Windows Event ID 7036 — Service State Changed
Logged when a service enters a running or stopped state.
Why It Matters
Tracking state changes for security-critical services (Windows Defender, Windows Firewall, Event Log) can reveal tampering. A security service stopping without a corresponding start shortly after is a red flag.
Key Fields
Investigation Tips
1. Monitor for Windows Defender (WinDefend) or Windows Firewall (MpsSvc) stopping without a corresponding start.
2. Pair with Event ID 7034 to distinguish crashes from intentional stops.
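As an added example that is not part of the EventPeeker page, the following Python applies both investigation tips to a handful of constructed 7036/7034 records: it flags a watched security service that enters the stopped state with no return to running within a window, and labels the stop as a crash when a 7034 for the same service precedes it. The service display names, the five-minute window and the record layout are assumptions.

```python
"""Flag security-service stops with no timely restart, using constructed 7036/7034 records."""
from datetime import datetime, timedelta

# Watched services keyed by the display name a 7036 event carries in its param1
# field (assumed display names; confirm on the host with `sc query <name>`).
WATCHED = {
    "Windows Defender Antivirus Service": "WinDefend",
    "Windows Defender Firewall": "MpsSvc",
}

# Constructed sample events: (timestamp, event_id, service display name, state).
# For 7036 the state is "running" or "stopped"; 7034 carries no state.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", 7036, "Windows Defender Antivirus Service", "stopped"),
    ("2024-05-01T09:00:02", 7036, "Windows Defender Antivirus Service", "running"),  # benign restart
    ("2024-05-01T09:30:00", 7034, "Windows Defender Firewall", None),               # crash ...
    ("2024-05-01T09:30:01", 7036, "Windows Defender Firewall", "stopped"),          # ... then stopped, never back
    ("2024-05-01T11:00:00", 7036, "Windows Defender Antivirus Service", "stopped"), # stopped, never back
    ("2024-05-01T11:00:01", 7036, "Print Spooler", "stopped"),                      # not a watched service
]


def find_suspicious_stops(events, window=timedelta(minutes=5)):
    """Return (timestamp, short_name, reason) for each watched service that stops
    and does not re-enter the running state within `window`.  A stop preceded by
    a 7034 for the same service inside `window` is reported as a crash rather
    than as a possible intentional stop."""
    parsed = sorted(
        ((datetime.fromisoformat(t), eid, svc, st) for t, eid, svc, st in events),
        key=lambda e: e[0],
    )
    findings = []
    for ts, eid, svc, state in parsed:
        if eid != 7036 or state != "stopped" or svc not in WATCHED:
            continue
        restarted = any(
            e == 7036 and s == svc and st == "running" and ts < t2 <= ts + window
            for t2, e, s, st in parsed
        )
        if restarted:
            continue  # tip 1: a prompt restart is normal service churn
        crashed = any(
            e == 7034 and s == svc and ts - window <= t2 <= ts for t2, e, s, _ in parsed
        )
        reason = "crash (7034 preceded stop)" if crashed else "stop with no restart (possible tampering)"
        findings.append((ts.isoformat(), WATCHED[svc], reason))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_stops(SAMPLE_EVENTS):
        print(*finding)
```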
Go deeper: the full Windows Defender Disabled or Tampered guide
Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.