# Event ID 7045: Service Installed
This event, logged to the `System` channel, is produced when a new service is installed on the system.
## Analysis Value
{% content-ref url="../../../artifacts-by-activity/account-activity/security-identifier" %}
[security-identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier)
{% endcontent-ref %}
{% content-ref url="../../../artifacts-by-activity/file-activity/file-path" %}
[file-path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path)
{% endcontent-ref %}
## Operating System Availability
| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11 | ✅ | Server 2019 | ✅ |
| Windows 10 | ✅ | Server 2016 | ✅ |
| Windows 8 | ✅ | Server 2012 | ✅ |
| Windows 7 | ✅ | Server 2008 | ✅ |
| Windows Vista | ✅ | Server 2003 | ❌ |
| Windows XP | ❌ | | |
## Artifact Location(s)
* `%SystemRoot%\System32\Winevt\Logs\System.evtx`
## Artifact Interpretation
| Field | Interpretation | Reference |
| ------------------------ | ----------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| `System/Security/UserID` | This field provides the SID of the account that installed the new service. | [security-identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier "mention") |
| `EventData/ImagePath` | This field provides the full path to the executable that will be run when the new service is started. | [file-path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path "mention") |
{% hint style="info" %}
There is no indication from this event alone that it was installed locally on the system itself, and services may be installed remotely leveraging utilities such as `sc.exe`. In the event that the new service was installed remotely, as [evtx-4624-successful-logon](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon "mention") event may be logged before the new service is installed with a `LogonType` of 3.
{% endhint %}
## Example
In the following example, the following command was executed on a domain controller:
```
sc.exe \\WKS10-01 create mynewservice binpath= c:\temp\example.exe start= auto displayname= "My new service"
```
This installed a new service on the system WKS10-01, generating the following [evtx-4624-successful-logon](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon "mention") event:
```
-
-
4624
2
0
12544
0
0x8020000000000000
9719
Security
WKS10-01.hlab.com
-
S-1-0-0
-
-
0x0
S-1-5-21-3829912423-625253200-3062624365-1105
mvanburanadm
HLAB0xe4d79
3
NtLmSsp
NTLM
HLDC01-WS2K19
{00000000-0000-0000-0000-000000000000}
-
NTLMV2
128
0x0
-
172.16.100.10
49757
%%1833
-
-
-
%%1843
0x0
%%1842
```
As well as the following [evtx-7045-service-install](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/system/evtx-7045-service-install "mention") event in the `System` channel:
```
-
-
7045
0
4
0
0
0x8080000000000000
1033
System
WKS10-01.hlab.com
-
Mynewservice
c:\temp\example.exe
usermodeservice
autostart
LocalSystem
```
This example was produced on Windows 10, Version 10.0.19044 Build 19044