How to log windows services being triggered

Generic Retard

Generic Retard

kiwifarms.net
Joined
Jan 31, 2021
So I have this problem with my gaming machine (Win10).
It can freeze up completely (no bsod) sometimes, like once a month.
Usually it will happen while or shortly after me playing Overwatch (maybe relevant, maybe not).
The last thing in the event log is an elevated logon from service.exe, probably starting up some service which was triggered by something.
(No events from the Service Manager, so nothing about starting a service or the name of said service).

The audit logon event is so close to the crash (like within the minute), that it can't be a coincidence.
How do I find out which service was triggered?
Why is windows so shit with logging?

If you search this shit you only get SEO grifts or Pajeets answering shit nobody asked on the Microsoft sites...
I am thankful for any hints you have.
 
  • Like
  • Informative
Reactions: Toolbox, Suikafag and m1ddl3m4rch
You could forward the syslog events from your machine to an evidence collector. There are FOSS SIEM solutions that you can run on your own hardware. You'd want to dump the logs every couple days because it will take up a lot of space, but you could actually see the event logs. There is a community (free) edition of nxlog that you would just put on your gaming machine, edit the configs to send to a collector machine on your LAN (just point to standard ports of UDP/TCP 514, and UDP 515 for syslog, and TCP 515 for json).
 
Had a similar story with my first PC, it just randomly froze with no warning. Turns out my GPU was the culprit.

First I would suggest double-checking things hardware related like the RAM or expansion cards. Maybe clean the contacts? Have you tried swapping your GPU out?
 
Gatdam Animal Person said:
Had a similar story with my first PC, it just randomly froze with no warning. Turns out my GPU was the culprit.

First I would suggest double-checking things hardware related like the RAM or expansion cards. Maybe clean the contacts? Have you tried swapping your GPU out?
Click to expand...
No external GPU, RAM was tested the first time this occured.
As for expansion cards there is only WiFi and a PCI-E SSD (which came after the problem manifested).
No events around the time of the freeze (more than 10s of minutes off) other than that logon audit...
 
  • Informative
Reactions: Gatdam Animal Person
Not exactly what you asked but if I had to wager a guess I'd suspect the power supply. Try agressively shifting loads with CPU and GPU stress tests, preferably both at the same time. If you can reproduce the crashes you might as well replace it at that point.
 
  • Thunk-Provoking
Reactions: Generic Retard
AmpleApricots said:
Not exactly what you asked but if I had to wager a guess I'd suspect the power supply. Try agressively shifting loads with CPU and GPU stress tests, preferably both at the same time. If you can reproduce the crashes you might as well replace it at that point.
Click to expand...
I can try that.
It's not entirely impossible, but still the freezes happen only with Overwatch and I think (now I remember) once with DMC V.
Although load shifting should not have been the case. DMC V was while menuing IIRC and all the Overwatch ones were either alt+tabbing in or just after closing (like 1-2 minutes after).
On the other hand. The freezes also often come while it is late at night over here and I have suspected some kind of Windows Update service to be at fault.
(Update came in yesterday, the times before a new update came in a few days later).

The old inscription keep telling me to just reinstall the OS, because Windows shits it's pants after a few years anyway.
So maybe that's the solution if the PSU is healthy.
 
If it only happens when playing certain games, maybe it's a GPU driver issue. Try doing a clean install of the latest drivers.
 
  • Agree
Reactions: Smaug's Smokey Hole
Generic Retard said:
I can try that.
It's not entirely impossible, but still the freezes happen only with Overwatch and I think (now I remember) once with DMC V.
Although load shifting should not have been the case. DMC V was while menuing IIRC and all the Overwatch ones were either alt+tabbing in or just after closing (like 1-2 minutes after).
On the other hand. The freezes also often come while it is late at night over here and I have suspected some kind of Windows Update service to be at fault.
(Update came in yesterday, the times before a new update came in a few days later).

The old inscription keep telling me to just reinstall the OS, because Windows shits it's pants after a few years anyway.
So maybe that's the solution if the PSU is healthy.
Click to expand...
Could be related to DRM(Denuvo in DMC5) or anti-cheat(??? in Overwatch) fucking something up when releasing their grip on windows.

But update iGPU drivers AND chipset/wifi/storage drivers. Are you on an AMD platform?
 
Smaug's Smokey Hole said:
Could be related to DRM(Denuvo in DMC5) or anti-cheat(??? in Overwatch) fucking something up when releasing their grip on windows.

But update iGPU drivers AND chipset/wifi/storage drivers. Are you on an AMD platform?
Click to expand...
Yeah AMD Ryzen APU :)
Can play almost everything decently for the cost of a PS4. Everything is up to date, will see how the latest updates do (had updated before but maybe the problem is gone who knows).

