Service Monitoring events do not contain the "WHO" information for Windows 2008\R2 servers (74904)

Service Monitoring events do not capture the "WHO" information from Windows 2008\R2 servers. Only Windows 2003 capture this information.

This is a product limitation currently as Windows 2008\R2 System logs do not display the user information in the EventID 7036. Windows 2003 has EventID 7035 which contains the Initiator information.

WORKAROUND:

None.

STATUS:

Issue is resolved in ChangeAuditor version 5.7+.

For Service Monitoring we cannot capture "Origin" information when services are stopped\started remotely. This is a product limitation as the System event logs do not contain any information pertaining to the location where the change occurred from.