Find out who disabled a Windows service

Solution 1:

When the start type of a service is changed, an event is recorded in the system event log, with ID 7040 and source Service Control Manager.

The user that performed the operation is displayed in the event (obfuscated in the screen shot below).

So you have to find those events in your event logs; hopefully you will directly have the user name.

If it is a generic user name, such as "administrator", then it's time to stop using a generic account, and you'll have to correlate the date / time of the event with other info you could get from other logs (like: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, which can give you the source IP of a remote desktop session).

Solution 2:

In Event Viewer, look in the "Windows Logs"->"System" event log, and filter for Source "Service Control Manager" and Event ID 7040. Find the event saying "The start type of the service was changed from original start type to disabled" for the service you're interested in. When you find that, the "User" listed in the details below is the user that has made that change.
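
Both solutions above, scripted as an added example (not part of either answer): it pulls the 7040 events for one service, resolves the recorded user, and lists that user's remote desktop sessions from the LocalSessionManager log shortly before each change. The service name, the lookback window, the use of event IDs 21 and 25 (session logon and reconnect) and the `User`/`Address` XML fields are assumptions not stated on the page.

```powershell
param(
    # Constructed sample value: the service name as it appears in the 7040 message text
    [string]$ServiceName = 'Print Spooler',
    # Assumption: how far before the change to look for remote desktop sessions
    [int]$LookbackHours = 12
)

# Event ID 7040 from source "Service Control Manager" in the System log
$changes = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7040
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ServiceName*" }

foreach ($change in $changes) {
    # The event stores the user as a SID; translate it to DOMAIN\user,
    # and fall back to the raw SID if the account no longer resolves
    $who = try {
        $change.UserId.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        "$($change.UserId)"
    }

    # Remote desktop logon (21) and reconnect (25) events before the change
    $sessions = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 25
        StartTime = $change.TimeCreated.AddHours(-$LookbackHours)
        EndTime   = $change.TimeCreated
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # These events keep their fields under UserData, so read them from the XML
        $data = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{ Time = $_.TimeCreated; User = $data.User; Address = $data.Address }
    } | Where-Object { $_.User -eq $who }

    [pscustomobject]@{
        Time        = $change.TimeCreated
        ChangedBy   = $who
        Message     = $change.Message
        RdpSessions = $sessions
    }
}
```

Run it from an elevated prompt on the affected machine. An empty `RdpSessions` means no remote desktop session for that account was logged in the window, for example when the change was made at the console or remotely through the service control API.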