Windows Event Collector (Wecsvc) Service Defaults in Windows 8

This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI-enabled event sources. The service stores forwarded events in a local Event Log. If this service is stopped or disabled event subscriptions cannot be created and forwarded events cannot be accepted.

Default Settings

Startup type:Manual
Display name:Windows Event Collector
Service name:Wecsvc
Service type:share
Error control:normal
Object:NT AUTHORITY\NetworkService
Path:%SystemRoot%\system32\svchost.exe -k NetworkService
File:%SystemRoot%\system32\wecsvc.dll
Registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc
Privileges:
  • SeAuditPrivilege
  • SeChangeNotifyPrivilege
  • SeImpersonatePrivilege

Default Behavior

Windows Event Collector is a Win32 service. In Windows 8 it will not be started until the user starts it. When the Windows Event Collector service is started, it runs as NT AUTHORITY\NetworkService in a process of svchost.exe, sharing it with other services. If Windows Event Collector fails to start, the error details are added to Windows 8 error log. When the operating system startup is complete, the user is being notified that the Wecsvc service hasn't been started.

Dependencies

Windows Event Collector can't start, if any service from the list below is disabled or not available:

Restore Default Startup Configuration for Windows Event Collector

Before you begin doing this, make sure that all the services on which Windows Event Collector depends are configured by default and function properly. See the list of dependencies above.

1. Run the Command Prompt as an administrator.

2. Copy the command below, paste it into the command window and press ENTER:

sc config Wecsvc start= demand

3. Close the command window and restart the computer.

The Wecsvc service is using the wecsvc.dll file that is located in the %WinDir%\system32 folder. If the file is corrupted or deleted, you can put it back in there.