In event viewer, how would you view a service stop or start event?

Xavier Gonzalez 5 Reputation points
2025-11-03T21:17:12.3666667+00:00

I am on a Windows 11 Pro workstation that is joined to an Active Directory integrated domain. I am having issues detecting the event with unique event ID 7036. This unique event tag is triggered whenever a service is started or stopped. I stop a service and start it, then I go into Event Viewer > Windows Logs > System and look for this event, and I don't see it. I then go ahead and check in the Application, Security, Setup, and Forwarded Events logs, and I still don't see it. I then created a custom log that has all the source logs and filtered it to search for the unique event ID 7036, and still no luck. It's almost as if this event is not being logged. I then went and checked my local security policy, and in Security Settings > Local Policies > Audit Policies > Audit system events, I made sure that success and failure are being logged. I then went ahead and enabled auditing for all policies in this location. I then did a gpupdate /force and did not see these policies change, so that rules out a domain policy overwriting these settings. I then stopped a service and started it back up, and still no luck. I do not see this event in my Event Viewer. Any insight as to what my next step should be would be greatly appreciated. Also, if any clarification is needed, feel free to ask.

Windows for business | Windows Client for IT Pros | Directory services | Active Directory

7 answers

  1. Vivian Phan 5,950 Reputation points Independent Advisor
    2025-11-03T21:56:13.84+00:00

    If you don’t see it in System logs, the most likely causes are: the Service Control Manager (SCM) provider is disabled, the System log is full or overwritten too quickly, or domain GPOs have altered event logging behavior. Event 7036 comes from the Service Control Manager (SCM), not from Audit Policy. On Windows 11 desktop SKUs, 7036 events are not logged by default if the System log is set to only capture warnings/errors. Even if you enabled auditing locally, a domain‑level policy can override event logging configuration. Also, if your event viewer filter is scoped to “Critical/Warning/Error,” you won’t see 7036 because it is an Informational event.

    So the key is to confirm the SCM provider is enabled and that the System log is configured to capture informational events.

    1. Check System Log Settings
      • In Event Viewer, right‑click System → Properties.
      • Ensure Enable logging of Information events is checked.
      • Increase the log size (e.g., 64 MB) and set it to Overwrite events as needed.
    2. Verify SCM Provider
      • Open an elevated PowerShell and run:
             wevtutil gp System | findstr /i "Service Control Manager"
        
      • This confirms whether the SCM provider is enabled. If disabled, re‑enable with:

    If you find this information useful to some extent, please accept the answer so that your experience with the issue would help contribute to the whole community. Thank you :)

    Vivian
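
A read-only check for the causes listed in the answer above, as an added example that is not part of the original answer: it prints the System channel's configuration and how far back the log reaches, then queries for event 7036 from the Service Control Manager provider with no Event Viewer level filter in the way. The function names and the 24-hour window are assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Read-only; changes no settings.

function Get-SystemLogState {
    # Channel configuration: enabled flag, retention mode, size limit, record count.
    $cfg    = Get-WinEvent -ListLog System
    # Oldest surviving record shows how quickly the log is being overwritten.
    $oldest = Get-WinEvent -LogName System -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled      = $cfg.IsEnabled
        LogMode      = $cfg.LogMode      # Circular = overwrite events as needed
        MaxSizeMB    = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
        RecordCount  = $cfg.RecordCount
        OldestRecord = $oldest.TimeCreated
    }
}

function Get-ServiceStateEvent {
    param(
        [int]$Hours     = 24,   # assumed look-back window
        [int]$MaxEvents = 50
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Level   = $e.LevelDisplayName
            Message = $e.Message
        }
    }
}

Get-SystemLogState | Format-List | Out-Host

$found = @(Get-ServiceStateEvent -Hours 24)
if ($found.Count -eq 0) {
    Write-Host 'No 7036 events from Service Control Manager in the last 24 hours.'
} else {
    $found | Format-Table -AutoSize -Wrap | Out-Host
}
```

An empty result together with an `OldestRecord` that is days or weeks old means the events are not being written, rather than being overwritten or hidden by a view filter.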


  2. Vivian Phan 5,950 Reputation points Independent Advisor
    2025-11-04T01:47:06.6066667+00:00

    Hi Xavier Gonzalez,

    Has your issue been solved? If it has, please accept the answer so that it could be spread further to those in need too. If not, is there anything I can help you with? Please let me know. :)

    Vivian


  3. MotoX80 36,906 Reputation points
    2025-11-04T14:50:38.4233333+00:00

    The last time I looked at this, I could not find a way to get those events generated. But that was years ago.

    Depending on the root issue that you need to solve, one option would be to use PowerShell to monitor the status of services.

    $Prior = Get-Service | Select-Object -Property DisplayName, Status
    while ($true) {
        Start-Sleep -Seconds 5
        $Current = Get-Service | Select-Object -Property DisplayName, Status
        Compare-Object $Prior $Current -Property DisplayName,Status | foreach {
            if ($_.SideIndicator -eq "=>") {
                "{0} - {1} - {2}" -f (get-date), $_.Status, $_.DisplayName
            }
        }
        $Prior = $Current
    }
    

  4. Vivian Phan 5,950 Reputation points Independent Advisor
    2025-11-05T03:58:39.3466667+00:00

    Good day Xavier Gonzalez,

    You were right, but the real issue here is that event 7036 is an informational event, and on Windows 10/11 Pro joined to a domain, these behaviors are often suppressed by default through Event Log channel configuration or Group Policy. That’s why you don’t see them even though services are starting and stopping. You need to explicitly configure the System log to capture informational events and confirm no domain GPO is filtering them out.

    VP


  5. MotoX80 36,906 Reputation points
    2025-11-05T14:22:33.04+00:00

    You have to register the source.

    $log = "Application" 
    $Source = "ServiceStateWatcher" 
    # Check if our source is registered
    if ([System.Diagnostics.EventLog]::SourceExists($Source) -eq $false) {
        "Registering source $Source"
        New-EventLog -LogName $log -Source $Source
    }
    "{0} - {1} starting." -f (get-date), $Source
    Write-EventLog -LogName $log -Source $Source -EventId 1800 -EntryType Information -Message "Script is starting." -Category 0
    $Prior = Get-Service | Select-Object -Property DisplayName, Status
    while ($true) {
        Start-Sleep -Seconds 5
        $Current = Get-Service | Select-Object -Property DisplayName, Status
        Compare-Object $Prior $Current -Property DisplayName,Status | foreach {
            if ($_.SideIndicator -eq "=>") {
                "{0} - {1} - {2}" -f (get-date), $_.Status, $_.DisplayName
                if ($_.Status -eq "Running") {
                    $id = 1801
                } elseif ($_.Status -eq "Stopped") {
                    $id = 1802
                } else {
                    $id = 1803
                }
                Write-EventLog -LogName $log -Source $Source -EventId $id -EntryType Information -Message $("{0} is {1}" -f $_.DisplayName, $_.Status) -Category 0 
            }
        }
        $Prior = $Current
    }
    


    You can write your own Service Control Manager events into the System eventlog...

    Write-EventLog -LogName System -Source "Service Control Manager" -EntryType Information -EventId 1800 -Category 0 -Message "Admin Script started"
    

    But they look like this.

    User's image

