Skip to main content
Question

CMA Windows Services-Auto check reports Kernel Drivers as stopped services despite SERVICE_TYPE=service

  • April 30, 2026
  • 0 replies
  • 8 views
P
Forum|alt.badge.img+3

Bonjour,

Nous utilisons Centreon 25.10 sur des serveurs RHEL 9.6 avec le Centreon Monitoring Agent, CMA, pour superviser des serveurs Windows en mode push.

Nous utilisons le service template Windows CMA suivant :

OS-Windows-Services-Auto-Centreon-Monitoring-Agent-custom

L’objectif de ce contrôle est de superviser les services Windows configurés en démarrage automatique et actuellement arrêtés.

Le service est configuré avec les macros suivantes :

STARTAUTO = true
FILTERNAME = .*
FILTERDISPLAY = .*
SERVICE_TYPE = service
START_TYPE = auto
CRITICALSTATE = stopped

Malgré la valeur SERVICE_TYPE=service, le contrôle remonte plusieurs Windows Kernel Drivers comme des services arrêtés.

Exemple de retour d’alerte :

CRITICAL: services: 4 stopped, 132 running
CRITICAL: dam is stopped
CRITICAL: sacdrv is stopped
CRITICAL: SentinelELAM is stopped
CRITICAL: WdBoot is stopped

Sur le serveur Windows, ces objets ne sont pas des services Windows classiques visibles dans services.msc. Ce sont des Kernel Drivers.

Vérification PowerShell réalisée sur le serveur Windows :

"dam","sacdrv","SentinelELAM","WdBoot" | ForEach-Object {

Write-Host "===== $_ ====="

 
Get-CimInstance Win32_Service -Filter "Name='$_'" |
Select-Object Name, DisplayName, State, StartMode, ServiceType, PathName |
Format-List

Get-CimInstance Win32_SystemDriver -Filter "Name='$_'" |
Select-Object Name, DisplayName, State, StartMode, ServiceType, PathName |
Format-List

}

Résultat obtenu :

===== dam =====

Name : dam

DisplayName : Desktop Activity Moderator Driver

State : Stopped

StartMode : System

ServiceType : Kernel Driver

PathName : C:\Windows\system32\drivers\dam.sys

===== sacdrv =====

Name : sacdrv

DisplayName : sacdrv

State : Stopped

StartMode : Boot

ServiceType : Kernel Driver

PathName : C:\Windows\system32\DRIVERS\sacdrv.sys

===== SentinelELAM =====

Name : SentinelELAM

DisplayName : SentinelELAM

State : Stopped

StartMode : Boot

ServiceType : Kernel Driver

PathName : C:\Windows\system32\DRIVERS\SentinelOne\ELAM\SentinelELAM.sys

===== WdBoot =====

Name : WdBoot

DisplayName : Pilote de démarrage de l’antivirus Microsoft Defender

State : Stopped

StartMode : Boot

ServiceType : Kernel Driver

PathName : C:\Windows\system32\drivers\wd\WdBoot.sys

Comportement attendu :

Lorsque SERVICE_TYPE=service est configuré, le contrôle CMA Services-Auto devrait superviser uniquement les services Windows classiques et exclure les Kernel Drivers.

Le contrôle ne devrait pas remonter des objets ayant :

ServiceType = Kernel Driver
StartMode = Boot ou System

Comportement constaté :

Le contrôle remonte ces Kernel Drivers comme des services arrêtés.

Cela semble également inattendu car le contrôle est configuré avec START_TYPE=auto, alors que les objets concernés ont un StartMode égal à Boot ou System.

Contournement actuel :

Nous pouvons exclure explicitement ces objets via la macro EXCLUDENAME, par exemple :

EXCLUDENAME = ^(dam|sacdrv|SentinelELAM|WdBoot)$

Cependant, ce contournement impose de maintenir une liste d’exclusion pour des drivers techniques qui devraient normalement être ignorés lorsque SERVICE_TYPE=service est utilisé.

Questions :

  1. Ce comportement est-il attendu avec le contrôle CMA Windows Services-Auto ?
  2. La valeur SERVICE_TYPE=service devrait-elle exclure les Kernel Drivers ?
  3. La valeur START_TYPE=auto devrait-elle exclure les objets ayant un StartMode Boot ou System ?
  4. Existe-t-il une valeur de macro recommandée pour superviser uniquement les vrais services Windows et exclure les drivers ?
  5. Faut-il considérer cela comme un bug du contrôle CMA services ou du template du plugin pack Windows CMA ?

