7.12. Viewing the Startup History of a Service

Problem

You want to view the startup history of a service. Every time a service is started or stopped, a message is logged to the Application event log.

Solution

Using a graphical user interface

  1. Open the EventCombMT utility (eventcombmt.exe).

  2. Right-click on the Select To Search/Right To Add box and select Add Single Server.

  3. Enter the server name, click Add Server, and click Close.

  4. Highlight the server by clicking on it.

  5. Under Choose Log Files to search, be sure that System is selected.

  6. Under Event Types, select only Informational.

  7. Beside Event IDs, enter 7035 7036

  8. Beside Text, enter the display name of the service (e.g., The Windows Installer service).

  9. Click the Search button.

  10. A Windows Explorer window should pop up containing a file with the output of the search. Double-click on the file to view the results.

Using a command-line interface

The following command displays all 7035 and 7036 events that pertain to a particular service. This isn't very efficient, because every 7035 and 7036 event is retrieved and then piped to a second command, qgrep, which displays only the ones we are interested in. Unfortunately, the eventquery command cannot perform pattern matching on the event message.

> eventquery /v /L system /FI "ID eq 7036 or ID eq 7035" | qgrep -e "The <ServiceDisplayName> service"

You can accomplish something similar with the psloglist command, but you need to do it in two steps to retrieve the two different event IDs:

> psloglist ...
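
The same search on systems where PowerShell's Get-WinEvent cmdlet is available, as an added example that is not from the book: the event IDs and provider are filtered at the log, and only the display-name match on the message is done client-side. The function name Get-ServiceStateHistory, its parameters, and the English message wording are assumptions.

```powershell
# Added example, not from the book. Get-ServiceStateHistory and its
# parameters are hypothetical names chosen for illustration.
function Get-ServiceStateHistory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DisplayName,   # e.g. 'Windows Installer'
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $MaxEvents    = 5000
    )

    # Applied by the event log query itself: System log, events 7035/7036 only.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7035, 7036
    }

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                               -MaxEvents $MaxEvents -ErrorAction Stop
    }
    catch {
        # An empty result is reported as an error; treat it as "no history".
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw   # access denied, host unreachable, etc. must stay visible
    }

    # Assumption: English message text of the form "The <display name> service ...".
    # Wildcard characters in the name are escaped so it is matched literally.
    $name    = [System.Management.Automation.WildcardPattern]::Escape($DisplayName)
    $pattern = "The $name service *"

    # UserId is the SID recorded on the event, when one is present.
    $events |
        Where-Object { $_.Message -like $pattern } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, UserId, Message
}

# Usage: start/stop records for one service, oldest first.
Get-ServiceStateHistory -DisplayName 'Windows Installer' |
    Format-Table -AutoSize -Wrap
```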
