Recipe 7.12. Viewing the Startup History of a Service

Problem

You want to view the startup history of a service. Every time a service is started or stopped, a message is logged to the Application event log.

Solution

Using a graphical user interface

  1. Open the EventCombMT utility (eventcombmt.exe).

  2. Right-click on the Select To Search/Right To Add box and select Add Single Server.

  3. Enter the server name, click Add Server, and click Close.

  4. Highlight the server by clicking on it.

  5. Under Choose Log Files to search, be sure that System is selected.

  6. Under Event Types, select only Informational.

  7. Beside Event IDs, enter 7035 7036

  8. Beside Text, enter the display name of the service (e.g., The Windows Installer service).

  9. Click the Search button.

  10. A Windows Explorer window should pop up containing a file with the output of the search. Double-click on the file to view the results.

Using a command-line interface

The following command displays all 7035 and 7036 events that pertain to a particular service. This isn't very efficient, because every 7035 and 7036 event is retrieved and then piped to a second command, qgrep, which displays only the ones we are interested in. Unfortunately, you cannot perform pattern matching on the event message with the eventquery command.

> eventquery /v /L system /FI "ID eq 7036 or ID eq 7035" | qgrep -e "The <ServiceDisplayName> service"

You can accomplish something similar with the psloglist command, but you need to do it in two steps to retrieve the two different event IDs:

> psloglist -s -i 7035 system | qgrep -e "The <ServiceDisplayName> service"

Here is an example:

> psloglist -s -i 7036 system | qgrep -e "The DNS Client service"

Using VBScript

' This code displays the startup history of a service
' ------ SCRIPT CONFIGURATION ------
strService = "<ServiceDisplayName>" ' e.g., Windows Installer
strLog = "<EventLogName>"           ' e.g., System
strComputer = "<ServerName>"        ' e.g., fs-rtp01 (use . for local server)
' ------ END CONFIGURATION ---------

' Connect to WMI on the target server
set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

' Retrieve only the 7035/7036 events whose message names the service
set colEvents = objWMI.ExecQuery _
             ("Select * from Win32_NTLogEvent " & _
              " Where Logfile = '" & strLog & "' " & _
              "   and ( EventCode = '7036' or EventCode = '7035' ) " & _
              "   and Message like 'The " & strService & " service %'")

' Convert each WMI timestamp to a readable date and print it with the message
set objDate = CreateObject("WbemScripting.SWbemDateTime")
for each objEvent in colEvents
   objDate.Value = objEvent.TimeWritten
   Wscript.Echo objDate.GetVarDate & ":" & objEvent.Message
next

Discussion

In the command-line and VBScript solutions, you need to know the service display name in order to find the start and stop events. To determine the display name of a service, either look it up in the Services snap-in or run the sc query command.
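Once the 7035 and 7036 events have been exported, the message text can be turned into a per-service timeline that shows each control request, each state change, and how long the service stayed stopped. The following Python is an added example, not code from the book. It assumes an English-language system and a constructed tab-separated export (time, event ID, message); the function names and sample lines are hypothetical.

```python
import re
from datetime import datetime

# Message wording written by the Service Control Manager (English system assumed).
PATTERNS = {
    7035: re.compile(r"^The (.+) service was successfully sent an? (\w+) control\.$"),
    7036: re.compile(r"^The (.+) service entered the (\w+) state\.$"),
}

# Constructed sample export (not real log data): time <TAB> event ID <TAB> message.
SAMPLE = """\
2006-03-01 08:00:05\t7035\tThe DNS Client service was successfully sent a start control.
2006-03-01 08:00:06\t7036\tThe DNS Client service entered the running state.
2006-03-01 08:00:09\t7036\tThe Background Intelligent Transfer Service service entered the running state.
2006-03-02 23:14:40\t7035\tThe DNS Client service was successfully sent a stop control.
2006-03-02 23:14:41\t7036\tThe DNS Client service entered the stopped state.
2006-03-03 07:30:12\t7036\tThe DNS Client service entered the running state.
2006-03-03 09:10:00\t7036\tThe DNS Client service entered the stopped state.
"""

def parse_events(text):
    """Yield (time, event_id, service, detail) for each well-formed 7035/7036 line."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[1].isdigit():
            continue  # skip malformed lines
        pattern = PATTERNS.get(int(parts[1]))
        match = pattern.match(parts[2].strip()) if pattern else None
        if match:
            when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            yield when, int(parts[1]), match.group(1), match.group(2)

def history(text, service):
    """Return (all events, stopped intervals) for one service display name."""
    changes, outages, stopped_at = [], [], None
    for when, event_id, svc, what in sorted(parse_events(text)):
        if svc.lower() != service.lower():
            continue  # exact display-name match, case-insensitive
        changes.append((when, event_id, what))
        if event_id != 7036:
            continue  # 7035 records a control request, not a state change
        if what == "stopped":
            stopped_at = when
        elif what == "running" and stopped_at is not None:
            outages.append((stopped_at, when, when - stopped_at))
            stopped_at = None
    if stopped_at is not None:
        outages.append((stopped_at, None, None))  # still stopped at end of log
    return changes, outages
```

A stopped interval with no end time means the log ends with the service still stopped, which is worth checking when the service is one that should always be running.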



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
