1

I have a very strange thing happening on a Windows 10 machine.

I have a Windows service that is set to start up manually. I wrote a script that starts the service when on the desktop. Basically a net start thing.

What happens is when I log off then log back on, the service automatically starts. I am using a "ForceAutoLogon" which bounces me off the logon screen right back into Windows, but it doesn't affect any of my other Windows 10 machines running the same service.

How is this possible? Has anyone seen anything like this before? Is there some setting in Windows or service that is preserving the state of the service?

Andy
  • Which service is this? – music2myear Jan 06 '17 at 22:08
  • Also, what is the exact trigger you describe as "when on the desktop"? Is that a scheduled task that runs when the desktop loads, or simply a script that you have saved in a file on your desktop that you intend to run manually? – music2myear Jan 06 '17 at 22:09
  • Something demands the service. [What is the difference between “manual” and “disabled” service in Windows?](http://superuser.com/q/285997/432690) – Kamil Maciorowski Jan 06 '17 at 22:15
  • @music2myear - Oculus Rift service. And, `net start` is run from a bat file... from the desktop by double-click. I have started the service, gone into Services, disabled the service completely, then logoff-logon and it starts right back up. It will be in the service list as disabled, but running. – Andy Jan 06 '17 at 22:26
  • Have you checked if there is a program running each time the computer is started (not a service) that is starting the service? Look for any Oculus Rift-related applications that start with each logon. – music2myear Jan 06 '17 at 22:30
  • @music2myear -- Yes... I have Autoruns installed and went through that entire list. This is a fresh Windows 10 install on a new Alienware/Dell SKU. So maybe there is something that Alienware/Dell installed? I tried removing all their crap-ware, but the problem still persists. No other SKU in my building has this issue. – Andy Jan 06 '17 at 22:36
  • If the service is not started (but set to manual in service app), then log off/on... it doesn't start. That's what's puzzling. It only starts if it was started before the logoff occurs. – Andy Jan 06 '17 at 22:38

2 Answers

1

This is a bug (or a hidden setting in Windows). I have a service that I only start from the command line that is set to manual, but Windows starts it if it was running when I shut down. It may be caused by that irritating fast boot thing that saves the PC state and does not do a proper reboot. I believe Microsoft forced this on users to discourage dual boot systems with Linux and Windows 10.

0

Event Viewer used to record information about the start of each service (https://stackoverflow.com/a/496675/704977), but apparently does not any longer.

Instead, you should be able to audit the security for a specific service using the Security Templates tool: http://windowsitpro.com/systems-management/access-denied-auditing-users-who-might-be-starting-and-stopping-services

  1. Open MMC and add a snap-in.
  2. Choose the Security Templates snap-in and add it to the Console.
  3. Create a new template and give it a name.
  4. Open the new template, double-click on System Services to view a list of the services on your computer.
  5. Double-click the troublesome Oculus service and click to enable Define this policy setting in the template.
  6. Click Edit Security.
  7. Click Advanced.
  8. Click Auditing.
  9. Click Add.
  10. Click Select a principal, make sure From this location is set to your computer, enter everyone, and click OK.
  11. Select Start, stop and pause under Basic Permissions.
  12. Click OK.

Now you'll right-click on the template and save it.

Next, add the Security Configuration and Analysis snap-in to the console, open (or create) a database, and import the template you just created into the database.

Now you'll be able to look in the Security Log for Event ID 560 indicating a success audit when the Object Name is the short name of the service you're tracing, and the logged accesses include the Start and Stop commands sent to that service.

music2myear
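
A read-only PowerShell check that complements the two answers above, added here as an example and not taken from either answer: it reports the service's start mode, state and process creation time (to tell whether the process really was started again after logon), the Fast Startup setting, any trigger-start configuration, and the audit ACEs that the Security Templates procedure should have placed in the service's SACL. `<ServiceShortName>` is a placeholder for the service's short name; run it from an elevated prompt.

```powershell
# Added example. Placeholder: replace with the service's short name
# (the "Service name" field on the service's Properties page).
$ServiceName = '<ServiceShortName>'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Creation time of the service's process (ProcessId is 0 when the service is stopped).
# If this time is earlier than your last logon, the process was never restarted.
$procStart = $null
if ($svc.ProcessId -ne 0) {
    $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId=$($svc.ProcessId)"
    if ($proc) { $procStart = $proc.CreationDate }
}

# Fast Startup ("fast boot") setting: HiberbootEnabled = 1 means it is turned on.
$power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' `
    -Name HiberbootEnabled -ErrorAction SilentlyContinue

[pscustomobject]@{
    Service        = $svc.Name
    StartMode      = $svc.StartMode      # Auto, Manual or Disabled
    State          = $svc.State
    ProcessId      = $svc.ProcessId
    ProcessStarted = $procStart
    LastBoot       = $os.LastBootUpTime
    FastStartup    = if ($power) { [bool]$power.HiberbootEnabled } else { 'value not present' }
} | Format-List

# Trigger-start configuration: a Manual service can still be started by a trigger.
sc.exe qtriggerinfo $ServiceName

# Security descriptor in SDDL form; the part after "S:" is the SACL (audit entries).
$sddl = (sc.exe sdshow $ServiceName | Where-Object { $_.Trim() }) -join ''
if ($sddl -match 'S:(?<sacl>.*)$') {
    # Audit ACEs look like (AU;SA;RPWPDT;;;WD): SA = success audit, WD = Everyone,
    # RP = start, WP = stop, DT = pause/continue.
    [regex]::Matches($Matches.sacl, '\(AU;[^)]*\)') | ForEach-Object { $_.Value }
} else {
    Write-Warning 'No SACL returned: not elevated, or no audit entries are set.'
}
```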