
Windows Event ID 7040 – Service Control Manager: Service Start Type Changed

Event ID 7040 fires when a Windows service start type is modified through Service Control Manager, Group Policy, or programmatic changes. Critical for security auditing and change tracking.

Emanuel DE ALMEIDA
18 March 2026, 12 min read

Event Reference

What This Event Means

Event ID 7040 represents one of the most important service-related events in Windows logging. When the Service Control Manager processes a request to change a service's start type, it immediately generates this event before applying the change. The event contains comprehensive details including the service name, the previous start type value, the new start type value, and the security context of the account that initiated the change.

The start type values logged in this event correspond to specific Windows service startup behaviors: Automatic (2), Automatic Delayed (2), Manual (3), and Disabled (4). Understanding these values is essential for interpreting the event data correctly. The event also includes the process ID and thread ID of the requesting process, which can be valuable for forensic analysis.

From a security perspective, Event ID 7040 serves as a critical audit trail for service modifications. Attackers often attempt to disable security services like Windows Defender, Windows Firewall, or audit logging services to evade detection. Monitoring this event helps security teams identify such attempts and respond appropriately. In enterprise environments, this event is frequently forwarded to Security Information and Event Management (SIEM) systems for centralized monitoring and alerting.

Applies to: Windows 10, Windows 11, Windows Server 2019/2022/2025

Possible Causes

  • Administrator manually changing service start type through Services MMC console
  • PowerShell commands like Set-Service modifying service startup configuration
  • Group Policy enforcement changing service start types across domain computers
  • Software installation or uninstallation processes modifying dependent services
  • System Configuration Utility (msconfig) changes to startup services
  • Third-party system management tools altering service configurations
  • Windows Update or feature updates changing default service settings
  • Malware attempting to disable security-related services
  • Registry modifications directly changing service start type values
  • Automated scripts or scheduled tasks managing service configurations
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 7040 to understand what service was changed and by whom.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > System
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 7040 in the Event IDs field and click OK
  5. Double-click on recent Event ID 7040 entries to view details
  6. In the event details, note the service name, old start type, new start type, and the user account
  7. Check the Details tab for additional information including process ID and security identifier

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=7040} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

Pro tip: The message field contains the service name and start type changes in human-readable format, making it easy to identify which services were modified.
02

Correlate Service Changes with User Activity

Investigate who made the service changes and correlate with other security events to determine if the changes were authorized.

  1. From the Event ID 7040 details, note the User field showing who made the change
  2. Navigate to Windows Logs > Security in Event Viewer
  3. Filter for Event ID 4656 (handle to object was requested) around the same time
  4. Look for corresponding logon events (Event IDs 4624, 4625) for the user account
  5. Check if the changes occurred during normal business hours or maintenance windows

Use PowerShell to correlate events by time and user:

# Get service changes from the last 24 hours
$ServiceChanges = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7040; StartTime=(Get-Date).AddDays(-1)}

# Extract service and user information from each event. Event 7040 carries four
# EventData fields: param1 = display name, param2 = old start type, param3 = new
# start type, param4 = service short name. The initiating account is recorded as a
# SID in the record header (UserId), not in EventData.
$ServiceChanges | ForEach-Object {
    $Event = [xml]$_.ToXml()
    $Data = $Event.Event.EventData.Data
    $ServiceName = ($Data | Where-Object {$_.Name -eq 'param4'}).'#text'
    $Sid = $_.UserId
    # Resolve the SID to an account name; fall back to the raw SID if it cannot be resolved
    $User = if ($Sid) {
        try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
    } else { 'n/a' }
    [PSCustomObject]@{
        Time    = $_.TimeCreated
        Service = $ServiceName
        User    = $User
        Message = $_.Message
    }
}

Warning: Service changes by SYSTEM account during boot are normal, but changes by user accounts outside maintenance windows may indicate unauthorized activity.
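The correlation described in this step, as an added example that is not part of the original article: each 7040 record is matched to the Security 4624 logon of the same account (by SID) that most closely precedes it, giving the logon type, source address and logon process. The 24-hour lookback and 30-minute window are assumptions, and reading the Security log requires an elevated session.

```powershell
# Added example: correlate Event ID 7040 with the preceding 4624 logon of the same SID.
$Hours = 24            # assumed lookback
$WindowMinutes = 30    # assumed maximum gap between logon and service change
$Since = (Get-Date).AddHours(-$Hours)

$Changes = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7040; StartTime=$Since} -ErrorAction SilentlyContinue
$Logons  = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since.AddMinutes(-$WindowMinutes)} -ErrorAction SilentlyContinue

# Index logons by the SID of the account that logged on (TargetUserSid in 4624)
$LogonsBySid = @{}
foreach ($L in $Logons) {
    $D = ([xml]$L.ToXml()).Event.EventData.Data
    $Sid = ($D | Where-Object { $_.Name -eq 'TargetUserSid' }).'#text'
    if (-not $LogonsBySid.ContainsKey($Sid)) { $LogonsBySid[$Sid] = @() }
    $LogonsBySid[$Sid] += [PSCustomObject]@{
        Time      = $L.TimeCreated
        LogonType = ($D | Where-Object { $_.Name -eq 'LogonType' }).'#text'
        IpAddress = ($D | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        Process   = ($D | Where-Object { $_.Name -eq 'ProcessName' }).'#text'
    }
}

foreach ($C in $Changes) {
    $D = ([xml]$C.ToXml()).Event.EventData.Data
    # 7040 records the initiating account as a SID in the record header (UserId)
    $Sid = if ($C.UserId) { $C.UserId.Value } else { 'n/a' }
    $Match = $null
    if ($LogonsBySid.ContainsKey($Sid)) {
        # Most recent 4624 for that SID inside the window before the change
        $Match = $LogonsBySid[$Sid] |
            Where-Object { $_.Time -le $C.TimeCreated -and $_.Time -ge $C.TimeCreated.AddMinutes(-$WindowMinutes) } |
            Sort-Object Time -Descending | Select-Object -First 1
    }
    $LogonType = 'no 4624 in window'; $SourceIp = ''; $LogonProc = ''
    if ($Match) { $LogonType = $Match.LogonType; $SourceIp = $Match.IpAddress; $LogonProc = $Match.Process }
    [PSCustomObject]@{
        Time      = $C.TimeCreated
        Service   = ($D | Where-Object { $_.Name -eq 'param4' }).'#text'   # service short name
        From      = ($D | Where-Object { $_.Name -eq 'param2' }).'#text'
        To        = ($D | Where-Object { $_.Name -eq 'param3' }).'#text'
        Sid       = $Sid
        LogonType = $LogonType
        SourceIp  = $SourceIp
        LogonProc = $LogonProc
    }
}
```

A SYSTEM-initiated change (S-1-5-18) will usually show no 4624 in the window, since that account logs on once at boot; a LogonType of 3 or 10 with a remote source address on an interactive administrator account is the combination worth a closer look.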
03

Verify Current Service Configuration

Confirm the current state of services that were modified and ensure they align with organizational security policies.

  1. Open Services by pressing Win + R, typing services.msc, and pressing Enter
  2. Locate the service mentioned in the Event ID 7040 log entry
  3. Right-click the service and select Properties
  4. Check the current Startup type setting on the General tab
  5. Verify if the current setting matches your organization's security baseline
  6. Document any services that are not configured according to policy

Use PowerShell to audit all service start types:

# Get all services and their start types
Get-Service | Select-Object Name, Status, StartType | Sort-Object Name

# Check specific security-related services
$SecurityServices = @('Windefend', 'MpsSvc', 'Eventlog', 'Audiosrv')
Get-Service $SecurityServices | Select-Object Name, Status, StartType, DisplayName

Compare against your security baseline using registry values:

# Check service start type in registry
$ServiceName = 'YourServiceName'
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
Get-ItemProperty -Path $RegPath -Name Start -ErrorAction SilentlyContinue

Pro tip: Start type values in the registry are: 2=Automatic, 3=Manual, 4=Disabled. Compare these with your security policies to identify deviations.
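The baseline comparison this step asks for, as an added example that is not part of the original article: the expected start types below are a constructed, illustrative table (replace them with your organisation's baseline), and the function reports both the Service Control Manager view and the registry Start value so a mismatch between the two is visible as well.

```powershell
# Added example: compare live service start types against an expected baseline.
# The expected values are constructed for illustration, not an official baseline.
$Baseline = @{
    'WinDefend' = 'Automatic'   # Microsoft Defender Antivirus
    'MpsSvc'    = 'Automatic'   # Windows Defender Firewall
    'EventLog'  = 'Automatic'   # Windows Event Log
    'wuauserv'  = 'Manual'      # Windows Update
    'WinRM'     = 'Manual'      # set to 'Automatic' where remote management is required
}
# Registry Start values as the Service Control Manager stores them
$StartCodes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Compare-ServiceBaseline {
    param([hashtable]$Expected)
    foreach ($Name in $Expected.Keys) {
        $Svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        $Reg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -ErrorAction SilentlyContinue
        # PowerShell 7 reports delayed start as 'AutomaticDelayedStart'; normalise so the
        # comparison uses the same vocabulary as the baseline
        $Live = if ($Svc) { ([string]$Svc.StartType) -replace 'DelayedStart$', '' } else { 'NotInstalled' }
        # Registry view: Start holds the numeric code, DelayedAutostart=1 marks delayed start
        $Code  = if ($Reg -and $null -ne $Reg.Start) { $StartCodes[[int]$Reg.Start] } else { 'n/a' }
        $Delay = if ($Reg -and $Reg.DelayedAutostart -eq 1) { ' (delayed)' } else { '' }
        [PSCustomObject]@{
            Service   = $Name
            Expected  = $Expected[$Name]
            Actual    = $Live + $Delay
            RegStart  = $Code
            Compliant = ($Live -eq $Expected[$Name])
        }
    }
}

# Show only the deviations; drop the Where-Object to see the full audit table
Compare-ServiceBaseline -Expected $Baseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```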
04

Implement Service Change Monitoring

Set up proactive monitoring to detect unauthorized service changes in real-time and create alerts for critical services.

  1. Open Task Scheduler by pressing Win + R, typing taskschd.msc, and pressing Enter
  2. Click Create Task in the Actions pane
  3. Name the task "Service Change Monitor" and set it to run with highest privileges
  4. On the Triggers tab, click New and select On an event
  5. Set Log to System, Source to Service Control Manager, and Event ID to 7040
  6. On the Actions tab, create a PowerShell script action to send alerts

Create a PowerShell monitoring script:

# Service change monitoring script. The subscription lives only as long as this
# PowerShell session, so run it from a session that stays open (or from the scheduled
# task above). Subscribing to the System log requires an elevated session.
$CriticalServices = @('Windefend', 'MpsSvc', 'Eventlog', 'WinRM', 'BITS')

# Register the custom event source once; Write-EventLog fails if it does not exist
if (-not [System.Diagnostics.EventLog]::SourceExists('ServiceMonitor')) {
    New-EventLog -LogName Application -Source 'ServiceMonitor'
}

# Register for Event ID 7040. Win32_NTLogEvent is a data class, not an event class,
# so the WMI event query has to watch for new instances of it via __InstanceCreationEvent.
$Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.LogFile='System' AND TargetInstance.EventCode=7040"

# The -Action block runs in its own scope, so the critical-service list is handed over
# with -MessageData and read back from $Event.MessageData
Register-WmiEvent -Query $Query -SourceIdentifier 'ServiceStartTypeChanged' -MessageData $CriticalServices -Action {
    $Record  = $Event.SourceEventArgs.NewEvent.TargetInstance
    $Message = $Record.Message
    # InsertionStrings[3] is param4 of event 7040, the service short name (e.g. WinDefend);
    # the message text only carries the display name, so it cannot be matched against the list
    $Service = $Record.InsertionStrings[3]

    # Check if a critical service was modified (-in compares case-insensitively)
    if ($Service -in $Event.MessageData) {
        # Send alert (email, SIEM, etc.)
        Write-EventLog -LogName Application -Source "ServiceMonitor" -EventId 1001 -EntryType Warning -Message "Critical service $Service was modified: $Message"
    }
}

Configure Windows Event Forwarding for centralized monitoring:

# Enable WinRM for event forwarding
Enable-PSRemoting -Force
winrm quickconfig -force

# Create custom event forwarding subscription
wecutil cs ServiceChangeSubscription.xml

Pro tip: Use Group Policy to deploy event forwarding subscriptions across your domain to centralize Event ID 7040 monitoring on a collector server.
05

Forensic Analysis and Remediation

Perform detailed forensic analysis when unauthorized service changes are detected and implement remediation procedures.

  1. Export relevant events for forensic analysis using Event Viewer
  2. Navigate to Windows Logs > System
  3. Right-click and select Save All Events As
  4. Save as EVTX format for detailed analysis
  5. Use additional tools to correlate with other security events

Advanced PowerShell forensic analysis:

# Comprehensive service change analysis
$StartTime = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7040; StartTime=$StartTime}

# Parse and analyze events. Event 7040 carries four EventData fields (param1 = display
# name, param2 = old start type, param3 = new start type, param4 = service short name);
# the initiating account is the SID in the record header, exposed as UserId.
$Analysis = $Events | ForEach-Object {
    $EventXML = [xml]$_.ToXml()
    $Data = $EventXML.Event.EventData.Data
    $Sid = $_.UserId
    # Resolve the SID to an account name; keep the raw SID if resolution fails
    $Account = if ($Sid) {
        try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
    } else { 'n/a' }

    [PSCustomObject]@{
        TimeCreated  = $_.TimeCreated
        DisplayName  = ($Data | Where-Object {$_.Name -eq 'param1'}).'#text'
        OldStartType = ($Data | Where-Object {$_.Name -eq 'param2'}).'#text'
        NewStartType = ($Data | Where-Object {$_.Name -eq 'param3'}).'#text'
        ServiceName  = ($Data | Where-Object {$_.Name -eq 'param4'}).'#text'
        UserAccount  = $Account
        ProcessId    = $_.ProcessId
        ThreadId     = $_.ThreadId
    }
}

# Group by user to identify patterns
$Analysis | Group-Object UserAccount | Sort-Object Count -Descending

Remediate unauthorized changes:

# Restore service to secure configuration
$ServiceName = "YourCompromisedService"
Set-Service -Name $ServiceName -StartupType Automatic
Start-Service -Name $ServiceName

# Verify the change
Get-Service $ServiceName | Select-Object Name, Status, StartType

Warning: Before restoring services, ensure you understand the business impact. Some service changes may be legitimate and reverting them could cause system instability.

Overview

Event ID 7040 is generated by the Service Control Manager whenever a Windows service's start type is modified. This event fires when services are changed from automatic to manual, disabled to automatic, or any other start type combination. The event captures the service name, previous start type, new start type, and the user account that made the change.

This event is particularly valuable for security auditing and change management in enterprise environments. It helps administrators track unauthorized service modifications, troubleshoot service startup issues, and maintain compliance with security policies. The event appears in the System log and includes detailed information about what changed and who initiated the change.

Service start type changes can occur through multiple vectors: the Services MMC snap-in, PowerShell commands, Group Policy enforcement, third-party management tools, or malicious software attempting to disable security services. Understanding this event is crucial for maintaining system security and operational stability in Windows environments.

Frequently Asked Questions

What does Event ID 7040 mean and why is it important?

Event ID 7040 indicates that a Windows service's start type has been changed. This event is crucial for security monitoring because attackers often disable security services like Windows Defender or Windows Firewall to evade detection. The event logs the service name, old start type, new start type, and the user who made the change, providing a complete audit trail for service modifications.

How can I tell if Event ID 7040 represents a security threat?

Look for several indicators: changes to critical security services (Windefend, MpsSvc, Eventlog), modifications by unexpected user accounts, changes occurring outside maintenance windows, or services being disabled rather than reconfigured. Also check if the changes correlate with other suspicious activities like failed logon attempts or unusual process execution. Changes made by SYSTEM during boot are typically normal, while user-initiated changes require investigation.

Which services should I monitor most closely for Event ID 7040 changes?

Focus on security-critical services: Windows Defender Antivirus Service (Windefend), Windows Firewall (MpsSvc), Windows Event Log (Eventlog), Windows Remote Management (WinRM), Background Intelligent Transfer Service (BITS), and Windows Update (wuauserv). Also monitor any custom security software services, backup services, and monitoring agents. These services are commonly targeted by malware and attackers attempting to disable security controls.

Can I prevent unauthorized service changes that trigger Event ID 7040?

Yes, use several approaches: implement Group Policy to control service configurations and prevent unauthorized changes, use Service Control Manager permissions to restrict who can modify services, deploy Privileged Access Management (PAM) solutions to control administrative access, and configure Windows Defender Application Control or AppLocker to prevent unauthorized tools from running. Additionally, use just-in-time administrative access and regularly audit service permissions.

How do I set up automated alerts for critical Event ID 7040 occurrences?

Create a Windows Task Scheduler task triggered by Event ID 7040, use PowerShell with Register-WmiEvent to monitor for service changes in real-time, configure Windows Event Forwarding to send events to a central collector, or deploy SIEM solutions that can parse and alert on specific service changes. You can also use PowerShell scripts that check for changes to critical services and send email notifications or write to custom event logs for further processing.

Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
