Ad Widget

Collapse

Difficulty to ignore a Windows service

Collapse
This topic has been answered.
X
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • EHRETic
    Member
    • Jan 2021
    • 45
    #1

    Difficulty to ignore a Windows service

    Hi there,

    I would not post but with this one, I'm not getting any result! Since last Windows updates, I have plenty of computers/servers reporting that service AppXSvc is not running.
    This statement is true, especially when there is no user. But this service does start and stop continuously (without crashing).
    It seems to be by design (don't ask why)!

    So I get those alerts (I have a mix of French and English OSes) :
    18:42:59 X "AppXSvc" (Service de déploiement AppX (AppXSVC)) is not running (startup type automatic) 30m 28s Update class: oscomponent: systemname: Service de déploiement AppX (AppXSVC)
    18:39:28 X "AppXSvc" (AppX Deployment Service (AppXSVC)) is not running (startup type automatic) 33m 59s Update class: oscomponent: systemname: AppX Deployment Service (AppXSVC)
    18:36:01 X "AppXSvc" (Service de déploiement AppX (AppXSVC)) is not running (startup type automatic) 37m 26s Update class: oscomponent: systemname: Service de déploiement AppX (AppXSVC)
    18:21:30 X "AppXSvc" (AppX Deployment Service (AppXSVC)) is not running (startup type automatic) 51m 57s Update class: oscomponent: systemname: AppX Deployment Service (AppXSVC)
    Usually, for unnecessary services, I update my regex in macro {$SERVICE.NAME.NOT_MATCHES} from Windows services detection template but this one is still coming back...

    This is my regex, I'm doing something wrong?

    ^(?:AppXSvc|BITS|brave|camsvc|cbdhsvc|CDPSvc|CDPUs erSvc|clr_optimization_v.*|dbupdate|DoSvc|edgeupda te|GoogleUpdater.*|gpsvc|gupdate|IntelAudioService |Intel\(R\) TPM Provisioning Service|MapsBroker|MMCSS|MSExchangeNotificationsBr oker|Net Driver HPZ12|OneSyncSvc|Pml Driver HPZ12|RemoteRegistry|sppsvc|StateRepository|Sysmon Log|TabletInputService|TrustedInstaller|VeeamVssSu pport|webthreatdefusersvc|WpnUserService|wuauserv) $

    Thanks in advance for your help!
    Tags: None
    • Answer selected by EHRETic at 06-01-2026, 19:00.
      EHRETic
      Member
      • Jan 2021
      • 45
      Well, at the end of the day, I was putting my macro at the wrong place (Sooorrryyyy)

      I'll explain : probably in the past, there was some hierarchy in the templates:

      Windows by Zabbix agent active -->
      • Windows services by Zabbix agent active
      • Windows network by Zabbix agent active
      • etc...

      And I was putting my macro in the service template, without realizing that the inheritance was not there anymore (I still have that inheritance with the non active template). I think on update probably get rid of that inheritance.
      After I put the regex in the macros from the main template, it was working fine.

      The regex that works for me is :

      ^(?:RemoteRegistry|MMCSS|gupdate|SysmonLog|clr_opt imization_v.+|sppsvc|gpsvc|Pml Driver HPZ12|Net Driver HPZ12|MapsBroker|IntelAudioService|Intel\(R\) TPM Provisioning Service|dbupdate|DoSvc|CDPUserSvc_.+|WpnUserServic e_.+|OneSyncSvc_.+|WbioSrvc|BITS|StateRepository|t iledatamodelsvc|GISvc|ShellHWDetection|TrustedInst aller|TabletInputService|CDPSvc|wuauserv|edgeupdat e|cbdhsvc_.+|webthreatdefusersvc_.+|EHRETic-Services-Behind|AppXSvc|brave|camsvc|GoogleUpdater.+)$
        • Selected Answer

        Comment

        • troffasky
          Senior Member
          • Jul 2008
          • 565
          #2
          I think your ( is in the wrong place, needs to be between : and A

            Comment

            • cyber
              Senior Member
              Zabbix Certified SpecialistZabbix Certified Professional
              • Dec 2006
              • 4806
              #3
              Originally posted by troffasky
              I think your ( is in the wrong place, needs to be between : and A
              nope.. (?:....) is valid regex construct, called a "non-capturing group".

