
How to Check the Last Start Time of a Service in Batch Script

Knowing exactly when a service was last started is a vital piece of information for troubleshooting system uptime and identifying unexpected reboots. While the standard "Services" panel shows you that a service is currently "Running," it doesn't natively display the timestamp of when that process actually began. To find this data, we must bridge the gap between the Service Control Manager and the underlying Windows process or the System Event Log.

This guide will explain how to use wmic and wevtutil in a Batch script to extract the precise last start time of any Windows service.

Method 1: Using WMIC (Process Uptime Method)

Every running service is associated with a Process ID (PID). By finding the creation time of that specific PID, we can determine exactly when the service instance began.

The Extraction Script

@echo off
setlocal enabledelayedexpansion

set "svc=Spooler"

:: Verify the service exists
sc query "%svc%" >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Service '%svc%' does not exist.
    pause
    exit /b 1
)

:: 1. Get the PID of the service
:: sc queryex prints "        PID                : 1234"; with the default
:: space/tab delimiters the number is the third token (token 2 is the colon)
set "spid="
for /f "tokens=3" %%a in ('sc queryex "%svc%" ^| findstr /c:"PID"') do set "spid=%%a"

if not defined spid (
    echo [ERROR] Could not determine PID for '%svc%'.
    pause
    exit /b 1
)

if "!spid!"=="0" (
    echo [INFO] Service '%svc%' is not currently running.
    pause
    exit /b 0
)

echo [QUERY] Service '%svc%' is running with PID: !spid!

:: 2. Use WMIC to get the CreationDate of that PID
:: /value prints "CreationDate=20240101120000.123456+060"; keep the right-hand side
set "rawTime="
for /f "tokens=2 delims==" %%t in ('wmic process where "ProcessId=!spid!" get CreationDate /value 2^>nul ^| findstr "="') do (
    set "rawTime=%%t"
)

if not defined rawTime (
    echo [WARNING] Could not retrieve process creation time.
    echo The process may have exited or access was denied.
    pause
    exit /b 1
)

:: 3. Format the raw WMI timestamp (YYYYMMDDHHMMSS...)
set "year=!rawTime:~0,4!"
set "month=!rawTime:~4,2!"
set "day=!rawTime:~6,2!"
set "hour=!rawTime:~8,2!"
set "min=!rawTime:~10,2!"
set "sec=!rawTime:~12,2!"

echo [RESULT] Service '%svc%' was started on: !year!-!month!-!day! at !hour!:!min!:!sec!

pause
endlocal

The WMI timestamp is very precise but needs manual parsing in Batch (as shown above) to be human-readable. The raw format is YYYYMMDDHHMMSS.ffffff+ZZZ, where +ZZZ is the offset from UTC in minutes (for example +060 for UTC+1).
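The following script is an added example and is not code from the original article. It generalises Method 1: the Service Name is taken from the first argument (defaulting to Spooler, an assumption), the hosting image and any co-hosted services are read from tasklist /svc so that a shared svchost.exe is flagged before the timestamp is trusted, the trailing carriage return that WMIC appends to its output is stripped, and the UTC offset is printed alongside the local time. Note that WMIC is deprecated and may not be installed on recent Windows builds; Method 1 depends on it, so this example does too.

```batch
@echo off
setlocal enabledelayedexpansion

:: Added example, not part of the original article. Takes the Service Name as
:: the first argument (default: Spooler), reports the hosting image and PID,
:: warns when the PID is shared with other services, and prints the WMI
:: creation time together with its UTC offset.
set "svc=%~1"
if not defined svc set "svc=Spooler"

sc query "%svc%" >nul 2>&1 || (
    echo [ERROR] Service '%svc%' does not exist.
    exit /b 1
)

:: sc queryex prints "        PID                : 1234"; with the default
:: space/tab delimiters the number is the third token (token 2 is the colon).
set "spid="
for /f "tokens=3" %%a in ('sc queryex "%svc%" ^| findstr /c:"PID"') do set "spid=%%a"
if not defined spid (
    echo [ERROR] Could not determine PID for '%svc%'.
    exit /b 1
)
if "%spid%"=="0" (
    echo [INFO] Service '%svc%' is not running; use the Event Log method instead.
    exit /b 0
)

:: tasklist /svc lists every service hosted by that PID on one line, e.g.
:: "svchost.exe    1234 DcomLaunch, PlugPlay, Power". A comma in the last
:: column means the process is shared, so its creation time is the host's
:: start time, not necessarily the start time of this service.
set "img="
set "hosted="
for /f "tokens=1,2,*" %%p in ('tasklist /svc /nh /fi "PID eq %spid%"') do (
    set "img=%%p"
    set "hosted=%%r"
)
echo [QUERY] '%svc%' runs in !img!, PID %spid%, hosting: !hosted!
if not "!hosted:,=!"=="!hosted!" (
    echo [CAVEAT] PID %spid% is shared. The time below is when the host process
    echo          started, which may predate the start of '%svc%' itself.
)

:: /value prints "CreationDate=<stamp>" followed by a carriage return; the
:: inner for /f re-parses the token, which drops that trailing CR.
set "rawTime="
for /f "tokens=2 delims==" %%t in ('wmic process where "ProcessId=%spid%" get CreationDate /value 2^>nul ^| findstr "="') do (
    for /f "delims=" %%u in ("%%t") do set "rawTime=%%u"
)
if not defined rawTime (
    echo [WARNING] Could not retrieve creation time for PID %spid% - it exited, or access was denied.
    exit /b 1
)

:: CIM_DATETIME layout: yyyymmddHHMMSS.ffffff+UUU. The date/time part is
:: already local time; UUU is the offset from UTC in minutes (e.g. +060).
set "stamp=!rawTime:~0,4!-!rawTime:~4,2!-!rawTime:~6,2! !rawTime:~8,2!:!rawTime:~10,2!:!rawTime:~12,2!"
set "offset=!rawTime:~21,4!"
echo [RESULT] Process %spid% was created at !stamp! local time, UTC offset !offset! minutes
endlocal
exit /b 0
```

Run it as `svcstart.cmd Spooler` (or any other Service Name). When the CAVEAT line appears, treat the timestamp as the host's start time and fall back to the Event Log method for the individual service.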

Method 2: Using the System Event Log (Historical Method)

If a service is currently stopped, the Process ID method won't work. In this case, you must query the Windows Event Log for Event ID 7036, which records when a service changes status.

Script: Querying Event Logs

@echo off
setlocal
set "svc=Print Spooler"

echo [QUERY] Searching Event Log for the last start of '%svc%'...
echo.

:: Use wevtutil to find the most recent Event 7036 for this service entering the "running" state
:: Event 7036 stores the Display Name in param1 and the new state in param2;
:: filtering on param2='running' keeps a matching "stopped" event from being returned
:: /c:1 = Return only the most recent match
:: /rd:true = Read in reverse chronological order (newest first)
:: /f:text = Output in human-readable text format
wevtutil qe System "/q:*[System[EventID=7036] and EventData[Data[@Name='param1']='%svc%' and Data[@Name='param2']='running']]" /c:1 /rd:true /f:text 2>nul | findstr /c:"Date"

if %errorlevel% neq 0 (
    echo [INFO] No start events found for '%svc%' in the System log.
    echo The event may have been cleared, or the service name may be incorrect.
    echo.
    echo [TIP] Use the Display Name (e.g., "Print Spooler"^) for Event Log queries.
)

echo.
pause
endlocal

Why this works:

  • qe System: Queries the System log.
  • EventID=7036: The specific ID for service status changes.
  • /rd:true: "Read backwards," meaning we get the most recent event first.
  • /c:1: Only returns 1 result (the very last matching event).
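The script below is an added example, not code from the original article. It extends Method 2 in two ways that the naming rule in this article makes necessary: it accepts the short Service Name (the one sc uses) as its first argument (default Spooler, an assumption), resolves the Display Name itself from sc qc, and then queries the System log twice, once for the newest 7036 event in which that exact service entered the "running" state and once for the newest "stopped" one, so a stop is never mistaken for a start. The EventData field names param1 and param2 are those written by the Service Control Manager for Event 7036.

```batch
@echo off
setlocal enabledelayedexpansion

:: Added example, not part of the original article. Takes the Service Name as
:: the first argument (default: Spooler), resolves its Display Name with sc qc,
:: and asks the System log for the newest 7036 event in which exactly that
:: service entered the "running" state, then the newest "stopped" one.
set "svc=%~1"
if not defined svc set "svc=Spooler"

:: sc qc prints "        DISPLAY_NAME       : Print Spooler"; keep everything
:: after the first colon and drop the single leading space.
set "disp="
for /f "tokens=1,* delims=:" %%a in ('sc qc "%svc%" 2^>nul ^| findstr /c:"DISPLAY_NAME"') do set "disp=%%b"
if not defined disp (
    echo [ERROR] Service '%svc%' does not exist or could not be queried.
    exit /b 1
)
set "disp=!disp:~1!"
echo [QUERY] '%svc%' is logged under the Display Name '!disp!'

call :lastEvent running
call :lastEvent stopped
endlocal
exit /b 0

:lastEvent
:: Event 7036 carries two EventData fields: param1 is the Display Name and
:: param2 the new state. Filtering on both keeps a "stopped" event from being
:: reported as a start. usebackq lets the XPath keep its single quotes.
set "xp=*[System[Provider[@Name='Service Control Manager'] and EventID=7036] and EventData[Data[@Name='param1']='!disp!' and Data[@Name='param2']='%~1']]"
set "when="
:: /f:text prints a "  Date: <timestamp>" line; tokens=1,* keeps the colons inside the timestamp
for /f "usebackq tokens=1,* delims=:" %%d in (`wevtutil qe System "/q:!xp!" /c:1 /rd:true /f:text 2^>nul ^| findstr /c:"Date:"`) do set "when=%%e"
if defined when (
    echo [RESULT] Last '%~1' transition of '!disp!': !when:~1!
) else (
    echo [INFO] No 7036 '%~1' event for '!disp!' found in the System log.
)
exit /b 0
```

Run it as `svcevents.cmd Spooler`. Because the state filter is a subroutine argument, the same routine answers both "when did it last start?" and "when did it last stop?", which is the pair of timestamps an uptime or incident timeline usually needs.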

How to Avoid Common Errors

Wrong Way: Checking file modification dates

Some users look at the .exe file's last modified date.

Why it fails: This only shows when the software was installed or updated, not when it was launched.

Correct Way: Use PID creation time (live) or Event Logs (history).

Problem: Shared Processes (svchost)

If multiple services share one svchost.exe process (for example DcomLaunch and Power), sc queryex reports the same PID for all of them, so the wmic process method returns the creation time of the shared host process, which is when the first service in that group launched it, not when the service you asked about was started.

Best Practice: For shared services, the Event Log method is the only accurate way to know when a specific service within the group was started.

Best Practices and Security Rules

1. Administrative Privileges

Querying the Event Log (wevtutil) and process metadata (wmic) requires Administrator rights. If you run these scripts from a standard prompt, you will likely receive an "Access Denied" error or an empty result.

2. Service Naming

When using the Event Log method, you must use the Display Name (e.g., Print Spooler) because that is what is written into the event description. When using the Process method, use the Service Name (e.g., Spooler).

3. Handle Time Zones

WMI timestamps carry a UTC offset. Unless your machine runs on UTC, the raw string will end with something like +060 or -300 (the offset from UTC in minutes). For simple audits, the first 14 characters (through seconds) are usually sufficient, since that part is already expressed in local time.

Conclusions

Extracting the last start time of a service in Batch script requires looking deeper than the surface status. By combining PID tracking with wmic for active services and wevtutil for historical data, you can build a complete picture of your system's uptime. These dual methods ensure that you have the evidence needed for professional-grade forensics and system monitoring.