Find out who disabled a Windows service

eventviewer, service, windows-server-2008

I was doing some fault finding, and I've discovered two services which should be set to automatic have been set to disabled.

What is the best way to find out who did this? It could be someone from my company, or it could be someone client-side. It would be enough to determine the user account.

I've had a look in the Windows Event Viewer, but, to be honest, I'm not sure what I'm looking for, and there is a lot to work through. Nothing has jumped out at me, but I suspect it's just that I don't know what I'm looking for.

Best Answer

When the start type of a service is changed, an event is recorded in the system event log, with id 7040 and source Service Control Manager.

The user that performed the operation is displayed in the event (obfuscated in the screenshot below).

So you have to find those events in your event logs; hopefully you will directly have the user name.

If it is a generic user name, such as "administrator", then it's time to stop using generic accounts, and you'll have to correlate the date / time of the event with other info you could get from other logs (like Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, which can give you the source IP of a remote desktop session).
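One way to pull those 7040 events and the nearby Remote Desktop logons together in PowerShell, as an added example that is not part of the original answer. It assumes local administrator rights on the server (or a remote `-ComputerName` you can read logs from), and that events 21 and 25 in the LocalSessionManager log (session logon and session reconnection) carry the "Source Network Address" line, which is how that log exposes the client IP:

```powershell
# Added example: list service start-type changes (System log, event 7040, source
# Service Control Manager) and any Remote Desktop sessions around each change.
param(
    [string]$ComputerName  = $env:COMPUTERNAME,
    [string]$ServiceName   = '*',   # narrow to one service, e.g. 'Spooler'
    [int]   $Days          = 30,
    [int]   $WindowMinutes = 60
)

$changes = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7040
    StartTime    = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$ServiceName*" }

foreach ($e in $changes) {
    # UserId is the SID of the account that made the change; translate it when possible.
    $user = try { $e.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { "$($e.UserId)" }

    # RDP logons / reconnects within +/- $WindowMinutes of the change (events 21 and 25).
    $rdp = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 25
        StartTime = $e.TimeCreated.AddMinutes(-$WindowMinutes)
        EndTime   = $e.TimeCreated.AddMinutes($WindowMinutes)
    } -ErrorAction SilentlyContinue

    # Each 21/25 message contains "User: DOMAIN\name" and "Source Network Address: <ip>".
    $sessions = foreach ($r in $rdp) {
        $u  = [regex]::Match($r.Message, 'User:\s*(\S+)').Groups[1].Value
        $ip = [regex]::Match($r.Message, 'Source Network Address:\s*(\S+)').Groups[1].Value
        '{0:HH:mm:ss} {1} from {2}' -f $r.TimeCreated, $u, $ip
    }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $user
        Change      = ($e.Message -split "`r?`n")[0]
        RdpSessions = ($sessions -join '; ')
    }
}
```

Note that 7040 is also logged for legitimate start-type changes made by the system itself (for example some services are toggled during boot or updates), so filter on the service you care about and read the message text rather than relying on the count of events.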