Queries for the ConfigurationData table

Recently stopped Auto services

Shows the most recent services that are set to "Auto" startup but are reported as stopped.

ConfigurationData
| where ConfigDataType == "WindowsServices" and SvcStartupType == "Auto"
| where SvcState == "Stopped"
| summarize arg_max(TimeGenerated, *) by SoftwareName, Computer