Event ID 7045: Service Installed

This event, logged to the System channel, is produced when a new service is installed on the system.

Analysis Value

Operating System Availability

Major Version

Support

Major Version

Support

Windows 11

✅

Server 2019

✅

Windows 10

✅

Server 2016

✅

Windows 8

✅

Server 2012

✅

Windows 7

✅

Server 2008

✅

Windows Vista

✅

Server 2003

❌

Windows XP

❌

Artifact Location(s)

%SystemRoot%\System32\Winevt\Logs\System.evtx

Artifact Interpretation

Field

Interpretation

Reference

System/Security/UserID

This field provides the SID of the account that installed the new service.

EventData/ImagePath

This field provides the full path to the executable that will be run when the new service is started.

There is no indication from this event alone that it was installed locally on the system itself, and services may be installed remotely leveraging utilities such as sc.exe. In the event that the new service was installed remotely, as EventID 4624: An account was successfully logged on event may be logged before the new service is installed with a LogonType of 3.

Example

In the following example, the following command was executed on a domain controller:

sc.exe \\WKS10-01 create mynewservice binpath= c:\temp\example.exe start= auto displayname= "My new service"

This installed a new service on the system WKS10-01, generating the following EventID 4624: An account was successfully logged on event:

-
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">-
	<System>
		<ProviderName="Microsoft-Windows-Security-Auditing"Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"/>
		<EventID>4624</EventID>
		<Version>2</Version>
		<Level>0</Level>
		<Task>12544</Task>
		<Opcode>0</Opcode>
		<Keywords>0x8020000000000000</Keywords>
		<TimeCreatedSystemTime="2023-05-08T22:04:15.0931035Z"/>
		<EventRecordID>9719</EventRecordID>
		<CorrelationActivityID="{96cea955-81f8-0004-8ea9-ce96f881d901}"/>
		<ExecutionProcessID="900"ThreadID="3128"/>
		<Channel>Security</Channel>
		<Computer>WKS10-01.hlab.com</Computer>
		<Security/>
	</System>-
	<EventData>
		<DataName="SubjectUserSid">S-1-0-0</Data>
		<DataName="SubjectUserName">-</Data>
		<DataName="SubjectDomainName">-</Data>
		<DataName="SubjectLogonId">0x0</Data>
		<DataName="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
		<DataName="TargetUserName">mvanburanadm</Data>
		<DataName="TargetDomainName">HLAB</Data><DataName="TargetLogonId">0xe4d79</Data>
		<DataName="LogonType">3</Data>
		<DataName="LogonProcessName">NtLmSsp</Data>
		<DataName="AuthenticationPackageName">NTLM</Data>
		<DataName="WorkstationName">HLDC01-WS2K19</Data>
		<DataName="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<DataName="TransmittedServices">-</Data>
		<DataName="LmPackageName">NTLMV2</Data>
		<DataName="KeyLength">128</Data>
		<DataName="ProcessId">0x0</Data>
		<DataName="ProcessName">-</Data>
		<DataName="IpAddress">172.16.100.10</Data>
		<DataName="IpPort">49757</Data>
		<DataName="ImpersonationLevel">%%1833</Data>
		<DataName="RestrictedAdminMode">-</Data>
		<DataName="TargetOutboundUserName">-</Data>
		<DataName="TargetOutboundDomainName">-</Data>
		<DataName="VirtualAccount">%%1843</Data>
		<DataName="TargetLinkedLogonId">0x0</Data>
		<DataName="ElevatedToken">%%1842</Data>
	</EventData>
</Event>

As well as the following Event ID 7045: Service Installed event in the System channel:

-
<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">-
	<System>
		<ProviderName="ServiceControlManager"Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}"EventSourceName="ServiceControlManager"/>
		<EventIDQualifiers="16384">7045
		</EventID>
		<Version>0</Version>
		<Level>4</Level>
		<Task>0</Task>
		<Opcode>0</Opcode>
		<Keywords>0x8080000000000000</Keywords>
		<TimeCreatedSystemTime="2023-05-08T22:04:15.0831494Z"/>
		<EventRecordID>1033</EventRecordID>
		<Correlation/>
		<ExecutionProcessID="880"ThreadID="968"/>
		<Channel>System</Channel>
		<Computer>WKS10-01.hlab.com</Computer>
		<SecurityUserID="S-1-5-21-3829912423-625253200-3062624365-1105"/>
	</System>-
	<EventData>
		<DataName="ServiceName">Mynewservice</Data>
		<DataName="ImagePath">c:\temp\example.exe</Data>
		<DataName="ServiceType">usermodeservice</Data>
		<DataName="StartType">autostart</Data>
		<DataName="AccountName">LocalSystem</Data>
	</EventData>
</Event>

This example was produced on Windows 10, Version 10.0.19044 Build 19044

Last updated 1 year ago

Artifact Interpretation

Field

Interpretation

Reference

System/Security/UserID

This field provides the SID of the account that installed the new service.

