bsharath

Need a script that sends a mail each time a user stops or disables a service.

Hi,

Need a script that sends a mail each time a user stops or disables a service.
Any script that can do this from within a client.

Regards
Sharath
Don

I think the event Id that you would set the trigger for would be 7035 (...service was successfully sent a stop control)
Wow... stunned.... didn't know that one existed, have always done this with MOM etc. or the hard way with VBScripts scanning the logs periodically.  Will have to try this, thanks!

Steve
AmazingTech

Any service or a particular service?
bsharath (ASKER)

Hi AT, a particular service:
Sophos Anti Virus service
Of course you could always just stop the user being able to stop/start services by taking away their admin rights... then allow them if required to stop/start via a different user account which they run from a batch file... stops/starts the service and sends the required email...

Like Amazingtech says.... what do you want to watch?  And if the user has rights to stop/start services they will most likely have rights to stop anything you put on there to watch them...
Yes, the users have the permissions, that's why we need to monitor if they stop or disable. As we have already warned all not to do so.

Just put it in the HR terms and conditions that they must not change their computer configuration and take any admin rights away :-)
Admin rights are a must for their product installations... -(
The event triggers will help you to narrow down who's doing it ;-)
Hey check this out. This is ultra cool...

Any service monitoring for now. Can add email later.

You can monitor a remote computer too from your workstation by changing strComputer.

Original script can be found here:
http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx?mfr=true

I rem'd 1 line.
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Poll once per second for any change to a Win32_Service instance
Set colMonitorProcess = objWMIService.ExecNotificationQuery _
    ("SELECT * FROM __InstanceModificationEvent WITHIN 1 " & _
    "WHERE TargetInstance ISA 'Win32_Service'")
WScript.Echo "Waiting for service to be modified ..."
REM Set objLatestEvent = colMonitorProcess.NextEvent

Do
    ' NextEvent blocks until a service is modified
    Set objLatestEvent = colMonitorProcess.NextEvent
    WScript.Echo vbCrLf & "Service Name: " & objLatestEvent.TargetInstance.Name
    WScript.Echo "Status: " & objLatestEvent.TargetInstance.State
    WScript.Echo "Startup Type: " & objLatestEvent.TargetInstance.StartMode
    WScript.Echo "Time: " & Now
Loop

You can try applying compatws.inf security template and then take away admin rights
 
http://support.microsoft.com/kb/269259 
Sorry my link didn't take you directly to the MS page.

http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx?mfr=true

Click on Scripting Techniques - Events and Monitoring - Monitor Service Modification Events

dragon-it:

Click on Logs - Event Logs - Monitor Event Logs in Real Time
ASKER CERTIFIED SOLUTION
AmazingTech

This solution is only available to members.
Hi AT...

Should I save this file as a scheduled scan or in the startup...
Easiest would be to have it start in a logon script.

Or create a GPO User logon script to start it.

You might want to add ON ERROR RESUME NEXT to the first line of the code.

This is meant to be run on all computers by the user. It will run silently in the background waiting for the Sophos service to change. I will assume the service is already started when the user logs on.
Thank you.... :-)
Hi AT, I need to add 6 services to monitor. What should I add in the script?
I think this should do it.

Add as many Case "ServiceName" as you want.
Set ws = WScript.CreateObject("WScript.Shell")
strComputer = ws.ExpandEnvironmentStrings("%COMPUTERNAME%")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Poll once per second for any change to a Win32_Service instance
Set colMonitorProcess = objWMIService.ExecNotificationQuery _
    ("SELECT * FROM __InstanceModificationEvent WITHIN 1 " & _
    "WHERE TargetInstance ISA 'Win32_Service'")
Set cdoMail = CreateObject("CDO.Message")
Set cdoConf = CreateObject("CDO.Configuration")

cdoMail.Subject = "Sophos Anti Virus Alert Mail"
cdoMail.From = "FROM@CO.COM"
cdoMail.To = "TO@CO.COM"

sch = "http://schemas.microsoft.com/cdo/configuration/"

' sendusing = 2: send over the network to the SMTP server named below
cdoConf.Fields.Item(sch & "sendusing") = 2
cdoConf.Fields.Item(sch & "smtpserver") = "SMTPFORYOURENVIRONMENT"
cdoConf.Fields.Item(sch & "smtpserverport") = 25
' smtpauthenticate = 0: no SMTP authentication
cdoConf.Fields.Item(sch & "smtpauthenticate") = 0
cdoConf.Fields.Update

Set cdoMail.Configuration = cdoConf

cdoMail.Fields.Item("urn:schemas:mailheader:X-MSMail-Priority") = "High" ' For Outlook 2003
cdoMail.Fields.Item("urn:schemas:mailheader:X-Priority") = 2 ' For Outlook 2003 also
cdoMail.Fields.Item("urn:schemas:httpmail:importance") = 2 ' For Outlook Express

Do
    ' NextEvent blocks until a service is modified
    Set objLatestEvent = colMonitorProcess.NextEvent

    ' Mail only for the services listed here; add one Case per service name
    Select Case objLatestEvent.TargetInstance.Name
        Case "Sophos"
            SendMail = True

        Case "Spooler"
            SendMail = True

        Case Else
            SendMail = False
    End Select

    If SendMail Then
        cdoMail.TextBody = vbCrLf & "Computer Name: " & strComputer
        cdoMail.TextBody = cdoMail.TextBody & vbCrLf & "Service Name: " & objLatestEvent.TargetInstance.Name
        cdoMail.TextBody = cdoMail.TextBody & vbCrLf & "Status: " & objLatestEvent.TargetInstance.State
        cdoMail.TextBody = cdoMail.TextBody & vbCrLf & "Startup Type: " & objLatestEvent.TargetInstance.StartMode
        cdoMail.TextBody = cdoMail.TextBody & vbCrLf & "Time: " & Now
        cdoMail.Fields.Update

        cdoMail.Send
    End If
Loop

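Added example, not part of the thread and not AmazingTech's script: the scripts above fire on every service modification, including starts. This variant compares the event's PreviousInstance with its TargetInstance and reports only a stop or a change to Disabled. The watched names (`EXAMPLE_AV_SERVICE` is a placeholder) and the `Classify` helper are assumptions for illustration; run it with cscript so the alert lines go to the console, or send them with the CDO code from the thread.

```vbscript
Option Explicit
Dim strComputer, objWMIService, colEvents, objEvent, objPrev, objCur
Dim dictWatched, strReason

strComputer = "."

' Service names to watch (the Name column of Win32_Service); placeholders.
Set dictWatched = CreateObject("Scripting.Dictionary")
dictWatched.CompareMode = vbTextCompare   ' service names are case-insensitive
dictWatched.Add "Spooler", True
dictWatched.Add "EXAMPLE_AV_SERVICE", True

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecNotificationQuery( _
    "SELECT * FROM __InstanceModificationEvent WITHIN 1 " & _
    "WHERE TargetInstance ISA 'Win32_Service'")

Do
    Set objEvent = colEvents.NextEvent
    Set objPrev = objEvent.PreviousInstance   ' service before the change
    Set objCur = objEvent.TargetInstance      ' service after the change
    If dictWatched.Exists(objCur.Name) Then
        strReason = Classify(objPrev.State, objCur.State, _
                             objPrev.StartMode, objCur.StartMode)
        If strReason <> "" Then
            WScript.Echo Now & " " & objCur.SystemName & " " & _
                objCur.Name & ": " & strReason
        End If
    End If
Loop

' Returns "" unless the change is a stop or a switch to Disabled.
Function Classify(prevState, curState, prevMode, curMode)
    Classify = ""
    ' Testing only the previous state for Running/Paused yields one alert
    ' per stop, even when both "Stop Pending" and "Stopped" are observed.
    If (prevState = "Running" Or prevState = "Paused") And _
       (curState = "Stop Pending" Or curState = "Stopped") Then
        Classify = "stopped (" & prevState & " -> " & curState & ")"
    End If
    If prevMode <> "Disabled" And curMode = "Disabled" Then
        If Classify <> "" Then Classify = Classify & "; "
        Classify = Classify & "disabled (" & prevMode & " -> " & curMode & ")"
    End If
End Function
```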