              Code:
              (?:...) A non-capturing group allows you to apply quantifiers to part of your regex but does not capture/assign an ID.
              On my computer this service has startup type "Manual (Trigger start)"..
              Last edited by cyber; 12-12-2025, 12:36.

                Comment

                • troffasky
                  Senior Member
                  • Jul 2008
                  • 565
                  #4
                  Yeah, looks like that is part of factory template.
                  Anyway, just added AppXSvc to the end of my regex as this is plaguing us since 10th Dec.

                    Comment

                    • troffasky
                      Senior Member
                      • Jul 2008
                      • 565
                      #5
                      Anyway, worked for me. Deleted item, re-ran discovery and did not reappear.

                      The end of my regex, FYI:

                      Code:
                      InventorySvc|VGAuthService|vmvss|VM3DService|SgrmBroker|SSUService|spice-agent|AppXSvc)$

                        Comment

                        • EHRETic
                          Member
                          • Jan 2021
                          • 45
                          #6

                          Hi there,

                          I think several solutions could work and this issue was driving me nut... but I think I found my problem (please confirm what you can find on your end)
                          My "Windows by Zabbix agent active" template doesn't have any "sub template" attached, compared to "Windows by Zabbix agent" that has plenty.

                          I was editing the macro in template "Windows services by Zabbix agent active" but if this one is not linked, it can not work.

                          Can somebody tell me what I should find in there? Thanks in advance.

                          PS: the main template has macros, probably from before the inheritance issue (if there is one of course)
                          PS2: my installation is at least 6 ears, might legacy templates showing me the wrong things

                          Click image for larger version Name: Capture d’écran 2025-12-13 à 10.28.51.png Views: 1 Size: 121.7 KB ID: 509714
                          Last edited by EHRETic; 13-12-2025, 12:08.

                            Comment

                            • kyus
                              Senior Member
                              • Feb 2024
                              • 171
                              #7
                              I'm not sure about what you meant, but the service discovery exists in the Windows by Zabbix agent template (active or not), and those templates don't have any "sub templates" (at least not in the version that I have).

                              Since you've mentioned that it is an older installation, I would suggest that you take a look at the problematic hosts "Macros" tab. It is possible that the {$SERVICE.NAME.NOT_MATCHES} macro was edited in the host configuration and, therefore, it doesn't get updated when you edit this macro in the template configuration.

                                Comment

                                • EHRETic
                                  Member
                                  • Jan 2021
                                  • 45
                                  #8
                                  Well, at the end of the day, I was putting my macro at the wrong place (Sooorrryyyy)

                                  I'll explain : probably in the past, there was some hierarchy in the templates:

                                  Windows by Zabbix agent active -->
                                  • Windows services by Zabbix agent active
                                  • Windows network by Zabbix agent active
                                  • etc...

                                  And I was putting my macro in the service template, without realizing that the inheritance was not there anymore (I still have that inheritance with the non active template). I think on update probably get rid of that inheritance.
                                  After I put the regex in the macros from the main template, it was working fine.

                                  The regex that works for me is :

                                  ^(?:RemoteRegistry|MMCSS|gupdate|SysmonLog|clr_opt imization_v.+|sppsvc|gpsvc|Pml Driver HPZ12|Net Driver HPZ12|MapsBroker|IntelAudioService|Intel\(R\) TPM Provisioning Service|dbupdate|DoSvc|CDPUserSvc_.+|WpnUserServic e_.+|OneSyncSvc_.+|WbioSrvc|BITS|StateRepository|t iledatamodelsvc|GISvc|ShellHWDetection|TrustedInst aller|TabletInputService|CDPSvc|wuauserv|edgeupdat e|cbdhsvc_.+|webthreatdefusersvc_.+|EHRETic-Services-Behind|AppXSvc|brave|camsvc|GoogleUpdater.+)$
                                    • Selected Answer

                                    Comment

                                    Previous template Next
                                    Working...