EventData/ImagePath

This field provides the full path to the executable that will be run when the new service is started.

Example

In the following example, the following command was executed on a domain controller:

sc.exe \\WKS10-01 create mynewservice binpath= c:\temp\example.exe start= auto displayname= "My new service"

This installed a new service on the system WKS10-01, generating the following EventID 4624: An account was successfully logged on event:

-
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">-
	<System>
		<ProviderName="Microsoft-Windows-Security-Auditing"Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"/>
		<EventID>4624</EventID>
		<Version>2</Version>
		<Level>0</Level>
		<Task>12544</Task>
		<Opcode>0</Opcode>
		<Keywords>0x8020000000000000</Keywords>
		<TimeCreatedSystemTime="2023-05-08T22:04:15.0931035Z"/>
		<EventRecordID>9719</EventRecordID>
		<CorrelationActivityID="{96cea955-81f8-0004-8ea9-ce96f881d901}"/>
		<ExecutionProcessID="900"ThreadID="3128"/>
		<Channel>Security</Channel>
		<Computer>WKS10-01.hlab.com</Computer>
		<Security/>
	</System>-
	<EventData>
		<DataName="SubjectUserSid">S-1-0-0</Data>
		<DataName="SubjectUserName">-</Data>
		<DataName="SubjectDomainName">-</Data>
		<DataName="SubjectLogonId">0x0</Data>
		<DataName="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
		<DataName="TargetUserName">mvanburanadm</Data>
		<DataName="TargetDomainName">HLAB</Data><DataName="TargetLogonId">0xe4d79</Data>
		<DataName="LogonType">3</Data>
		<DataName="LogonProcessName">NtLmSsp</Data>
		<DataName="AuthenticationPackageName">NTLM</Data>
		<DataName="WorkstationName">HLDC01-WS2K19</Data>
		<DataName="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<DataName="TransmittedServices">-</Data>
		<DataName="LmPackageName">NTLMV2</Data>
		<DataName="KeyLength">128</Data>
		<DataName="ProcessId">0x0</Data>
		<DataName="ProcessName">-</Data>
		<DataName="IpAddress">172.16.100.10</Data>
		<DataName="IpPort">49757</Data>
		<DataName="ImpersonationLevel">%%1833</Data>
		<DataName="RestrictedAdminMode">-</Data>
		<DataName="TargetOutboundUserName">-</Data>
		<DataName="TargetOutboundDomainName">-</Data>
		<DataName="VirtualAccount">%%1843</Data>
		<DataName="TargetLinkedLogonId">0x0</Data>
		<DataName="ElevatedToken">%%1842</Data>
	</EventData>
</Event>

As well as the following Event ID 7045: Service Installed event in the System channel:

-
<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">-
	<System>
		<ProviderName="ServiceControlManager"Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}"EventSourceName="ServiceControlManager"/>
		<EventIDQualifiers="16384">7045
		</EventID>
		<Version>0</Version>
		<Level>4</Level>
		<Task>0</Task>
		<Opcode>0</Opcode>
		<Keywords>0x8080000000000000</Keywords>
		<TimeCreatedSystemTime="2023-05-08T22:04:15.0831494Z"/>
		<EventRecordID>1033</EventRecordID>
		<Correlation/>
		<ExecutionProcessID="880"ThreadID="968"/>
		<Channel>System</Channel>
		<Computer>WKS10-01.hlab.com</Computer>
		<SecurityUserID="S-1-5-21-3829912423-625253200-3062624365-1105"/>
	</System>-
	<EventData>
		<DataName="ServiceName">Mynewservice</Data>
		<DataName="ImagePath">c:\temp\example.exe</Data>
		<DataName="ServiceType">usermodeservice</Data>
		<DataName="StartType">autostart</Data>
		<DataName="AccountName">LocalSystem</Data>
	</EventData>
</Event>

This example was produced on Windows 10, Version 10.0.19044 Build 19044