Within the Event Viewer (Control Panel | Administrative Tools | Event Viewer) on the System tab the Service Control Manager logs who started and stop each event. I've just tested this myself and viewed the results. This leads me to two things:

在系统选项卡上的事件查看器（控制面板 | 管理工具 | 事件查看器）中，服务控制管理器记录启动和停止每个事件的人员。我刚刚自己测试过并查看了结果。这让我想到两件事：

1. You may be able to query or hook those events from the Service Control Manager as they happen, or
2. You can definitely just query the Event Viewer's "System" log to look for those events for your Service.

1. 您可以在这些事件发生时从服务控制管理器查询或挂钩这些事件，或者
2. 您绝对可以查询事件查看器的“系统”日志来为您的服务查找这些事件。

Hope that leads you to your solution.

希望这会引导您找到解决方案。

There probably isn't a way. Any of the normal .NET ways that you get at the environment's user are going to return the user whose credentials the service runs with (which will typically be SYSTEM, LOCAL SERVICE, NETWORK SERVICE, etc).

应该没有办法。您在环境用户处获得的任何正常 .NET 方式都将返回运行服务所使用的凭据的用户（通常是 SYSTEM、LOCAL SERVICE、NETWORK SERVICE 等）。

How I'd probably do it is poll the system to see if a user is logged in, and assume that user did it. Of course, this discounts services that are shut down by the system for some reason (presumably your service would not be), and can only help you narrow it down if more than one user is logged in at one time (but then, you could always log both of them).

我可能的做法是轮询系统以查看用户是否已登录，并假设该用户已登录。当然，这会打折由于某种原因被系统关闭的服务（大概您的服务不会），并且只有在一次登录多个用户的情况下才能帮助您缩小范围（但是，您可以总是记录它们）。

You can enable auditing according to this article

您可以根据这篇文章启用审计

http://windowsitpro.com/systems-management/access-denied-auditing-users-who-might-be-starting-and-stopping-services

http://windowsitpro.com/systems-management/access-denied-auditing-users-who-might-be-starting-and-stopping-services

Additionally, it may be a good idea to alert email to yourself in OnStop() method.

此外，在 OnStop() 方法中向自己发送电子邮件提醒可能是个好主意。

1. Just open Event Viewer (Start menu -> Search "Event" Event Viewer will come, open it)
2. Expand 'Windows Log' on Event viewer left menu.
3. Click on Application. (It will show your application error with description in 'general' tab.
4. Again try to start your service and from event viewer see what is exact cause for stopping briefly in 'general' tab.

1. 只需打开事件查看器（开始菜单 -> 搜索“事件”事件查看器就会出现，打开它）
2. 在事件查看器左侧菜单上展开“Windows 日志”。
3. 单击应用程序。（它将在“常规”选项卡中显示您的应用程序错误和描述。
4. 再次尝试启动您的服务，并从事件查看器中查看在“常规”选项卡中短暂停止的确切原因。

• You can filter the System EventLog by Service Control Manager

• 您可以通过服务控制管理器过滤系统事件日志

Event ID 7040 - covers Service start type change (eg disabled, manual, automatic)

事件 ID 7040 - 涵盖服务启动类型更改（例如禁用、手动、自动）

Event ID 7036 - covers Service start/stop

事件 ID 7036 - 涵盖服务启动/停止

For others that have PowerShell, you can use this:

对于拥有 PowerShell 的其他人，您可以使用以下命令：

get-eventlog -source "Service Control manager" -LogName System | select message, timegenerated, username | Out-GridView