Please try this:
Re-enable only this audit policy.
Delete the Auditpol.exe scheduled task.
That should do the trick.
My aim is to log the events when service "Log On As" property has been changed. I am trying to find out who changed this property, the name of service and the new value of property.
Answer accepted by question author
Undo the settings shown in the screenshot and try this:
Run:
auditpol /set /subcategory:"Registry" /success:enable
And then open Regedit.exe and go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Right-click "Services" → Permissions
Click Advanced.
Select "Auditing"
Click "Add"
Add "Everyone".
Expand special permissions and enable "Set value" (and perhaps "Delete"). Uncheck all other boxes.
Click OK, OK, OK to close all dialogs.
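The same configuration as the steps above, scripted, as an added example that is not part of the original answer. It assumes an elevated Windows PowerShell prompt; the "Set value" and "Delete" boxes in the GUI correspond to the SetValue and Delete RegistryRights below.

```powershell
# Added example: audit policy plus SACL on the Services key, equivalent to the GUI steps above.
# Run elevated (writing a SACL needs SeSecurityPrivilege).

# 1. Success auditing for the Registry subcategory (Object Access), as in the answer.
auditpol /set /subcategory:"Registry" /success:enable

# 2. Audit entry for Everyone on HKLM\SYSTEM\CurrentControlSet\Services:
#    successful SetValue (and Delete), inherited by every service subkey.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$acl = Get-Acl -Path $key -Audit          # -Audit is required so the SACL is read and written back

$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl.AddAuditRule($rule)
Set-Acl -Path $key -AclObject $acl

# 3. Check: the new entry should appear with AuditFlags = Success and ContainerInherit.
(Get-Acl -Path $key -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, AuditFlags -AutoSize
```

Changing any service's ObjectName value (the "Log On As" account) will now produce a 4657 event in the Security log.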
Answer accepted by question author
If the other user is going to change the service configuration using SC.exe or Services MMC, the user name will be shown as SYSTEM, because it's the service controller that powers the operation.
Unless the user changes the setting directly in the registry, event logs can't capture the user name who did the change.
What you can do is attach an event trigger to the event 4657 and write a script that will parse the last event 4657 and also write the currently logged-on user name. The script can output the event to a custom event log or a file.
Here's a sample VBScript you can attach as an event trigger to 4657.
' Record the interactively logged-on user at the moment the trigger fires,
' then append a time-stamped line to the log file.
Set objNetwork = CreateObject("Wscript.Network")
Set WshShell = CreateObject("WScript.Shell")
sCmd = """" & "The current user is " & objNetwork.UserName & " - " & Now & """"
sCmd = "cmd.exe /c echo " & sCmd & " >>c:\windows\temp\events.log"
' Hidden window (0); wait for completion (True) so the two appends land in order.
WshShell.Run sCmd, 0, True
' Append the newest 4657 event (/c:1 with /rd:true = most recent first) in text form.
sCmd = "cmd.exe /c wevtutil qe " & """" & "Security" & """" & _
" /q:" & """" & "*[System[(EventID=4657)]]" & """" & " /c:1 /f:text /rd:true >>c:\windows\temp\events.log"
WshShell.Run sCmd, 0, True
It's a crude script without any error handling or anything. I posted it for demonstration purposes. However, you can add the necessary features to it easily.
When a user changes the service configuration, event 4657 is logged, triggering the above VBScript file. The VBS logs the entry to C:\Windows\Temp\Events.log by appending to the file.
Here's a sample event logged into the Events.log file:
"The current user is ramesh - 2/25/2023 11:23:29 PM"
Event[0]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2023-02-25T23:23:28.0300000Z
Event ID: 4657
Task: Registry
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: OptiPlex-9020
Description:
A registry value was modified.
Subject:
Security ID: S-1-5-21-1792754669***********
Account Name: ramesh
Account Domain: OPTIPLEX-9020
Logon ID: 0x8AEF9B0
Object:
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AdobeFlashPlayerUpdateSvc
Object Value Name: ObjectName
Handle ID: 0x3cc
Operation Type: Existing registry value modified
Process Information:
Process ID: 0x1038
Process Name: C:\Windows\regedit.exe
Change Information:
Old Value Type: REG_SZ
Old Value: sdf
New Value Type: REG_SZ
New Value: LocalSystem
******************
Sample event #2
"The current user is ramesh - 2/25/2023 11:32:30 PM"
Event[0]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2023-02-25T23:32:29.7150000Z
Event ID: 4657
Task: Registry
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: OptiPlex-9020
Description:
A registry value was modified.
Subject:
Security ID: S-1-5-18
Account Name: OPTIPLEX-9020$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Object:
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AdobeFlashPlayerUpdateSvc
Object Value Name: ObjectName
Handle ID: 0x88c
Operation Type: Existing registry value modified
Process Information:
Process ID: 0x398
Process Name: C:\Windows\System32\services.exe
Change Information:
Old Value Type: REG_SZ
Old Value: s
New Value Type: REG_SZ
New Value: LocalSystem
I hope that fits the bill perfectly. Let me know.
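An added example, not part of the original answer: instead of dumping the last 4657 event to a text file, this reads the 4657 events directly, keeps only the ones that touch the ObjectName value under a service key (the "Log On As" account, as in both sample events above), and flags the ones the Security log attributes to SYSTEM (S-1-5-18), which is what the two samples show for Services MMC / SC.exe changes made through services.exe. It assumes auditing is configured as in the accepted answer and an elevated prompt that can read the Security log.

```powershell
# Added example: extract "Log On As" changes from 4657 events.
# Field names (SubjectUserSid, ObjectName, ObjectValueName, OldValue, NewValue, ...)
# are the EventData names of event 4657, visible in the sample events above.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } `
                       -MaxEvents 500 -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Only the ObjectName value of a key directly under ...\Services\ is the service account.
    if ($d['ObjectValueName'] -ne 'ObjectName') { continue }
    if (-not ($d['ObjectName'] -match '\\Services\\([^\\]+)$')) { continue }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Service  = $Matches[1]
        OldValue = $d['OldValue']
        NewValue = $d['NewValue']
        Subject  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        LogonId  = $d['SubjectLogonId']
        Process  = $d['ProcessName']
        # S-1-5-18 = LocalSystem: services.exe wrote the value for an SC.exe / MMC caller,
        # so the Subject does not name the person; correlate by time with other evidence.
        SubjectIsSystem = ($d['SubjectUserSid'] -eq 'S-1-5-18')
    }
}

$changes | Sort-Object Time -Descending | Format-Table -AutoSize
```

Rows with SubjectIsSystem = True are the cases the answer above describes: the registry audit alone cannot attribute them to a user, and the trigger script's "current user" line is what supplies that context.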
Answer accepted by question author
Hi Dear,
Thanks for the update.
I think you have already tried this; just confirm:
In the Event Viewer, expand "Windows Logs" in the left pane, and then select "Security" from the sub-menu.
In the right pane, you can click on the "Filter Current Log" option under the "Actions" menu.
In the "Event ID" field, type "4657" (which is the event ID for changes to object permissions) and click on the "OK" button.
Now, the log will display only the events related to changes in object permissions. To further filter the events based on your requirements, click on the "XML" tab at the bottom of the window.
In the XML tab, click on the "Edit" button, and then paste the following XML query:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID='4657')]]
and
*[EventData[Data[@Name='ObjectName']='\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SERVICE_NAME']]
and
*[EventData[Data[@Name='ObjectValueName']='ObjectName']]
</Select>
</Query>
</QueryList>
Replace "SERVICE_NAME" with the actual name of the service you want to monitor.
Click on the "OK" button to apply the filter.
Now, the log will display only the events related to changes in the "Log On As" property of the specified service. You can view the details of each event to see who changed the property, the name of the service, and the new value of the property.
EDIT:
Based on your updated information, it seems like you're looking for a more detailed and granular level of auditing for the specific service properties that are being changed.
In this case, I recommend you use a third-party auditing tool that provides more advanced auditing capabilities.
One such tool is the Netwrix Auditor for Windows Services, which allows you to audit all changes to the Windows services, including changes to service accounts, service dependencies, and service startup types. The tool provides detailed audit trails that capture who made the change, when it was made, and what was changed, and it can generate reports that help you quickly identify and investigate any suspicious changes to the services.
Another option is to use PowerShell scripts to monitor and audit changes to the specific service properties that you're interested in. For example, you can use the Get-Service cmdlet to retrieve the current properties of the service, and then use the Set-Service cmdlet to set the auditing options for the specific properties that you want to monitor. You can also use the EventLog class in PowerShell to create custom event logs and write entries to the logs when specific events occur.
I think this will not solve it for you, but don't be afraid, I can route this to other experts to help us!
Kind Regards,
R. Cord
Hi, my name is Kelly, and I'm an independent consultant and I'm here to help.
Yes, you can monitor services for changes in specific properties using Windows Event Viewer. Here are the steps to do so:
Open the Event Viewer by typing "Event Viewer" in the Windows search bar and selecting it from the results.
In the left-hand pane, navigate to "Windows Logs" > "Security".
In the right-hand pane, click on "Filter Current Log..." and enter the following filter criteria:
Event ID: 4672 (this is the event ID for an audit event generated when a privileged service is started or stopped)
Task Category: "Special Logon" (this narrows down the search to events related to privileged logons)
Click on "OK" to apply the filter.
Look for events with the description "Special privileges assigned to new logon" and with the following details:
Subject: This will show you the user account that initiated the change.
Object: This will show you the name of the service and the new value of the "Log On As" property.
Process Information: This will show you the process that was used to make the change.
By reviewing these events, you should be able to determine who changed the "Log On As" property for a specific service, the name of the service, and the new value of the property. Note that auditing needs to be enabled for these events to be logged, so you may need to enable auditing on your system if it's not already enabled.