I suspect the former as well and that is getting some service to fail horribly when triggered. But I can't see which service it is that gets called 10s-30s before freeze.
 
Generic Retard said:
Yeah AMD Ryzen APU :)
Can play almost everything decently for the cost of a PS4. Everything is up to date, will see how the latest updates do (had updated before but maybe the problem is gone who knows).

I suspect the former as well and that is getting some service to fail horribly when triggered. But I can't see which service it is that gets called 10s-30s before freeze.
Click to expand...
I suspected that. There's sometimes (for reasons I don't understand but I have experienced it both recently and in the past) problems with those and it is driver related or related to updates or a combination of the two. You can buy four identical Ryzen laptops at the same time, let them install and update next to each other in the same room and one might have weird crashes related to games while the others are perfectly fine. And it is not a hardware problem.

Uninstall drivers, update drives, try older drivers, never let Windows touch or update anything related to GPU/APU drivers so take a peek at device manager from time to time - in my experience when you find the thing that works the problem will be gone forever, even when using future driver versions. It's like kicking something back into alignment.
 
  • Informative
Reactions: Generic Retard
I've had that happen, it's the fucking ATI driver every time. It's also a hard crash, you can't just win ctrl shift b to reboot it.

Updating drivers does not fix it, rolling drivers back does not fix it.
 
  • Informative
Reactions: Generic Retard
ZipDisk said:
I've had that happen, it's the fucking ATI driver every time. It's also a hard crash, you can't just win ctrl shift b to reboot it.

Updating drivers does not fix it, rolling drivers back does not fix it.
Click to expand...
Did you get a log from the drivers, or an event I can check?
Because I can't see what's causing it exactly.
 
It's something like ATIRX and then a bunch of gibberish, if you look at it in your event viewer it should start up about 10 seconds before your crashes.
I believe it's logged as an application error.

It used to happen to me at least once a week. Another thing to check is to make sure the bullshit adrenaline software is shut off, because that thing pulls nonsense in the background constantly.

The last time it happened to me it wasn't even a game, I was watching sopranos clips on youtube.

I don't have the exact name right now because I just did a 10 reinstall.
 
  • Feels
Reactions: Smaug's Smokey Hole
service.exe? That's interesting, because in Windows 10 services are ran through an executable called svchost.exe, service.exe sounds oddly generic and also it's not found anywhere in Windows 10. Therefore it's either a virus or it comes from some other software. Use this to find that service.exe file.
 
  • Like
  • Agree
  • Thunk-Provoking
Reactions: Smaug's Smokey Hole, Toolbox, ⠠⠠⠅⠑⠋⠋⠁⠇⠎ ⠠⠠⠊⠎ ⠠⠠⠁ ⠠⠠⠋⠁⠛ and 1 other person
Slav Power said:
service.exe? That's interesting, because in Windows 10 services are ran through an executable called svchost.exe, service.exe sounds oddly generic and also it's not found anywhere in Windows 10. Therefore it's either a virus or it comes from some other software. Use this to find that service.exe file.
Click to expand...
this...

and as others said, try fucking with the drivers to see if it's fixed.

It should be noted that you can log every process that starts. I assume that would include services. See:

For other logging information, check out

And if the regular windows logging isn't enough, you can do some crazy stuff with sysmon.
 
  • Informative
  • Like
Reactions: Smaug's Smokey Hole, Toolbox and Generic Retard
Last edited:
Generic Retard said:
It's called serviceS.exe, it's not a Virus. I just made a mistake.

This looks exactly like what I need, thanks!

Edit:
It seems to work.
I have to listen for 2 creation events though:
services.exe calls svchost.exe which then calls up the service
Click to expand...
Good news. With what you enabled.. is that giving you the full command line svchost is called with (i.e. the name of the actual service being called)?
 
3119967d0c said:
Good news. With what you enabled.. is that giving you the full command line svchost is called with (i.e. the name of the actual service being called)?
Click to expand...
Nah, I wish.
It just tells me which process spawns which, no parameters.
But there is a second event logging the next call.
 
Generic Retard said:
Nah, I wish.
It just tells me which process spawns which, no parameters.
But there is a second event logging the next call.
Click to expand...
You should be able to enable this through
gpedit.msc
Administrative Templates > System > Audit Process Creation > set Include Command Line in Process Creation Events to enabled.
then run
gpupdate /force

Run both as Administrator obv
 
  • Informative
Reactions: Smaug's Smokey Hole
You must log in or register to reply here.
Back