http://sqlblog.com/blogs/ben_miller/archive/2008/07/10/finding-out-who-stopped-sql-server.aspxThis is the latest quest of the day. I am appealing to all those that have a great handle on how Windows events happen and whether or not they are kept or just logged. If you get an event in the Event Viewer that indicates that "Service Control Manager"enCommunityServer 2.1 SP2 (Build: 61129.1)http://sqlblog.com/blogs/ben_miller/archive/2008/07/10/finding-out-who-stopped-sql-server.aspx#7778Thu, 10 Jul 2008 19:25:51 GMT21093a07-8b3d-42db-8cbf-3350fcbf5496:7778Cooper<p>Is SQL Server clustered?</p> http://sqlblog.com/blogs/ben_miller/archive/2008/07/10/finding-out-who-stopped-sql-server.aspx#7784Fri, 11 Jul 2008 11:40:48 GMT21093a07-8b3d-42db-8cbf-3350fcbf5496:7784alphatross<p>It's not perfect (and only works if the culprit had an interactive logon to the server), but here's what I do: find an event for an RDP logon from around the same time, or another event that has the IP address of the originating server. Then a command like &quot;nbtstat -a &lt;IP-Address&gt;&quot; will show the user who is logged on that Machine. Another option is to mine through the Security Log for Logon/ Logoff Events around the time the Service was stopped. Still, it's bad that the service control event doesn't show who stops a service, isn't it!</p> http://sqlblog.com/blogs/ben_miller/archive/2008/07/10/finding-out-who-stopped-sql-server.aspx#7818Mon, 14 Jul 2008 06:06:54 GMT21093a07-8b3d-42db-8cbf-3350fcbf5496:7818Vishal Gandhi<p>Look in System Log, Copy the entire details and post it , you &nbsp;will notice user , will this help ? </p> <p>Event Type: Information</p> <p>Event Source: Service Control Manager</p> <p>Event Category: None</p> <p>Event ID: 7035</p> <p>Date: 7/14/2008</p> <p>Time: 1:02:02 AM</p> <p>User: vishalgandhi</p> <p>Computer: xxxxxxxxxxxx</p> <p>Description:</p> <p>The SQL Server (MSSQLSERVER) service was successfully sent a stop control.</p> <p>For more information, see Help and Support Center at <a rel="nofollow" target="_new" href="http://go.microsoft.com/fwlink/events.asp">http://go.microsoft.com/fwlink/events.asp</a>.</p> http://sqlblog.com/blogs/ben_miller/archive/2008/07/10/finding-out-who-stopped-sql-server.aspx#24121Wed, 07 Apr 2010 13:24:23 GMT21093a07-8b3d-42db-8cbf-3350fcbf5496:24121Raymond<p>Vishal Gandhi - excellent advice - thanks we found our culprit.</p> http://sqlblog.com/blogs/ben_miller/archive/2008/07/10/finding-out-who-stopped-sql-server.aspx#32370Thu, 06 Jan 2011 06:09:46 GMT21093a07-8b3d-42db-8cbf-3350fcbf5496:32370Arpita<p>vishal@ thank you </p> <p>it really good post and really works.</p> http://sqlblog.com/blogs/ben_miller/archive/2008/07/10/finding-out-who-stopped-sql-server.aspx#40568Wed, 21 Dec 2011 11:38:31 GMT21093a07-8b3d-42db-8cbf-3350fcbf5496:40568Mikhail<p>Event Type: Information</p> <p>Event Source: Service Control Manager</p> <p>Event Category: None</p> <p>Event ID: 7035</p> <p>Date: 21.12.2011</p> <p>Time: 2:31:28</p> <p>User: NT AUTHORITY\SYSTEM</p> <p>Computer:c-sadmksad</p> <p>The SQL Server Agent (***) service was successfully sent a stop control.</p> <p>For more information, see Help and Support Center at <a rel="nofollow" target="_new" href="http://go.microsoft.com/fwlink/events.asp">http://go.microsoft.com/fwlink/events.asp</a>.</p> <p>We see tha user = system, but how we can recognize process name which called stop command ?</p>