Window's Service set to manual startup, but automatically starting

Question

I have a very strange thing happening on a Windows 10 machine.

I have a Windows service that is set startup manually. I wrote a script that starts the service when on the desktop. Basically a net start thing.

What happens is when I Log-off then log back on, the service automatically starts. I am using a "ForceAutoLogon" which bounces me off the logon screen right back in to windows, but it doesn't affect any of my other Windows 10 machines running the same service.

How is this possible? Has anyone seen anything like this before? Is there some setting in Windows or service that is preserving the state of the service?

Answer 1

Event Viewer used to record information about the start of each service (https://stackoverflow.com/a/496675/704977), but apparently does not any longer.

Instead, you should be able to audit the security for a specific service using the Security Templates tool: http://windowsitpro.com/systems-management/access-denied-auditing-users-who-might-be-starting-and-stopping-services

1. Open MMC and add a snap-in.
2. Choose the Security Templates snap-in and add it to the Console.
3. Create a new template and give it a name.
4. Open the new template, double-click on System Services to view a list of the services on your computer.
5. Double-click the troublesome Oculus service and click to enable Define this policy setting in the template.
6. Click Edit Security.
7. Click Advanced.
8. Click Auditing.
9. Click Add.
10. Click Select a principal, make sure From this location is set to your computer, enter everyone, and click OK.
11. Select Start, stop and pause under Basic Permissions.
12. Click OK.

Now you'll right-click on the template and save it.

Next, add the Security Configuration and Analysis snap-in to the console, open (or create) a database, and import the template you just created into the database.

Now you'll be able to look in the Security Log for Event ID 560 indicating a success audit when the Object Name is the short name of the service you're tracing, and the logged accesses include the Start and Stop commands sent to that service.

Answer 2

This is a bug (or a hidden setting in windows). I have a service that I only start from the command line that is set to manual but Windows starts it if it was running when I shut down. It may be caused by that irritating fast boot thing that saves the PC state and does not do a proper reboot. I believe Microsoft forced this on users to discourage dual boot systems with Linux and Windows 10.