@Rastegui To pinpoint the user or process stopping the Splunk UF, you need to look beyond Splunk’s internal logs and Windows System Events alone.

Enable and Monitor Windows Security Event Logs

Required Log Source: Windows Security Event Log (WinEventLog:Security)

The Security Event Log can capture events related to service control actions if auditing is enabled. Specifically, Event ID 4656 (with proper auditing) or Event ID 4670 (permissions changes) might indicate when a user or process interacts with the SplunkForwarder service. Ensure the Splunk UF is configured to forward Windows Security Event Logs.

Useful Windows Security Event Log codes to monitor for identifying the user or process responsible for stopping the Splunk UF agent:

Event ID 4688: Logs the creation of a new process. This can help identify the process responsible for stopping the Splunk UF agent.
Event ID 4648: Logs the use of explicit credentials. This can help identify the user who performed the action.
Event ID 4624: Logs successful account logons. This can help track user activity.
Event ID 4625: Logs failed account logons. This can indicate unauthorized attempts to access the system.
Event ID 1102: Logs audit log clearance. This can indicate an attempt to cover tracks.

By monitoring these event codes, you should be able to get a clearer picture of the user or process responsible for stopping the Splunk UF agent.

Please check this: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
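The following PowerShell is an added worked example and is not part of the answer above or of any Splunk-provided tooling. It enables the Process Creation auditing (4688 with command line) the answer depends on, then correlates Service Control Manager 7036 "entered the stopped state" events from the System log with 4688 events whose command line references Splunk, so the SubjectUserName and parent process of the stop command can be read off. Assumptions: it runs elevated on the forwarder host itself, the service name is SplunkForwarder, and the look-back window of 24 hours and the two-minute correlation window are arbitrary choices.

```powershell
# Added example (not from the original post). Assumptions: run elevated on the
# UF host, service name is "SplunkForwarder", 24-hour look-back window.

# 1. Turn on Process Creation auditing (Event ID 4688) and include the command
#    line in the event; without the registry value, 4688 carries no CommandLine.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

$service = 'SplunkForwarder'
$since   = (Get-Date).AddHours(-24)

# Helper: read named EventData fields from the event XML. This is more robust
# than indexing $_.Properties positionally, which differs between OS versions.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 2. When did the service stop? SCM event 7036 in the System log supplies the
#    timestamps to correlate against.
$stops = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "$service.*stopped" }

# 3. Who did it? 4688 events whose command line touches Splunk (net stop,
#    sc stop, Stop-Service, splunk.exe stop, taskkill splunkd.exe, ...) carry
#    the subject account and, on Windows 10 / Server 2016 and later, the parent.
$stopCmds = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.CommandLine -match '(?i)(stop|kill).*splunk|splunk.*stop') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process     = $d.NewProcessName
                Parent      = $d.ParentProcessName
                CommandLine = $d.CommandLine
            }
        }
    }

# 4. Report each stop together with the matching process creations from the
#    two minutes before it.
foreach ($s in $stops) {
    "`n$service stopped at $($s.TimeCreated)"
    $stopCmds |
        Where-Object { $_.Time -ge $s.TimeCreated.AddMinutes(-2) -and $_.Time -le $s.TimeCreated } |
        Format-Table Time, User, Process, Parent, CommandLine -AutoSize
}
```

Caveat: a stop issued from the services.msc GUI does not spawn a new process, so no 4688 names the service; in that case the 7036 timestamp has to be matched against the 4624 logon sessions (and the 4688 for mmc.exe) active on the host at that moment, which is why the answer lists those IDs as well. The same correlation can be run in Splunk once the Security and System logs are being forwarded, which avoids depending on logs that remain only on the host that was tampered with.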