How to find out what process issued a windows service start?
 

Hello,

I would like to find out what process starts a particular windows service (msiserver to be exact).

I mean not in the sense whats is the parent process, this is always services.exe

but which process called some API that resulted in the SCM starting the service.

It seams in win 7 and such there was a Event Log Event created by the SCM for that: https://stackoverflow.com/questions/496632/is-it-possible-to-log-who-started-or-stopped-a-windows-service
but in windows 10 its no longer present. :confused:

Any ideas?

hook the RPC server in services.exe?

Sounds tricky, could you please point me in the direction of a guide or how-to for that task.

Process Monitor filtered for OpenServiceA/W as referenced here: https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openservicea which contains the service name as a string followed by watching for StartServiceA/StartServiceW as reference here: https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-startservicea which only takes a less readable service handle should work for this purpose. Hooking RPC server sounds like a far more complicated route :D. I am surprised some registry settings or such somewhere do not exist to enable this still in Win10.

A quick example though it is in java-
You'd need to do the same for services.exe

here is a tutorial with demo source code, but in Chinese
https://bbs.pediy.com/thread-251158.htm

If the service starts automatically on boot, you may try
"autoruns" published by www.sysinternals.com

Any english version of the tutorial?

Yes, try Google Chrome or use Google Translate !

@DavidXanatos :
Deactivative "MSIserver" and, normally, the process you find will send you a message...