ProblemYou want to view the startup history of a service to determine whether it has had problems starting successfully. SolutionEvery time a service is started or stopped a message is logged to the Application event log. Using a graphical user interface
Using a command-line interfaceThe following command displays all the 7035 and 7036 events that pertain to a particular service. This isn't very efficient because all 7035 and 7036 events are retrieved and piped to a second qgrep command to only display the ones we are interested in. Unfortunately, you cannot perform pattern matching of the event message with the eventquery command. > eventquery /v /L system /FI "ID eq 7036 or ID eq 7035" | qgrep -e "The <ServiceDisplayName> service" Using downloadable softwareYou can accomplish something similar with the Sysinternals psloglist command, but you need to do it in two steps to retrieve the two different event IDs: > psloglist -s -i 7035 system | qgrep -e "The <ServiceDisplayName> service" Here is an example: > psloglist -s -i 7036 system | qgrep -e "The DNS Client service" Using VBScript' This code displays the startup history of a service ' ------ SCRIPT CONFIGURATION ------ strService = "<ServiceDisplayName>" ' e.g. Windows Installer strLog = "<EventLogName>" ' e.g. System strComputer = "<HostName>" ' e.g. fs-rtp01 (use . for local system) ' ------ END CONFIGURATION --------- set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") set colEvents = objWMI.ExecQuery _ ("Select * from Win32_NTLogEvent " & _ " Where Logfile = '" & strLog & "' " & _ " and ( EventCode = '7036' or EventCode = '7035' ) " & _ " and Message like 'The " & strService & " service %'") set objDate = CreateObject("WbemScripting.SWbemDateTime") for each objEvent in colEvents objDate.Value = objEvent.TimeWritten Wscript.Echo objDate.GetVarDate & ":" & objEvent.Message next DiscussionIn the command line and VBScript solutions, you need to know the service display name in order to find the start and stop events. To get that, you can view it either in the Services snap-in or by running the sc query command. |