FieldMILIService on 2008 server


This topic contains 2 replies, has 2 voices, and was last updated by Blood 1 week, 2 days ago.

    Blood
    Moderator
    #609947

    Hello

    I was going through the events on our 2008 data server after it rebooted unexpectedly. One of the events referenced a service I’ve not seen before:

    Log Name:      System
    Source:        Service Control Manager
    Date:          03/12/2018 10:44:46
    Event ID:      7036
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      Orion.htlincs.local
    Description:
    The FieldMILIService service entered the running state.

    This is followed by ‘… entered the stopped state’ one second later.

    I am getting no results from a web search. I have been through all the services listed in services.msc and looked at ‘Properties > General tab > Service name’ but nothing matches. We have Sophos installed and nothing apart from the usual PUAs (PSKill etc., from SysInternals) has been detected. Enumerating all services via PowerShell:

    Get-WmiObject win32_service | Select Name, DisplayName, State, StartMode | Sort State, Name

    does not list this service.

    Has anyone come across this service before?

    [Edit]
    Just searched through the System log and it has cropped up before – during each restart (I usually filter out 7036 events when scanning the logs – whoops!).

    • This topic was modified 1 week, 3 days ago by Blood. Reason: Additional info

    RicklesP
    Participant
    #609982

    Blood, have you tried searching the registry for that service name, or some part of it like ‘fieldmili’ or ‘miliservice’, for example?  Or how about just looking at reg keys like “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” or “…RunOnce”, and of course the Wow6432 node of same: “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run” or “RunOnce”, to see if there’s anything called out which you can’t otherwise account for.

    Granted that’s a bit manual, but esp. if it’s some legacy thing that (big assumption here, based on the computer name) the NHS still has on its systems, it may be the only way to identify the guilty party.

    Blood
    Moderator
    #610010

    Thanks very much for the suggestion. I used SysInternals’ Autoruns64 to scan the system and (with Windows entries visible) it did not find that term or variations of it, and a manual scan of the common startup points did not reveal anything odd.

    I just find it strange that I cannot discover anything about it.
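
The registry search suggested in the thread can be scripted against the Services key, which also holds driver entries that the Win32_Service query in the first post does not return, and paired with a search of the Service Control Manager events. This is an added example, not code from any poster: `Find-ServiceKey`, `Find-ScmEvent` and the `$Term` fragment are hypothetical names, and it assumes PowerShell 2.0 syntax run elevated on the server.

```powershell
# Added example; function names and $Term are illustrative, not from the thread.
# PowerShell 2.0 compatible (no [pscustomobject], no simplified Where-Object).
$Term = 'FieldMILI'   # fragment of the name shown in the 7036 event

function Find-ServiceKey {
    param([string]$Pattern)
    # The Services key lists Win32 services AND kernel/file-system drivers;
    # Win32_Service returns only the former (drivers are Win32_SystemDriver).
    $root  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $regex = [regex]::Escape($Pattern)
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $p   = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Event 7036 prints the display name, so match it as well as the key name.
        # A DisplayName stored as an indirect string ("@file.dll,-100") will not
        # match here; the key name or ImagePath may still do so.
        $fields = @($key.PSChildName, $p.DisplayName, $p.ImagePath, $p.Description)
        $hit = $fields | Where-Object { $_ -and ($_ -match $regex) }
        if ($hit) {
            New-Object PSObject -Property @{
                KeyName     = $key.PSChildName
                DisplayName = $p.DisplayName
                ImagePath   = $p.ImagePath
                Type        = $p.Type    # 1, 2 = driver; 16, 32 = Win32 service
                Start       = $p.Start   # 0-2 = boot/system/auto, 3 = demand, 4 = disabled
            }
        }
    }
}

function Find-ScmEvent {
    param([string]$Pattern)
    # 7036 = state change; 7045 = "A service was installed in the system"
    # (only present if the OS logged an install for this name).
    $filter = @{ LogName = 'System'
                 ProviderName = 'Service Control Manager'
                 Id = 7036, 7045 }
    $regex = [regex]::Escape($Pattern)
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $regex } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, Message
}

Find-ServiceKey -Pattern $Term | Format-List
Find-ScmEvent   -Pattern $Term | Format-Table -AutoSize -Wrap
```

An empty registry result alongside recurring 7036 events means no matching entry exists at query time; a 7045 record, where one was logged, carries the service file name and account.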

     
