Event ID 4697: A service was installed in the system.
| Field | Value |
|---|---|
| Description | This event is generated when a new service is installed on the system. |
| Subcategory | Audit Security System Extension |

This event logs the following information:
Reasons to monitor this event:
- We recommend monitoring this event, especially on high-value assets, because a new service installation should be planned and expected. An unexpected service installation should trigger an alert.
- Monitor all events where the "Service File Name" is not located under %windir% or under Program Files / Program Files (x86). New services are typically installed in these folders, so a binary elsewhere (a user profile, a temp folder, a network share) deserves a closer look. Note that a path inside %windir% is not proof of legitimacy: an attacker with administrative rights can drop a binary there, and a service hosted by svchost.exe loads its code from a separate ServiceDll.
- Report all events where "Service Type" equals 0x1 (kernel driver), 0x2 (file system driver) or 0x8 (recognizer driver). These service types start first and have almost unlimited access to the operating system from the beginning of startup. They are very rarely installed.
- Report all events where "Service Start Type" equals 0 (Boot) or 1 (System). These start types are used by drivers, which have unlimited access to the operating system.
- Report all events where "Service Start Type" equals 4 (Disabled). It is not common to install a new service in the disabled state.
- Report all events where "Service Account" is not "localSystem", "localService" or "networkService", to identify services that run under a user account.
- ADAudit Plus offers process-tracking reports that log every attempt to install a service.
- These reports record the type of service, the file from which the service was started, and details of how it was started.
- With ADAudit Plus you can find out who installed a service on any server in the domain, along with the domain controller on which it was installed and when.
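The following PowerShell script is an added example, not code from this page or from ADAudit Plus. It reads 4697 events from the local Security log and applies the five monitoring rules above to each one. It assumes the EventData field names used by the Windows 10 / Server 2016 event schema (SubjectUserName, SubjectDomainName, ServiceName, ServiceFileName, ServiceType, ServiceStartType, ServiceAccount); the function names are mine, and the trusted-folder list is built from the environment variables of the machine the script runs on.

```powershell
# Added example: triage Event ID 4697 against the monitoring rules above.
# Assumes the 4697 EventData field names of Windows 10 / Server 2016.
$TrustedRoots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
$BuiltInAccounts = @('localSystem', 'localService', 'networkService')

function Get-EventField {
    # Pull one <Data Name="..."> value out of the event's XML rendering.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-ServiceBinaryPath {
    # "Service File Name" may carry arguments and environment variables, e.g.
    #   "C:\Windows\system32\svchost.exe" -k netsvcs   or   %SystemRoot%\drv\x.sys
    # Expansion uses this machine's variables (assumption: same layout as the host).
    param([string]$FileName)
    $expanded = [Environment]::ExpandEnvironmentVariables($FileName.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-ServiceInstallFindings {
    # Returns one object per event; Findings lists every rule the event tripped.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml       = [xml]$Record.ToXml()
    $fileName  = Get-EventField $xml 'ServiceFileName'
    $type      = [int](Get-EventField $xml 'ServiceType')       # hex string, e.g. "0x10"
    $startType = [int](Get-EventField $xml 'ServiceStartType')  # decimal string, e.g. "2"
    $account   = Get-EventField $xml 'ServiceAccount'
    $findings  = @()

    # Rule 1: binary outside %windir% / Program Files
    $binary = Get-ServiceBinaryPath $fileName
    $inTrusted = $TrustedRoots | Where-Object { $binary.StartsWith($_, 'OrdinalIgnoreCase') }
    if (-not $inTrusted) { $findings += "binary outside %windir% / Program Files: $binary" }

    # Rule 2: kernel driver (0x1), file system driver (0x2), recognizer driver (0x8)
    if ($type -in 0x1, 0x2, 0x8) { $findings += ('driver service type 0x{0:X}' -f $type) }

    # Rule 3: Boot (0) or System (1) start; Rule 4: installed Disabled (4)
    if ($startType -in 0, 1) { $findings += "boot/system start type $startType" }
    if ($startType -eq 4)    { $findings += 'installed in Disabled state' }

    # Rule 5: not one of the built-in service accounts (comparison is case-insensitive)
    if ($account -notin $BuiltInAccounts) { $findings += "runs as user account '$account'" }

    [pscustomobject]@{
        Time        = $Record.TimeCreated
        Computer    = $Record.MachineName
        Installer   = (Get-EventField $xml 'SubjectDomainName') + '\' +
                      (Get-EventField $xml 'SubjectUserName')
        ServiceName = Get-EventField $xml 'ServiceName'
        FileName    = $fileName
        Findings    = $findings
    }
}

# Run as an administrator: reading the Security log requires elevated rights.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4697 } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ServiceInstallFindings $_ } |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List
```

Every event with at least one finding is printed together with the installing user and the raw file name, so an analyst can tell the rule that fired from the event itself. The path rule is the noisiest of the five: anything under the trusted roots passes, so pair it with the other rules (or with a hash or signature check on the binary) rather than treating it as sufficient on its own.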
Event 4697 applies to the following operating systems:
- Windows Server 2008 R2 and Windows 7
- Windows Server 2012 R2 and Windows 8.1
- Windows Server 2016 and Windows 10