EventPeeker
Event ID 7036 | Information | System

Windows Event ID 7036: Service State Changed

Logged when a service enters a running or stopped state.

Why It Matters

Tracking state changes for security-critical services (Windows Defender, Windows Firewall, Event Log) can reveal tampering. A security service stopping without a corresponding start shortly after is a red flag.

Key Fields

Service Name: The service that changed state
State: Running or stopped

Investigation Tips

  1. Monitor for Windows Defender (WinDefend) or Firewall (MpsSvc) stopping without a corresponding start.
  2. Pair with 7034 to distinguish crashes from intentional stops.
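
The two tips above combined into one correlation pass, as an added example (not EventPeeker's own code). It assumes events have already been exported and normalised into records keyed by short service name; the record layout, the 5-minute restart window and the 30-second 7034 window are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

WATCHED = {"WinDefend", "MpsSvc"}      # security services named in the tips
RESTART_WINDOW = timedelta(minutes=5)  # assumption: meaning of "shortly after"
CRASH_WINDOW = timedelta(seconds=30)   # assumption: how close a 7034 must be

def rec(ts, event_id, service, state=None):
    """Build one normalised record (hypothetical layout, not a Windows API)."""
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "service": service, "state": state}

def unpaired_stops(events):
    """Return watched-service stops (7036) with no later start in the window."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, ev in enumerate(events):
        if ev["event_id"] != 7036 or ev["service"] not in WATCHED:
            continue
        if ev["state"].lower() != "stopped":
            continue
        # Tip 1: look for a matching "running" event soon after the stop.
        restarted = any(
            e["event_id"] == 7036 and e["service"] == ev["service"]
            and e["state"].lower() == "running"
            and e["time"] <= ev["time"] + RESTART_WINDOW
            for e in events[i + 1:])
        if restarted:
            continue
        # Tip 2: a nearby 7034 for the same service points to a crash.
        crashed = any(
            e["event_id"] == 7034 and e["service"] == ev["service"]
            and abs(e["time"] - ev["time"]) <= CRASH_WINDOW
            for e in events)
        findings.append({"service": ev["service"], "stopped_at": ev["time"],
                         "cause": "crash" if crashed else "intentional"})
    return findings

SAMPLE = [  # constructed records, not taken from a real host
    rec("2024-05-01T10:00:00", 7036, "MpsSvc", "stopped"),
    rec("2024-05-01T10:00:20", 7036, "MpsSvc", "running"),   # benign restart
    rec("2024-05-01T10:05:00", 7036, "WinDefend", "stopped"),
    rec("2024-05-01T10:30:00", 7034, "MpsSvc"),
    rec("2024-05-01T10:30:01", 7036, "MpsSvc", "stopped"),
    rec("2024-05-01T11:00:00", 7036, "Spooler", "stopped"),  # not watched
]

if __name__ == "__main__":
    for finding in unpaired_stops(SAMPLE):
        print(finding)
```

A stop logged within the restart window of the end of the export cannot be judged either way, so treat findings from the tail of a log as provisional.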

Related Event IDs

7034: Service crashed — unexpected stop
7045: New service installed
