Event ID 7036 | Information | Service Control Manager | Windows

Windows Event ID 7036 – Service Control Manager: Service State Change Notification

Event ID 7036 records when Windows services change state (start, stop, pause, continue). Generated by Service Control Manager to track service lifecycle events across all Windows systems.

Emanuel DE ALMEIDA
18 March 2026 · 9 min read
Event Reference

What This Event Means

Event ID 7036 represents the Service Control Manager's method of logging service state transitions throughout the Windows operating system. When any service changes from one operational state to another—whether starting up during boot, shutting down during system maintenance, or restarting due to configuration changes—the SCM generates this event to maintain a complete record of service activity.

The event message typically follows the format: "The [Service Name] service entered the [running/stopped/paused] state." This simple structure provides immediate clarity about which service changed and its new operational status. The timestamp associated with each event allows administrators to correlate service changes with system events, user actions, or automated processes.

From a system architecture perspective, Event ID 7036 serves multiple purposes beyond simple logging. It enables Windows to maintain service dependency chains, where dependent services can monitor the state of their prerequisites. Applications and monitoring tools can subscribe to these events through Windows Management Instrumentation (WMI) or Event Tracing for Windows (ETW) to receive real-time notifications of service changes.

The frequency of 7036 events varies significantly based on system usage patterns. A typical desktop system might generate dozens of these events during startup and shutdown, while busy servers can log hundreds or thousands daily as services restart, applications cycle, or maintenance operations occur. Understanding normal patterns for your environment is crucial for identifying anomalies that might indicate system problems or security issues.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Normal service startup during Windows boot process
  • Manual service start/stop operations via Services console or PowerShell
  • Automatic service restarts triggered by service recovery settings
  • Application-initiated service state changes through API calls
  • Service crashes or failures causing unexpected stops
  • Windows Update installations requiring service restarts
  • Group Policy changes affecting service configurations
  • System shutdown or restart procedures stopping services
  • Service dependency changes causing cascading state transitions
  • Third-party software installing or uninstalling services
  • Scheduled tasks or scripts managing service states
  • Windows maintenance operations affecting system services
Resolution Methods

Troubleshooting Steps

01. Review Recent Service State Changes in Event Viewer

Start by examining recent 7036 events to identify patterns or problematic services:

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs → System
  3. In the Actions pane, click Filter Current Log
  4. Enter 7036 in the Event IDs field and click OK
  5. Review the recent events, noting service names and timestamps
  6. Look for services that frequently start and stop, which may indicate instability
  7. Right-click any event and select Event Properties to view detailed information

Focus on services that show unusual patterns, such as multiple restarts within short timeframes or critical system services that have stopped unexpectedly.

Pro tip: Sort events by Event ID and Time to quickly identify service restart loops or cascading failures.

02. Query Service Events with PowerShell Filtering

Use PowerShell to perform advanced filtering and analysis of service state changes:

# Get last 50 service state change events
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7036} -MaxEvents 50

# Filter for specific service events
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7036} | Where-Object {$_.Message -like "*Windows Update*"}

# Find services that stopped in the last 24 hours
$Yesterday = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7036; StartTime=$Yesterday} | Where-Object {$_.Message -like "*stopped*"}

# Export service events to CSV for analysis
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7036} -MaxEvents 1000 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Export-Csv -Path "C:\Temp\ServiceEvents.csv" -NoTypeInformation

These commands help identify specific services experiencing issues and provide data for trend analysis.

Pro tip: Use Group-Object to count service state changes: Get-WinEvent -FilterHashtable @{LogName='System'; Id=7036} -MaxEvents 500 | Group-Object Message | Sort-Object Count -Descending
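
The restart-loop check described in methods 01 and 02, as an added example that is not part of the original article. It reads the service name and state from the event's structured properties instead of matching on the message text. The function names, the threshold of 3 starts within 10 minutes, and the English state strings are assumptions; the sample events are constructed.

```powershell
# Added example, not from the original article.
function ConvertFrom-Event7036 {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # 7036 carries the service display name and the new state as event properties
        [PSCustomObject]@{
            TimeCreated = $Record.TimeCreated
            Service     = $Record.Properties[0].Value
            State       = $Record.Properties[1].Value
        }
    }
}

function Find-ServiceFlapping {
    param(
        [Parameter(Mandatory)] [object[]] $StateChanges,
        [int] $Threshold = 3,                              # assumed tuning value
        [timespan] $Window = (New-TimeSpan -Minutes 10)    # assumed tuning value
    )
    $StateChanges | Where-Object State -eq 'running' | Group-Object Service | ForEach-Object {
        $Group = $_
        $Times = @($Group.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        # Slide over the sorted start times: $Threshold starts inside one $Window is a loop
        for ($i = 0; $i + $Threshold -le $Times.Count; $i++) {
            if (($Times[$i + $Threshold - 1] - $Times[$i]) -le $Window) {
                [PSCustomObject]@{ Service = $Group.Name; Starts = $Times.Count; LoopBegan = $Times[$i] }
                break
            }
        }
    }
}

# Constructed sample shaped like Get-WinEvent output: one service restarting
# every 2 minutes, one service starting once
$T0 = Get-Date '2026-03-18 09:00:00'
$Sample = @(
    0, 2, 4 | ForEach-Object {
        [PSCustomObject]@{ TimeCreated = $T0.AddMinutes($_); Properties = @(@{Value='Example Agent'}, @{Value='running'}) }
        [PSCustomObject]@{ TimeCreated = $T0.AddMinutes($_ + 1); Properties = @(@{Value='Example Agent'}, @{Value='stopped'}) }
    }
    [PSCustomObject]@{ TimeCreated = $T0; Properties = @(@{Value='Print Spooler'}, @{Value='running'}) }
)
Find-ServiceFlapping -StateChanges ($Sample | ConvertFrom-Event7036)

# Live data:
# Get-WinEvent -FilterHashtable @{LogName='System'; Id=7036} -MaxEvents 500 | ConvertFrom-Event7036
```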

03. Investigate Service Dependencies and Recovery Settings

When services frequently restart, examine their configuration and dependencies:

  1. Open Services console by running services.msc
  2. Locate the service showing frequent state changes in Event ID 7036 logs
  3. Right-click the service and select Properties
  4. Check the Recovery tab for automatic restart settings
  5. Review the Dependencies tab to understand service relationships
  6. Use PowerShell to get detailed service information:
# Get service details including dependencies
Get-Service -Name "ServiceName" | Format-List *

# Check service recovery settings via registry
$ServiceName = "YourServiceName"
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
Get-ItemProperty -Path $RegPath -Name "FailureActions" -ErrorAction SilentlyContinue

# List all services and their current states
Get-Service | Sort-Object Status, Name | Format-Table Name, Status, StartType

Pay attention to services configured for automatic restart, as these generate predictable 7036 events during recovery operations.

04. Monitor Service Performance and Resource Usage

Correlate service state changes with system performance to identify resource-related issues:

  1. Open Performance Monitor by running perfmon.msc
  2. Add the Process counters % Processor Time and Working Set
  3. Monitor services that frequently appear in 7036 events
  4. Use PowerShell to check service resource usage:
# Get process information for running services
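# (Get-CimInstance replaces the deprecated Get-WmiObject and also works in PowerShell 7)
Get-CimInstance -ClassName Win32_Service | Where-Object {$_.State -eq "Running"} | ForEach-Object {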
    $ProcessId = $_.ProcessId
    if ($ProcessId -gt 0) {
        $Process = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
        if ($Process) {
            [PSCustomObject]@{
                ServiceName = $_.Name
                ProcessName = $Process.ProcessName
                CPU = $Process.CPU
                WorkingSet = [math]::Round($Process.WorkingSet64/1MB, 2)
            }
        }
    }
} | Sort-Object CPU -Descending

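# Monitor service start times and correlate with system events
# (Get-WinEvent filters on the event ID directly and also works in PowerShell 7)
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7036; StartTime=(Get-Date).AddHours(-1)} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message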

This helps identify services consuming excessive resources that might be causing instability.

Warning: High CPU or memory usage by services can trigger automatic restarts, generating frequent 7036 events.

05. Implement Automated Service Monitoring and Alerting

Set up proactive monitoring to track service state changes and identify issues before they impact users:

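# PowerShell script for continuous service monitoring
$LogPath = "C:\Logs\ServiceMonitoring.log"
$CriticalServices = @("Spooler", "BITS", "Themes", "AudioSrv")

# Make sure the log directory exists before writing to it
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

# Function to log service events
function Write-ServiceLog {
    param($Message)
    $Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    "$Timestamp - $Message" | Out-File -FilePath $LogPath -Append
}

# Monitor for service state changes: poll Win32_Service every 5 seconds and
# raise an event whenever a service instance is modified
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Service'"
Register-CimIndicationEvent -Query $Query -MessageData $LogPath -Action {
    # The action runs in its own scope, so it writes to the path passed in -MessageData
    $Change = $Event.SourceEventArgs.NewEvent
    if ($Change.TargetInstance.State -ne $Change.PreviousInstance.State) {
        $Line = "Service state change detected: $($Change.TargetInstance.Name) is now $($Change.TargetInstance.State)"
        "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - $Line" | Out-File -FilePath $Event.MessageData -Append
    }
} | Out-Null

# Check critical services every 5 minutes
while ($true) {
    foreach ($Service in $CriticalServices) {
        $ServiceStatus = Get-Service -Name $Service -ErrorAction SilentlyContinue
        if (-not $ServiceStatus) {
            Write-ServiceLog "ALERT: Critical service $Service was not found"
        }
        elseif ($ServiceStatus.Status -ne "Running") {
            Write-ServiceLog "ALERT: Critical service $Service is $($ServiceStatus.Status)"
            # Add email notification or other alerting mechanism here
        }
    }
    Start-Sleep -Seconds 300
}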

Configure Windows Task Scheduler to run this monitoring script at startup for continuous service oversight.

Pro tip: Use Windows Event Forwarding to centralize 7036 events from multiple servers for enterprise-wide service monitoring.
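
A log-driven complement to the polling loop above, as an added example that is not part of the original article: it reports watched services that entered the stopped state without a preceding shutdown request, so routine reboots do not raise alerts. The function name, the watch list, the 2-minute grace period, and the use of Event ID 1074 (shutdown or restart initiated) as the shutdown marker are assumptions; the sample events are constructed. Note that 7036 records the service display name ("Print Spooler"), not the short name ("Spooler") that Get-Service accepts.

```powershell
# Added example, not from the original article.
function Get-UnexplainedServiceStop {
    param(
        [Parameter(Mandatory)] [object[]] $StateChanges,   # TimeCreated, Service, State (from 7036)
        [datetime[]] $ShutdownTimes = @(),                 # TimeCreated of Event ID 1074 records
        [string[]] $WatchList = @('Windows Event Log', 'Print Spooler'),   # assumed display names
        [timespan] $Grace = (New-TimeSpan -Minutes 2)      # assumed tuning value
    )
    foreach ($Change in $StateChanges) {
        if ($Change.State -ne 'stopped' -or $Change.Service -notin $WatchList) { continue }
        # A stop shortly after a logged shutdown request is expected behavior
        $Expected = $ShutdownTimes | Where-Object {
            $Delta = $Change.TimeCreated - $_
            $Delta -ge [timespan]::Zero -and $Delta -le $Grace
        }
        if (-not $Expected) { $Change }
    }
}

# Constructed sample: Print Spooler stops twice, once during a reboot and once with
# no shutdown request nearby; an unwatched service also stops
$T0 = Get-Date '2026-03-18 02:00:00'
$Changes = @(
    [PSCustomObject]@{ TimeCreated = $T0.AddSeconds(30);  Service = 'Print Spooler'; State = 'stopped' }
    [PSCustomObject]@{ TimeCreated = $T0.AddMinutes(5);   Service = 'Print Spooler'; State = 'running' }
    [PSCustomObject]@{ TimeCreated = $T0.AddHours(6);     Service = 'Print Spooler'; State = 'stopped' }
    [PSCustomObject]@{ TimeCreated = $T0.AddHours(6);     Service = 'Example Agent'; State = 'stopped' }
)
$Shutdowns = @($T0)   # one constructed 1074 record at 02:00:00

# Returns only the Print Spooler stop at 08:00, which no shutdown explains
Get-UnexplainedServiceStop -StateChanges $Changes -ShutdownTimes $Shutdowns

# Live data (English-language state strings assumed):
# $Changes = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7036} -MaxEvents 500 | ForEach-Object {
#     [PSCustomObject]@{ TimeCreated = $_.TimeCreated; Service = $_.Properties[0].Value; State = $_.Properties[1].Value } }
# $Shutdowns = @(Get-WinEvent -FilterHashtable @{LogName='System'; Id=1074} -ErrorAction SilentlyContinue |
#     ForEach-Object { $_.TimeCreated })
```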

Overview

Event ID 7036 is one of the most frequently logged events in Windows systems, generated by the Service Control Manager (SCM) whenever a service changes its operational state. This includes transitions from stopped to running, running to stopped, paused to running, or any other state change within the Windows service architecture.

The event fires automatically without administrative intervention and serves as a comprehensive audit trail for service activity. Each 7036 event contains the service name and its new state, making it invaluable for troubleshooting service-related issues, monitoring system health, and understanding application behavior during startup, shutdown, or maintenance operations.

While informational in nature, patterns in 7036 events can reveal underlying system problems. Frequent service restarts, unexpected stops, or services failing to start properly all generate these events. System administrators rely on 7036 events to track service dependencies, identify performance bottlenecks, and diagnose application failures that stem from service issues.

The event appears in the System log and is generated on all Windows versions from Windows 7 through the latest Windows 11 and Server 2025 releases. Understanding 7036 events is essential for effective Windows system administration and automated monitoring solutions.

Frequently Asked Questions

What does Event ID 7036 mean and why do I see so many of them?
Event ID 7036 is generated by the Service Control Manager every time a Windows service changes state (starts, stops, pauses, or continues). You see many of these events because Windows systems run dozens of services that regularly change states during normal operations like startup, shutdown, updates, and maintenance. This is completely normal behavior and indicates that Windows is properly tracking service activity. The high frequency is expected on active systems, especially servers running multiple applications and services.
How can I identify which services are causing problems from 7036 events?
Look for patterns in the Event Viewer or use PowerShell filtering to identify problematic services. Services that frequently start and stop within short timeframes, critical system services that unexpectedly stop, or services that fail to start during boot are indicators of issues. Use PowerShell commands like 'Get-WinEvent -FilterHashtable @{LogName='System'; Id=7036} | Group-Object Message | Sort-Object Count -Descending' to find the most frequently changing services. Also correlate timestamps with system performance issues or user complaints to identify impact.
Should I be concerned about Event ID 7036 entries in my logs?
Event ID 7036 entries are informational and generally not concerning by themselves. They're part of normal Windows operation and indicate that the Service Control Manager is properly tracking service states. However, you should investigate if you notice unusual patterns such as critical services stopping unexpectedly, services restarting frequently in short periods, or if these events correlate with system performance problems or application failures. The context and frequency matter more than the mere presence of these events.
Can I disable Event ID 7036 logging to reduce log volume?
While technically possible through registry modifications or Group Policy, disabling 7036 events is not recommended for production systems. These events provide valuable troubleshooting information and are used by monitoring tools, Windows itself for service dependency management, and administrators for system health tracking. Instead of disabling them, consider implementing log rotation policies, filtering in your monitoring tools, or using Windows Event Forwarding to manage log volume more effectively while preserving this important diagnostic information.
How do I correlate Event ID 7036 with application or system problems?
Use the timestamp information in 7036 events to correlate with other system events, performance counters, and user-reported issues. Look for service stops that occur just before application failures, or service restarts that coincide with performance degradation. Use PowerShell to filter events by time ranges around problem periods, and cross-reference with Application and Security logs. Tools like Performance Monitor can help correlate service state changes with resource usage spikes. Also check if services that frequently appear in 7036 events have dependencies that might be causing cascading failures.

Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