Environnement :

Version Centreon : 25.10
OS des serveurs Centreon : RHEL 9.6
Méthode de supervision : Centreon Monitoring Agent, mode push
OS supervisé : Windows Server
Plugin installé : centreon-plugin-Operatingsystems-Windows-Centreon-Monitoring-Agent
Service template : OS-Windows-Services-Auto-Centreon-Monitoring-Agent-custom

Merci pour votre aide.

---

Message:

Hello,

We are using Centreon 25.10 on RHEL 9.6 servers with Centreon Monitoring Agent, CMA, to monitor Windows servers in push mode.

We are using the following Windows CMA service template:

OS-Windows-Services-Auto-Centreon-Monitoring-Agent-custom

The purpose of this check is to monitor Windows services configured with automatic startup and currently stopped.

The service is configured with the following macros:

STARTAUTO = true
FILTERNAME = .*
FILTERDISPLAY = .*
SERVICE_TYPE = service
START_TYPE = auto
CRITICALSTATE = stopped

Despite SERVICE_TYPE=service, the check reports several Windows Kernel Drivers as stopped services.

Example alert output:

CRITICAL: services: 4 stopped, 132 running
CRITICAL: dam is stopped
CRITICAL: sacdrv is stopped
CRITICAL: SentinelELAM is stopped
CRITICAL: WdBoot is stopped

On the Windows server, these objects are not regular Windows services visible in services.msc. They are Kernel Drivers.

PowerShell verification performed on the Windows server:

"dam","sacdrv","SentinelELAM","WdBoot" | ForEach-Object {

Write-Host "===== $_ ====="

 
Get-CimInstance Win32_Service -Filter "Name='$_'" |
Select-Object Name, DisplayName, State, StartMode, ServiceType, PathName |
Format-List

Get-CimInstance Win32_SystemDriver -Filter "Name='$_'" |
Select-Object Name, DisplayName, State, StartMode, ServiceType, PathName |
Format-List

}

Result:

===== dam =====

Name : dam

DisplayName : Desktop Activity Moderator Driver

State : Stopped

StartMode : System

ServiceType : Kernel Driver

PathName : C:\Windows\system32\drivers\dam.sys

===== sacdrv =====

Name : sacdrv

DisplayName : sacdrv

State : Stopped

StartMode : Boot

ServiceType : Kernel Driver

PathName : C:\Windows\system32\DRIVERS\sacdrv.sys

===== SentinelELAM =====

Name : SentinelELAM

DisplayName : SentinelELAM

State : Stopped

StartMode : Boot

ServiceType : Kernel Driver

PathName : C:\Windows\system32\DRIVERS\SentinelOne\ELAM\SentinelELAM.sys

===== WdBoot =====

Name : WdBoot

DisplayName : Microsoft Defender Antivirus Boot Driver

State : Stopped

StartMode : Boot

ServiceType : Kernel Driver

PathName : C:\Windows\system32\drivers\wd\WdBoot.sys

Expected behavior:

When SERVICE_TYPE=service is configured, the CMA Services-Auto check should only monitor regular Windows services and exclude Kernel Drivers.

The check should not report objects with:

ServiceType = Kernel Driver
StartMode = Boot or System

Actual behavior:

The check reports these Kernel Drivers as stopped services.

This also seems unexpected because the check is configured with START_TYPE=auto, while the affected objects have StartMode set to Boot or System.

Current workaround:

We can explicitly exclude these objects using the EXCLUDENAME macro, for example:

EXCLUDENAME = ^(dam|sacdrv|SentinelELAM|WdBoot)$

However, this workaround requires maintaining an exclusion list for technical drivers that should normally be ignored when SERVICE_TYPE=service is used.

Questions:

  1. Is this behavior expected with the current CMA Windows Services-Auto check?
  2. Should SERVICE_TYPE=service exclude Kernel Drivers?
  3. Should START_TYPE=auto exclude objects with StartMode Boot or System?
  4. Is there a recommended macro value to monitor only real Windows services and exclude drivers?
  5. Should this be considered a bug in the CMA services check or in the Windows CMA plugin pack template?

Environment:

Centreon version: 25.10
Centreon servers OS: RHEL 9.6
Monitoring method: Centreon Monitoring Agent, push mode
Monitored OS: Windows Server
Installed plugin: centreon-plugin-Operatingsystems-Windows-Centreon-Monitoring-Agent
Service template: OS-Windows-Services-Auto-Centreon-Monitoring-Agent-custom

Thank you for your help.

 

 

 

 

 

Terms & ConditionsAccessibility statement