1

We have a need to detect installation of new services on our application servers. These are Windows 2016 & 2019 servers. I decided to write and schedule a PS script that will run twice a day. This script will count the number of existing services in the morning. It will run again in the evening. If the services count is higher in the evening, it will create an entry in the Event Viewer log. This will be picked up by SCOM and an alert generated.

This is what I have done so far:

    $Kaizen = (Get-Service | Measure-Object).Count  # current number of installed services
    $Vic = 800  # Arbitrary baseline used for testing; set it below the real count to make the alert fire
    If ($Kaizen -gt $Vic)
       {
        # Write-EventLog needs a source registered to the target log; 'PowerShell' is registered to 'Windows PowerShell'.
        # The backtick continues the command onto the next line.
        Write-EventLog -LogName "Windows PowerShell" -Source 'PowerShell' -EntryType Error `
        -EventId 45874 -Message "New Service detected"
       }


The above script works, but I would prefer not to use static data as in $Vic. It is preferable that the script captures the services count in the morning, stores it and reuses it for comparison in the evening. Secondly, we need the script to include the name or description of the new service detected in the -Message.

FemiA
  • 13
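The following is an added example, not the asker's script, of the snapshot approach described in the question done without a hard-coded count: the morning run persists the list of service names to a file, the evening run diffs against it and writes the names of any new services into the event message. Diffing by name rather than by count also catches the case where one service is removed and another installed on the same day, which leaves the count unchanged. The baseline path under ProgramData, the `-Baseline` switch and the reuse of event ID 45874 are assumptions for the example.

```powershell
# Added example (not from the original post). Schedule two runs: one with -Baseline in the
# morning, one without it in the evening. Baseline path and event ID are assumptions.
param(
    [string]$BaselinePath = "$env:ProgramData\ServiceBaseline\services.json",
    [switch]$Baseline
)

# Capture every installed service with the fields we want to report on later.
function Get-ServiceSnapshot {
    Get-Service | Select-Object Name, DisplayName, StartType | Sort-Object Name
}

$current = Get-ServiceSnapshot

if ($Baseline -or -not (Test-Path $BaselinePath)) {
    # Morning run (or first ever run): persist the snapshot and stop.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    return
}

# Evening run: load the morning snapshot and find services whose name was not in it.
$previous      = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$previousNames = @($previous.Name)
$new           = @($current | Where-Object { $previousNames -notcontains $_.Name })

if ($new.Count -gt 0) {
    # Put name, display name and start type of each new service into the message body.
    $details = ($new | ForEach-Object {
        "$($_.Name) ($($_.DisplayName), StartType=$($_.StartType))"
    }) -join "; "

    # 'PowerShell' is a source already registered to the 'Windows PowerShell' log, so no
    # New-EventLog registration is needed. SCOM can key on the event ID.
    Write-EventLog -LogName 'Windows PowerShell' -Source 'PowerShell' -EntryType Error `
        -EventId 45874 -Message "New service(s) detected since baseline: $details"
}
```

The evening run can be made to refresh the baseline afterwards by appending a `-Baseline` run to the same task, so the comparison window is always the last interval rather than a fixed morning snapshot.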

1 Answer

1

You can do better than counting the number of system services by using the service-installation event.

The event to use is Event ID 7045: A new service was installed in the system:

A new service was installed by the user indicated in the subject. Subject often identifies the local system (SYSTEM) for services installed as part of native Windows components and therefore you can't determine who actually initiated the installation.

The event logs the following information:

Subject

  • Security ID
  • Account Name
  • Account Domain
  • Logon ID

Service information

  • Service name
  • Service start type
  • Service account

Failure Information

  • Reason
  • Return code

Your PowerShell script can consult the Event Viewer log. Alternatively, you may create an event trigger via the Task Scheduler that will call your script with all the details and either log or email them.

harrymc
  • 498,455
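As an added example (not code from the answer above), this is how the event-based approach looks in PowerShell: event 7045 is written to the System log by the Service Control Manager provider, and its EventData carries the service name, image path, service type, start type and account. The Subject and Failure Information fields listed in the answer belong to the Security-log counterpart, event 4697, which is only written when the "Audit Security System Extension" subcategory is enabled; the System-log 7045 needs no audit policy, which is why it is used here. The 12-hour lookback and the reuse of event ID 45874 for the SCOM-visible summary are assumptions.

```powershell
# Added example (not from the original answer). Reads Service Control Manager event 7045
# from the System log and re-logs a summary SCOM can pick up. Lookback and event ID are assumptions.
function Get-NewServiceInstalls {
    param([datetime]$Since = (Get-Date).AddHours(-12))

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = $Since
    }
    # Get-WinEvent errors out when nothing matches; treat that as "no new services".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The rendered message is localized; the EventData field names are not, so parse the XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Computer    = $_.MachineName
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
            ServiceType = $data['ServiceType']
            StartType   = $data['StartType']
            Account     = $data['AccountName']
        }
    }
}

$installs = @(Get-NewServiceInstalls)
if ($installs.Count -gt 0) {
    # One line per install; the image path is the field worth eyeballing for unexpected binaries.
    $lines = $installs | ForEach-Object {
        "$($_.Time) $($_.ServiceName) -> $($_.ImagePath) (start=$($_.StartType), account=$($_.Account))"
    }
    Write-EventLog -LogName 'Windows PowerShell' -Source 'PowerShell' -EntryType Error `
        -EventId 45874 -Message ("New service(s) installed:`n" + ($lines -join "`n"))
}
```

If SCOM can already collect from the System log, the simpler option is to alert directly on Service Control Manager 7045 there and skip the re-logging step; the script is then only needed to enrich or email the details, for example from a Task Scheduler task triggered "On an event" for that log, source and ID.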