Review Services Start and Stop times via Windows Event Log And Powershell


Weeks ago, one of our critical applications experienced a down time because SQL Server did not auto-start post application of Windows Patches.

Over the weekend, new patches were applied and unfortunately I am just now reviewing the SQL Instances to make sure everything is good this time.

Better late than never is a silly excuse.

But, I really do have to close this Service Now ticket that requests the DBA validation; we have already exceeded our SLA.


MS Windows Event Log is not so flexible for text searches.  I am able to filter on specific categories, but forget about it when it comes to looking for just specific services start and down times.

It is easy enough to do if I issue Transact SQL Queries or just looking at datetime stamps of sql server errorlog files.

But, I wanted an excuse to script services start and stop times

I really looked old and sluggish and it took a lot longer than it should.

But, here is what we have thus far.




Here are images of the data


Detail – XML


  1. EventData
    • EventData – param1
      • SQL Server (MSSQLServer)
    • EventData – param2
      • running


# define parameters

# log system to target

# provider name
$providerName="Service Control Manager"

#event ID

# only return entries that have sql in their name

# use wilcard *message*
$messageWildcard=[string]::Concat($CHAR_WILDCARD, $message, $CHAR_WILDCARD);

# gete events use wilcard *message*
$events = Get-WinEvent -FilterHashtable @{LogName=$logName; ProviderName=$providerName; ID=$eventID} | 
			where {$_.Message -like $messageWildcard} |
			Sort-Object -Property TimeCreated -Descending 

#alternate filtering mechanism
$eventSQL = $events | where {$_.Message -like $messageWildcard};

#if data returned
if ($eventSQL) {

	#Add Service Name to object property list
	$eventSQL | Add-Member -Name 'serviceName' -Type NoteProperty -Value "";
	#Add Service Status to object property list	
	$eventSQL | Add-Member -Name 'serviceStatus' -Type NoteProperty -Value "";

	# Parse out the event message data            
	ForEach ($eventObj in $eventSQL) {  
		# Convert the event to XML            
		$eventObjXML = [xml]$eventObj.ToXml()            
		# Iterate through each one of the event Data fields
		# get handle to event // eventData // Data	
		For ($i=0; $i -lt $eventObjXML.Event.EventData.Data.Count; $i++) {            
			# get handle to event // eventData // Data // Name	
			$itemName = $eventObjXML.Event.EventData.Data[$i].name;
			# get handle to event // eventData // Data // Text
			$itemValue = $eventObjXML.Event.EventData.Data[$i].'#text';
			# if attribute name is param1, we are fetching the service name
			if ($itemName -eq "param1")
				$eventObj.serviceName = $itemValue;
			# if attribute name is param2, we are fetching the service state
			elseif ($itemName -eq "param2")
				$eventObj.serviceStatus = $itemValue;
		} ## for event data
	} ## move to next event object           
	## display data
	$eventSQL | Select-Object TimeCreated, Message, serviceName, serviceStatus | Format-List



Nothing original here as can be deduced by the many people listed in the References section.

Having acknowledged so, it still amazes how many people put in so much work and happily package it in such a way that someone else can feel comfortable following behind.

For some of us it takes a lot longer, yet we know we know we will get there someday; as there is proof others did.


Source Code Control


Availed on GitHub here.


  1. Microsoft | Technet
    1. Ashley McGlone
      • PowerShell Get-WinEvent XML Madness: Getting details from event logs
  2. Microsoft | Developer Network
    • JuanPablo Jofre
  3. Microsoft | Technet
    • The Scripting Guys
      • Use FilterHashTable to Filter Event Log with PowerShell
  4. PoshCode: PowerShell Code Repository
    • Cameron Wilson
      • Get-LatestEventFromAllLogs
  5. Mike F Robbins
    • PowerShell: Filter by User when Querying the Security Event Log with Get-WinEvent and the FilterHashTable Parameter
  6. Josh Ancel
    • Filter Event Log on Message string using PowerShell
  7. Colleen Morrow
    • Parsing Windows event logs with PowerShell
  8.  Netwrix
    • Russell Smith
      • Advanced Event Log Filtering Using PowerShell
  9. Techrepublic
    • Greg Shultz
      • How to extend your event log search capabilities with PowerShell’s Get-EventLog cmdlet
  10. 4SysOps
    • Luc Fullenwarth
    • Using Get-WinEvent to look at Windows Event Log

SQL Server – Reporting Services – Connecting Locally – Day 1


Hardening security via applying SSL Certs on a couple of Reporting Services Hosts and wanting to test them on same host, but “No Go“.



Windows Event Viewer

Checked Windows Event Viewer


Security – Headers


  1. Event ID = 4625
    • Keywords :- Audit Failure
    • Source :- Microsoft Windows Security auditing
    • Event ID :- 4625
    • Task Category :- Logon

Security – Details



  1. Event ID = 4625
    • Security ID :- NULL SID
    • Logon Type :- 3
      • Logon Type 3 is Network
    • Status :- 0xC000006D
    • Event ID :- 4625
    • Task Category :- Logon


Basically, we were prompted thrice to enter our username and password. But, unable to connect.



Internet Explorer

Checked to make that we are still unable to connect when we run in Administrator Mode.

Task Manager

To verify that IE is running in Administrator mode launched Task Manager and included the “Elevated” attribute.

Select Columns




For each IE Session, we are seeing two processes.
Why two processes each time we start a new IE Session?





