

Service audit log

Question

Thursday, June 25, 2020 3:56 AM

Hi All,

I was doing something in Event Viewer and was checking particularly for Windows services. May I know, did you ever come across an audit log where we can determine which user account has started or stopped services?

Best regards

All replies (6)

Tuesday, June 30, 2020 6:25 AM ✅Answered

Thanks Daisy,

I've followed the given instructions, but I'm still unable to track which user has made changes to the services. Even when I simulate the issue myself, I'm still unable to find the log. Perhaps I'm not sure where the log is stored.

Please guide me on this


Wednesday, July 8, 2020 10:55 AM ✅Answered

Hi,

I am sorry for the late reply.

After my research and test, we also need to configure the following policy settings:

Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Object Access → Audit Handle Manipulation and Audit Other Object Access Events

And we can see event ID 4656 on the machine, showing who started or stopped the specific service (in my case, it is DNS Client).

Hope the information is helpful, if anything is unclear, please feel free to let us know.

References:
How to configure Windows to log / audit Qlik Services for the user that performed a start, stop and restart command 
https://support.qlik.com/articles/000058520

4656(S, F): A handle to an object was requested.
/en-us/windows/security/threat-protection/auditing/event-4656

Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

Best Regards,
Daisy Zhou

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
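
The check described in the reply above, as an added PowerShell example that is not part of the original posts: it confirms the two audit subcategories and then lists event 4656 entries in which an account requested start or stop access to one service. The `Dnscache` object name, the `SERVICE OBJECT` type string and the 5000-event window are assumptions for illustration.

```powershell
# Added example. Run from an elevated PowerShell session on the audited machine.
$ServiceName = 'Dnscache'   # assumed ObjectName for DNS Client (its short service name)

# Win32 service access rights that can appear in the event's AccessMask
$SERVICE_START = 0x0010
$SERVICE_STOP  = 0x0020

# Confirm the two subcategories named in the reply are enabled locally
foreach ($sub in 'Handle Manipulation', 'Other Object Access Events') {
    auditpol /get "/subcategory:$sub"
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        # Collect the event's named <Data> fields into a lookup table
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }

        # Keep only handle requests against the chosen service object
        if ($data['ObjectType'] -ne 'SERVICE OBJECT' -or $data['ObjectName'] -ne $ServiceName) { return }

        # AccessMask is logged as hex text such as 0x20; decode the requested rights
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        $rights = @()
        if ($mask -band $SERVICE_START) { $rights += 'Start' }
        if ($mask -band $SERVICE_STOP)  { $rights += 'Stop' }
        if (-not $rights) { return }

        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Account   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Service   = $data['ObjectName']
            Requested = $rights -join ','
            Process   = $data['ProcessName']
            Result    = $evt.KeywordsDisplayNames -join ','
        }
    } | Format-Table -AutoSize
```

Event 4656 records a handle request, so the `Requested` column shows the access rights the account asked for on the service object.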


Friday, June 26, 2020 6:42 AM

Hello,
Thank you for posting in our TechNet forum.

We can do as below: edit the Default Domain policy, navigate to

Computer Configuration->Policies->Windows Settings->Security Settings->System Services, locate the service you want to audit, and define its policy settings by clicking the Edit Security button, which will display the Security dialog box. Click on Advanced and define the Auditing settings from there.

For example,

Enable audit NetLogon service as below:

Hope the information above is helpful. If anything is unclear, please feel free to let us know.

Best Regards,
Daisy Zhou



Friday, July 10, 2020 2:29 AM

Hi,
Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Again thanks for your time and have a nice day!

Best Regards,
Daisy Zhou



Friday, July 10, 2020 10:04 AM

Hi Daisy,

Thanks for the help, I am able to capture and track the services log.


Friday, July 10, 2020 10:41 AM

Hi,
Thank you for your update and marking my reply as answer. I’m very glad that the information is helpful.

As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

Best Regards,
Daisy Zhou
