup history of a service to determine whether it has had problems starting successfully.

Solution

Every time a service is started or stopped, a message is logged to the Application event log.

Using a graphical user interface

  1. Open the EventCombMT utility (eventcombmt.exe).

  2. Right-click on the Select To Search/Right To Add box and select Add Single Server.

  3. Enter the server name, click Add Server, and click Close.

  4. Highlight the server by clicking on it.

  5. Under Choose Log Files to search, be sure that System is selected.

  6. Under Event Types, select only Informational.

  7. Beside Event IDs, enter 7035 7036

  8. Beside Text, enter the display name of the service (e.g., The Windows Installer service).

  9. Click the Search button.

  10. A Windows Explorer window should pop up containing a file with the output of the search. Double-click on the file to view the results.

Using a command-line interface

The following command displays all the 7035 and 7036 events that pertain to a particular service. This isn't very efficient, because all 7035 and 7036 events are retrieved and then piped to a second command, qgrep, which displays only the ones we are interested in. Unfortunately, you cannot perform pattern matching of the event message with the eventquery command.

> eventquery /v /L system /FI "ID eq 7036 or ID eq 7035" | qgrep -e "The <ServiceDisplayName> service"

Using downloadable software

You can accomplish something similar with the Sysinternals psloglist command, but you need to do it in two steps to retrieve the two different event IDs:

> psloglist -s -i 7035 system | qgrep -e "The <ServiceDisplayName> service"

Here is an example:

> psloglist -s -i 7036 system | qgrep -e "The DNS Client service"

Using VBScript

' This code displays the startup history of a service
' ------ SCRIPT CONFIGURATION ------
strService = "<ServiceDisplayName>" ' e.g. Windows Installer
strLog = "<EventLogName>"           ' e.g. System
strComputer = "<HostName>"          ' e.g. fs-rtp01 (use . for local system)
' ------ END CONFIGURATION ---------
set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
set colEvents = objWMI.ExecQuery _
             ("Select * from Win32_NTLogEvent " & _
              " Where Logfile = '" & strLog & "' " & _
              "   and ( EventCode = '7036' or EventCode = '7035' ) " & _
              "   and Message like 'The " & strService & " service %'")
set objDate = CreateObject("WbemScripting.SWbemDateTime")
for each objEvent in colEvents
   objDate.Value = objEvent.TimeWritten
   Wscript.Echo objDate.GetVarDate & ":" & objEvent.Message
next

Discussion

In the command line and VBScript solutions, you need to know the service display name in order to find the start and stop events. To get that, you can view it either in the Services snap-in or by running the sc query command.
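The solutions above only list the 7035 and 7036 events; deciding whether a start actually succeeded means pairing each start request with the state change that follows it. The following is an added example, not code from the book, written in Python for offline analysis of events you have already exported. The record layout (time, event ID, message), the sample data, and the function names startup_history and failed_starts are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample records (time written, event ID, message); not real log data.
SAMPLE_EVENTS = [
    ("2005-03-01 08:00:02", 7035, "The DNS Client service was successfully sent a start control."),
    ("2005-03-01 08:00:03", 7036, "The DNS Client service entered the running state."),
    ("2005-03-02 02:10:00", 7035, "The DNS Client service was successfully sent a stop control."),
    ("2005-03-02 02:10:01", 7036, "The DNS Client service entered the stopped state."),
    ("2005-03-02 02:15:00", 7035, "The DNS Client service was successfully sent a start control."),
    ("2005-03-02 02:15:30", 7036, "The DNS Client service entered the stopped state."),
    ("2005-03-02 02:15:31", 7036, "The Windows Installer service entered the running state."),
]

def startup_history(events, display_name):
    """Return (requested, resolved, outcome) tuples for one service (hypothetical helper)."""
    # Same anchor as the qgrep pattern: "The <ServiceDisplayName> service ..."
    pattern = re.compile(r"^The " + re.escape(display_name) + r" service (.+?)\.?$")
    attempts, pending = [], None
    for stamp, event_id, message in sorted(events):  # ISO-style stamps sort chronologically
        match = pattern.match(message)
        if not match or event_id not in (7035, 7036):
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        text = match.group(1)
        if event_id == 7035 and "start control" in text:
            if pending:  # previous request never produced a state change
                attempts.append((pending, None, "no state change logged"))
            pending = when
        elif event_id == 7036 and "running state" in text:
            attempts.append((pending, when, "started"))  # pending is None if no 7035 was seen
            pending = None
        elif event_id == 7036 and "stopped state" in text and pending:
            attempts.append((pending, when, "stopped without running"))
            pending = None
    if pending:
        attempts.append((pending, None, "no state change logged"))
    return attempts

def failed_starts(events, display_name):
    """Start requests that did not end in the running state."""
    return [a for a in startup_history(events, display_name) if a[2] != "started"]

if __name__ == "__main__":
    for requested, resolved, outcome in startup_history(SAMPLE_EVENTS, "DNS Client"):
        print(requested, "->", resolved, outcome)
```

The pairing is a heuristic based only on the two event IDs this recipe searches for; a start request followed by a stopped state, or by no state change at all, is what to investigate further.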



Windows XP Cookbook
ISBN: 0596007256
EAN: 2147483647
Year: 2006
Pages: 408
