Event ID 7045: Service Installed
Last updated
Last updated
Windows 11
✅
Server 2019
✅
Windows 10
✅
Server 2016
✅
Windows 8
✅
Server 2012
✅
Windows 7
✅
Server 2008
%SystemRoot%\System32\Winevt\Logs\System.evtx
System/Security/UserID
This field provides the SID of the account that installed the new service.
EventData/ImagePath
This field provides the full path to the executable that will be run when the new service is started.
In the following example, the following command was executed on a domain controller:
This installed a new service on the system WKS10-01, generating the following EventID 4624: An account was successfully logged on event:
As well as the following Event ID 7045: Service Installed event in the System channel:
This example was produced on Windows 10, Version 10.0.19044 Build 19044
sc.exe \\WKS10-01 create mynewservice binpath= c:\temp\example.exe start= auto displayname= "My new service"-
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">-
<System>
<ProviderName="Microsoft-Windows-Security-Auditing"Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"/>
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreatedSystemTime="2023-05-08T22:04:15.0931035Z"/>
<EventRecordID>9719</EventRecordID>
<CorrelationActivityID="{96cea955-81f8-0004-8ea9-ce96f881d901}"/>
<ExecutionProcessID="900"ThreadID="3128"/>
<Channel>Security</Channel>
<Computer>WKS10-01.hlab.com</Computer>
<Security/>
</System>-
<EventData>
<DataName="SubjectUserSid">S-1-0-0</Data>
<DataName="SubjectUserName">-</Data>
<DataName="SubjectDomainName">-</Data>
<DataName="SubjectLogonId">0x0</Data>
<DataName="TargetUserSid">S-1-5-21-3829912423-625253200-3062624365-1105</Data>
<DataName="TargetUserName">mvanburanadm</Data>
<DataName="TargetDomainName">HLAB</Data><DataName="TargetLogonId">0xe4d79</Data>
<DataName="LogonType">3</Data>
<DataName="LogonProcessName">NtLmSsp</Data>
<DataName="AuthenticationPackageName">NTLM</Data>
<DataName="WorkstationName">HLDC01-WS2K19</Data>
<DataName="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<DataName="TransmittedServices">-</Data>
<DataName="LmPackageName">NTLMV2</Data>
<DataName="KeyLength">128</Data>
<DataName="ProcessId">0x0</Data>
<DataName="ProcessName">-</Data>
<DataName="IpAddress">172.16.100.10</Data>
<DataName="IpPort">49757</Data>
<DataName="ImpersonationLevel">%%1833</Data>
<DataName="RestrictedAdminMode">-</Data>
<DataName="TargetOutboundUserName">-</Data>
<DataName="TargetOutboundDomainName">-</Data>
<DataName="VirtualAccount">%%1843</Data>
<DataName="TargetLinkedLogonId">0x0</Data>
<DataName="ElevatedToken">%%1842</Data>
</EventData>
</Event>-
<Event
xmlns="http://schemas.microsoft.com/win/2004/08/events/event">-
<System>
<ProviderName="ServiceControlManager"Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}"EventSourceName="ServiceControlManager"/>
<EventIDQualifiers="16384">7045
</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreatedSystemTime="2023-05-08T22:04:15.0831494Z"/>
<EventRecordID>1033</EventRecordID>
<Correlation/>
<ExecutionProcessID="880"ThreadID="968"/>
<Channel>System</Channel>
<Computer>WKS10-01.hlab.com</Computer>
<SecurityUserID="S-1-5-21-3829912423-625253200-3062624365-1105"/>
</System>-
<EventData>
<DataName="ServiceName">Mynewservice</Data>
<DataName="ImagePath">c:\temp\example.exe</Data>
<DataName="ServiceType">usermodeservice</Data>
<DataName="StartType">autostart</Data>
<DataName="AccountName">LocalSystem</Data>
</EventData>
</Event>✅
Windows Vista
✅
Server 2003
❌
Windows XP
❌