# Event ID 7045: Service Installed

This event, logged to the `System` channel, is produced when a new service is installed on the system.

## Analysis Value

{% content-ref url="/pages/LRJZQZsAd12i4mDfGwuK" %}
[Security Identifier](/windows-forensics/artifacts-by-activity/account-activity/security-identifier.md)
{% endcontent-ref %}

{% content-ref url="/pages/V3cDcDJogcr4slquHEzB" %}
[File Path](/windows-forensics/artifacts-by-activity/file-activity/file-path.md)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ✅       | Server 2003   | ❌       |
| Windows XP    | ❌       |               |         |

## Artifact Location(s)

* `%SystemRoot%\System32\Winevt\Logs\System.evtx`

## Artifact Interpretation

| Field                    | Interpretation                                                                                        | Reference                                                                                               |
| ------------------------ | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- |
| `System/Security/UserID` | This field provides the SID of the account that installed the new service.                            | [Security Identifier](/windows-forensics/artifacts-by-activity/account-activity/security-identifier.md) |
| `EventData/ImagePath`    | This field provides the full path to the executable that will be run when the new service is started. | [File Path](/windows-forensics/artifacts-by-activity/file-activity/file-path.md)                        |

{% hint style="info" %}
This event alone does not indicate whether the service was installed locally or remotely; services may be installed over the network using utilities such as `sc.exe`. When the new service was installed remotely, an [EventID 4624: An account was successfully logged on](/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon.md) event with a `LogonType` of 3 may be logged on the target system around the time the service is installed.
{% endhint %}

## Example

In this example, the following command was executed on a domain controller:

```
sc.exe \\WKS10-01 create mynewservice binpath= c:\temp\example.exe start= auto displayname= "My new service"
```

This installed a new service on the system WKS10-01, generating the following [EventID 4624: An account was successfully logged on](/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon.md) event:

```
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<System>
		<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"/>
		<EventID>4624</EventID>
		<Version>2</Version>
		<Level>0</Level>
		<Task>12544</Task>
		<Opcode>0</Opcode>
		<Keywords>0x8020000000000000</Keywords>
		<TimeCreated SystemTime="2023-05-08T22:04:15.0931035Z"/>
		<EventRecordID>9719</EventRecordID>
		<Correlation ActivityID="{96cea955-81f8-0004-8ea9-ce96f881d901}"/>
		<Execution ProcessID="900" ThreadID="3128"/>
		<Channel>Security</Channel>
		<Computer>WKS10-01.hlab.com</Computer>
		<Security/>
	</System>
	<EventData>
		<Data Name="SubjectUserSid">S-1-0-0</Data>
		<Data Name="SubjectUserName">-</Data>
		<Data Name="SubjectDomainName">-</Data>
		<Data Name="SubjectLogonId">0x0</Data>
		<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
		<Data Name="TargetUserName">mvanburanadm</Data>
		<Data Name="TargetDomainName">HLAB</Data>
		<Data Name="TargetLogonId">0xe4d79</Data>
		<Data Name="LogonType">3</Data>
		<Data Name="LogonProcessName">NtLmSsp</Data>
		<Data Name="AuthenticationPackageName">NTLM</Data>
		<Data Name="WorkstationName">HLDC01-WS2K19</Data>
		<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="TransmittedServices">-</Data>
		<Data Name="LmPackageName">NTLM V2</Data>
		<Data Name="KeyLength">128</Data>
		<Data Name="ProcessId">0x0</Data>
		<Data Name="ProcessName">-</Data>
		<Data Name="IpAddress">172.16.100.10</Data>
		<Data Name="IpPort">49757</Data>
		<Data Name="ImpersonationLevel">%%1833</Data>
		<Data Name="RestrictedAdminMode">-</Data>
		<Data Name="TargetOutboundUserName">-</Data>
		<Data Name="TargetOutboundDomainName">-</Data>
		<Data Name="VirtualAccount">%%1843</Data>
		<Data Name="TargetLinkedLogonId">0x0</Data>
		<Data Name="ElevatedToken">%%1842</Data>
	</EventData>
</Event>
```

It also generated the following [Event ID 7045: Service Installed](/windows-forensics/artifacts-by-type/event-log-artifacts/system/evtx-7045-service-install.md) event in the `System` channel:

```
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
	<System>
		<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager"/>
		<EventID Qualifiers="16384">7045</EventID>
		<Version>0</Version>
		<Level>4</Level>
		<Task>0</Task>
		<Opcode>0</Opcode>
		<Keywords>0x8080000000000000</Keywords>
		<TimeCreated SystemTime="2023-05-08T22:04:15.0831494Z"/>
		<EventRecordID>1033</EventRecordID>
		<Correlation/>
		<Execution ProcessID="880" ThreadID="968"/>
		<Channel>System</Channel>
		<Computer>WKS10-01.hlab.com</Computer>
		<Security UserID="S-1-5-21-3829912423-625253200-3062624365-1105"/>
	</System>
	<EventData>
		<Data Name="ServiceName">My new service</Data>
		<Data Name="ImagePath">c:\temp\example.exe</Data>
		<Data Name="ServiceType">user mode service</Data>
		<Data Name="StartType">auto start</Data>
		<Data Name="AccountName">LocalSystem</Data>
	</EventData>
</Event>
```

This example was produced on Windows 10, Version 10.0.19044 Build 19044.
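The correlation described in the hint above, applied to the two events in this example, as an added illustration (not code from this documentation): the `System/Security/UserID` of a 7045 is matched against the `TargetUserSid` of a 4624 with `LogonType` 3 on the same host within a short time window. The sample XML is constructed, condensed from the events shown on this page; note that in the example the 7045 is stamped about 10 ms *before* the 4624, so the window is applied in both directions rather than requiring the logon to come first.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed samples, condensed from the two events shown on this page.
SAMPLE_4624 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4624</EventID><TimeCreated SystemTime="2023-05-08T22:04:15.0931035Z"/>
<Computer>WKS10-01.hlab.com</Computer><Security/></System><EventData>
<Data Name="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
<Data Name="TargetUserName">mvanburanadm</Data><Data Name="LogonType">3</Data>
<Data Name="WorkstationName">HLDC01-WS2K19</Data><Data Name="IpAddress">172.16.100.10</Data>
</EventData></Event>"""
SAMPLE_7045 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID Qualifiers="16384">7045</EventID><TimeCreated SystemTime="2023-05-08T22:04:15.0831494Z"/>
<Computer>WKS10-01.hlab.com</Computer>
<Security UserID="S-1-5-21-3829912423-625253200-3062624365-1105"/></System><EventData>
<Data Name="ServiceName">My new service</Data><Data Name="ImagePath">c:\temp\example.exe</Data>
<Data Name="StartType">auto start</Data></EventData></Event>"""

def parse_event(xml_text):
    """Pull out the fields this page discusses: System/Security/UserID and EventData/*."""
    root = ET.fromstring(xml_text)
    system, security = root.find("e:System", NS), root.find("e:System/e:Security", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS).strip()),
        "time": datetime.strptime(stamp[:26], "%Y-%m-%dT%H:%M:%S.%f"),  # %f takes <= 6 digits
        "computer": system.findtext("e:Computer", namespaces=NS),
        "user_sid": security.get("UserID") if security is not None else None,
        "data": {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)},
    }

def correlate_remote_installs(xml_events, window=timedelta(seconds=60)):
    """Pair each 7045 with a 4624 LogonType 3 for the same SID on the same host within the window.
    The window is checked in both directions: the System-channel 7045 and the Security-channel
    4624 are stamped independently, and in the page's example the 7045 lands ~10 ms earlier."""
    events = [parse_event(x) for x in xml_events]
    logons = [e for e in events if e["event_id"] == 4624 and e["data"].get("LogonType") == "3"]
    findings = []
    for svc in (e for e in events if e["event_id"] == 7045):
        for lg in logons:
            if (lg["computer"] == svc["computer"] and lg["data"].get("TargetUserSid") == svc["user_sid"]
                    and abs(svc["time"] - lg["time"]) <= window):
                findings.append({"service": svc["data"]["ServiceName"], "image_path": svc["data"]["ImagePath"],
                                 "installer_sid": svc["user_sid"], "installer": lg["data"].get("TargetUserName"),
                                 "source_ip": lg["data"].get("IpAddress"), "source_host": lg["data"].get("WorkstationName")})
    return findings

if __name__ == "__main__":
    print(correlate_remote_installs([SAMPLE_4624, SAMPLE_7045]))
```

A 7045 with no matching network logon is not proof of a local install (the logon may predate the window or be missing if auditing was off), so treat an unmatched hit as "origin unknown" rather than "local".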
