Geoff Chappell, Software Analyst
Although services are Win32 programs, they typically do not interact with the graphical user interface. Indeed, they are discouraged from doing so and Windows Vista does not even permit them to. For users to know what has happened with services, entries in the Event Log are especially important. It may help to have an overview. There are, of course, events that can be logged by particular services, if they get to execute, but attention here is confined just to events that are logged by the Service Control Manager (SERVICES.EXE). These are valuable for showing what was intended from the system’s perspective, e.g., as a record of why a particular service didn’t get to run.
In Windows Vista, SERVICES is actually three event providers:
| Provider | Log |
|---|---|
| Service Control Manager | System |
| Microsoft-Windows-Services | Microsoft-Windows-Services/Diagnostic |
| WdiContextLog | |
| Service Control Manager Trace | SCM |
Most conspicuous is that SERVICES writes to the System log. Indeed, it is by far the most active contributor to that log in typical conditions. SERVICES also writes to an analytic log which is listed in the Event Viewer but is not ordinarily enabled (and is not easily enabled). Finally, there is a large amount of WPP Software Tracing which is hard-coded to run at startup. This captures a very detailed record of SERVICES’s execution, but the collected data is ordinarily going to be understood only by Microsoft’s own programmers who have the SERVICES source code for reference.