Solved

How can I find out who turned off a service?

Posted on 2004-04-29
5
197 Views
Last Modified: 2013-12-04
Someone apparently looged into one of my companies servers and turned off the Veritas Backup service and my Exchange job failed, where can I find exactly who did this.  Thanks all...

Sorry to sound like a newbie, but I want to get a really accurate answer to this question as well as any short cuts or suggesstions  from folks who are experienced investigators of this type of scenario.
0
Comment
Question by:copio
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 16

Assisted Solution

by:JamesDS
JamesDS earned 100 total points
ID: 10948218
copio
Unless you have "privelidge use" auditing switched on the server in question, it is impossible to tell.


Cheers

JamesDS
0
 
LVL 67

Accepted Solution

by:
sirbounty earned 150 total points
ID: 10948277
Well, it's easier if you have some sort of system logging/auditing enabled, which isn't, by default, I'm afraid.
However, if you have a time range in mind - and if they did it locally, you should be able to match up the security logs from your server's EventVwr with the time an administrative account logged on.

But backing up a bit - what makes you think someone actually stopped it?  BE services crap out sometimes.  Have you checked the eventvwr system logs and application logs for anything related to Backup Exec?  Perhaps an error log was generated - also check %systemroot%\drwtsn32.log or %systemroot%\system32\drwtsn32.log (I forget exactly where it's stored - so performa search).

If you're using Windows 2000 or above, you can also check the Recovery tab to have it restart after a failure (but you probably already know this).

Which service exactly was it?
0
 
LVL 12

Assisted Solution

by:trywaredk
trywaredk earned 150 total points
ID: 10948423
HOW TO: Enable and Apply Security Auditing in Windows 2000 Server and Windows 2000 Professional:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech

Event Log View EVT - analysis tool for rapid search through 64 archived logs
http://www.engagent.com/products/productsinfo.asp?product=event+log+view+evt

Sentry II enables you to manage and monitor your Windows NT/2000/XP/2003 event logs.
http://www.engagent.com/products/productsinfo.asp?product=Event+Log+Sentry

Proactively Monitor, Alert and Recover critical applications, servers and infrastructure equipment
http://www.ipmonitor.com/

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 

Author Comment

by:copio
ID: 10949413
Everyone provided great feedback, thank you all for your assisatance.  The service that was tunred off was the Backup Exec Agent on a remote Exchange server.  And I couldn't locate who the culprit was, but I wil put into place some of the suggestions given here to prevent this in the future. Thanks.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10967102
:o) Glad we could help you - thank you for the points
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question