There are a couple of options and those are:

  1. BackConnectionHostNames
  2. DisableLoopbackCheck




Launch regedit and access the registry key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0”.

Search for BackConnectionHostNames

Add all FQDN that the server’s resource will be self referred to.
Each entry should be entered in its own line.

  1. Type :- REG_MULTI_SZ
  2. Data :- ????


Adding Entry

Entry Added




Launch regedit and access the registry key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa“.

Search for DisableLookback.

Make sure it exists as:

  1. Type :- REG_DWORD
  2. Data :- 1



Script – BackConnectionHostNames

@echo off
@echo on

set "_registryBranch=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
set "_registryItem=BackConnectionHostNames"
set "_registryDataType=REG_MULTI_SZ"

rem ****************************************************************************************
rem please change to match your domain name
rem ****************************************************************************************
set ""

set "_registryValue=%COMPUTERNAME%.%_domainName%"

echo "Value - Current"
reg query %_registryBranch% /v %_registryItem%

reg add %_registryBranch% /v %_registryItem% /t %_registryDataType% /d %_registryValue% /f

echo "Value - New"
reg query %_registryBranch% /v %_registryItem%

Script – DisableLoopbackCheck

@echo off
rem set "_registryBranch=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
set "_registryBranch=HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
set "_registryItem=DisableLoopbackCheck"
set "_registryDataType=REG_DWORD"
set "_registryValue=1"

echo "Value - Current"
reg query %_registryBranch% /v %_registryItem%

reg add %_registryBranch% /v %_registryItem% /t %_registryDataType% /d %_registryValue% /f

echo "Value - New"
reg query %_registryBranch% /v %_registryItem%


This problem is nothing.  It has been in the OS since Windows 2003.

And, so I suppose it is not really a problem, I just wished it was surfaced differently; than having to type my password thrice and still can’t get in.



  1. Microsoft
    • Microsoft Support
      • You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version
  2. Nik Patel
    • Disable the Loopback Check for Specific Host Names on all SharePoint Web and Application Servers
  3. Michael Hanes
    • Use BackConnectionHostNames instead of DisableLoopbackCheck in production
    • DisableLoopbackCheck & SharePoint: What every admin and developer should know

BFGuard – Day 2


In this post we actually start BFGuard and try to connect to the host from other workstations.


Target OS

Here are the Windows OS that we will use for this exercise:

  1. Server
    • Windows Server 2012 R2
  2. Client
    • Windows Server 2012 R2
    • Windows 7

What we saw

BF Guard

BF Guard – Application

Scenario – After 1 failed Login

BF Guard – Application – Statistics

  1. ip
    • Count :- 1
    • Date :- 2016-06-15 15:34:13
      • Time in GMT, not local time


Scenario – After Numerous failed Logins

BF Guard – Application – Statistics

  1. ip
    • Count :- 7
    • Date :- 2016-06-15 16:47:18
      • Time in GMT, not local time


BF Guard – Application – Log entrys

  1. @ 2017-06-15 09:47:39
    • – Auto blocking IP: for: 54864000 minutes


BF Guard – Application – Blocked IP

  1. IP Address
    • IP Address :-
    • From :- 2017-06-15 09:47:39
    • To      :- 2017-06-15 10:47:39
    • City    :- Blocked


OS – Windows

Windows Logs

Windows Logs – Security

Windows Logs – Security – Filter

Here we filter for “Audit Failure“.

Windows Logs – Security – Logs

And, here are the events captured.


Windows Logs – Security – Log – Detailed

Windows Logs – Security – Log – Detailed- Event ID = 4625


  1. Subject
    • Security SID :- NULL SID
      • Since account that we entered to login in under is not known to the targeted computer or Active Directory, we get “NULL SID
    • Logon ID :-  0x0
      • Again, unknown Logon ID
  2. Logon Type
    • Our Logon Type is 3
      • Logon Type = 3
        • Network
  3. Account for which Logon Failed
    • Security SID :- NULL SID
    • Account Name :- bobsmith
    • Account Domain :- LAB
  4. Failure Information
    • Failure Reason :- unknown username or password
    • Status :- 0xC00006D
    • Sub Status :- 0xC0000064
  5. Process Information
    • Caller Process ID :- 0x0
      • Remote Caller Process is not known
    • Caller Process Name :-
      • Remote Caller Process is not known
  6. Network Information
    • Workstation Name :- ASTSQL01
    • Source Network Address :-
      • Network Address not passed in
    • Source Port :-
      • Network Port not passed in
  7. Detailed Authentication Information
    • Logon Process :- NtlmSsp
    • Authentication Package :- NTLM
  8.  Summary
    • Log Name :- Security
    • Source :- Microsoft Windows security
    • Event ID:- 4625
    • Task Category :- Logon
    • Keywords :- Audit Failure
    • Computer :- Host attempted for logon


OS – Windows Firewall

Reviewed server’s Windows Firewall to see how it is configured for “Remote Desktop“.



  1. Remote Desktop configured as:
    • Domain :- Yes
    • Home/Work :- Yes
    • Public :- No
    • Group Policy – Yes



Unfortunately, Windows was not able to capture the incoming IP Address.

BF Guard was thus unable to read the IP Address from the Windows Logs.

Because of this inability, it is not able to re-configure the local Windows Firewall and have it start blocking the Source IP Address.