Services on Windows 2012 R2 shut down with no indication

We currently have an issue where several unrelated Windows 2012 R2 services all just shut down with no error or reason in the Windows event logs. The services are a software inventory service, SQL services, the VMware Tools service, the SQL Browser service, and several server detection and monitoring services.
Looking for a way to trap this. How can we trap or identify what or how a service is shutting down on a Windows server with no indication of any error in our event logs?
mlhcab777 Asked:

Robin CM, Senior Security and Infrastructure Engineer, Commented:
You can run a task when the service control manager detects the service has stopped, event 7036, param2 = stopped.
SQL should write some info to its own text logs when it shuts down, e.g. the errorlog contains something like this:
2015-04-23 01:26:21.28 Server      SQL Server is terminating because of a system shutdown. This is an informational message only. No user action is required.

The errorlog is found in this (rough) location:
C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log
(depends on your version of SQL Server)
mlhcab777, Author, Commented:
Nothing in the logs other than the service has stopped. We are trying to find a tool that will tell us "why" it stopped. Nothing in the event logs other than it stopped. We don't know why?
Robin CM, Senior Security and Infrastructure Engineer, Commented:
What did the SQL log say? Per my example above, it seems to usually give a reason as to why it is stopping.
mlhcab777, Author, Commented:
It's not just SQL services, it also is other servers not related to SQL. They just stop with no indication at all.
Robin CM, Senior Security and Infrastructure Engineer, Commented:
The reason for getting you to check the SQL log is that SQL logs will give you a reason as to why SQL has shut down, which might well be the same reason the other services are stopping - or might at least give you a clue. Hence why I posted the example log text above where SQL states that it is shutting down because of a system shutdown.
mlhcab777, Author, Commented:
I have my SQL guys on that, there is no indication in the SQL log as to the "why".
Robin CM, Senior Security and Infrastructure Engineer, Commented:
You could try disabling the Windows Update service for a few days and see if that has any effect. Could be trying to install product updates. You should see evidence of this in the logs.
Do they stop totally randomly, or can you predict when it is going to happen?
Robin CM, Senior Security and Infrastructure Engineer, Commented:
Have you tried working around it by setting the service recovery actions to restart the service?

I assume you are getting the Service Control Manager events in the System Event Log when each service stops?
Robin CM, Senior Security and Infrastructure Engineer, Commented:
Perhaps we should enable auditing and sift through the junk that creates.
It will tell you who stopped the service, which might be worth the effort.
It's a little fiddly, and I've been trying to find an article to save me having to write it all out (!).
This one kinda gives you enough, but you'll have to hunt for some of the bits as they've changed slightly. http://windowsitpro.com/systems-management/access-denied-auditing-users-who-might-be-starting-and-stopping-services
Note the bit about enabling "Audit object access" for success at the bottom.
Then you're looking for event 4656 in the Security event log, where the ObjectName attribute is the name of the service that has been stopped. I suggest using the Details Friendly view as it's easier to see the ObjectName, then switch to the General view to check the Accesses.
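
The two checks suggested in this thread (Service Control Manager event 7036 with param2 = stopped, and Security event 4656 matched on ObjectName) can be correlated in one pass. The script below is an added example, not part of the original thread. It assumes "Audit object access" (success) and the per-service audit entries are already configured, that it runs elevated, and that 4656 records the short service name while 7036 records the display name; the look-back and correlation windows are arbitrary choices.

```powershell
# Added example: list each service stop (7036) with the account and process that
# requested a handle to that service (4656) shortly before it stopped.
$since  = (Get-Date).AddDays(-1)   # assumed look-back window
$window = 10                       # assumed: seconds before the stop to search

function Get-EventField($Record) {
    # Flatten <EventData><Data Name="..."> into a hashtable keyed by field name.
    $h = @{}
    ([xml]$Record.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name } | ForEach-Object { $h[$_.Name] = $_.'#text' }
    $h
}

# Service Control Manager state changes; keep only transitions to "stopped".
$stops = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7036; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_).param2 -eq 'stopped' }

# Handle-request audit events, parsed once.
$audits = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4656; StartTime = $since
} -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; F = (Get-EventField $_) } }

foreach ($stop in $stops) {
    $display = (Get-EventField $stop).param1
    # Map the display name to the short service name; match on either to be safe.
    $svc   = Get-Service -DisplayName $display -ErrorAction SilentlyContinue |
                 Select-Object -First 1
    $names = @($display) + @($svc | ForEach-Object { $_.Name })
    $hits  = @($audits | Where-Object {
        $_.F.ObjectName -in $names -and
        $_.Time -le $stop.TimeCreated -and
        $_.Time -ge $stop.TimeCreated.AddSeconds(-$window)
    })
    if (-not $hits) {
        # No audited handle request in the window for this stop.
        [pscustomobject]@{ Stopped = $stop.TimeCreated; Service = $display
                           Account = '(no 4656 in window)'; Process = $null; Accesses = $null }
    }
    foreach ($h in $hits) {
        [pscustomobject]@{ Stopped = $stop.TimeCreated; Service = $display
                           Account  = "$($h.F.SubjectDomainName)\$($h.F.SubjectUserName)"
                           Process  = $h.F.ProcessName; Accesses = $h.F.AccessList }
    }
}
```

The Accesses column holds the raw access codes from the event data; the General view of the event in Event Viewer renders them as text.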
