Windows System Event: 4697

Active Directory Auditing Tool

The who, where and when of every activity in Active Directory is essential information for an administrator, because it is what lets them tell desired activity from undesired activity. ADAudit Plus supplies this information in the form of reports. Critical resources in the network, such as the Domain Controllers, are audited, monitored and reported on in real time, covering all AD objects (Users, Groups, GPOs, Computers, OUs, DNS, AD Schema and Configuration changes) with 200+ detailed, event-specific GUI reports and email alerts.


Event ID 4697: A service was installed in the system.

Description: This event is generated when a new service is installed on the system.
Category: System
Subcategory: Security System Extension

This event logs the following information:

  • Security ID
  • Account Name
  • Account Domain
  • Logon ID
  • Service name
  • Service file name
  • Service type
  • Service start type
  • Service account

Reasons to monitor this event:

  • We recommend monitoring for this event, especially on high value assets or computers, because a new service installation should be planned and expected. Unexpected service installation should trigger an alert.
  • Monitor all events where the “Service File Name” is not located under %windir% or the “Program Files” / “Program Files (x86)” folders; new services are typically installed in these folders.
  • Report all events where “Service Type” is “0x1”, “0x2” or “0x8”. Services of these types start first and have almost unlimited access to the operating system from the beginning of operating system startup. These types are very rarely installed.
  • Report all events where “Service Start Type” is “0” or “1”. These start types are used by drivers, which have unlimited access to the operating system.
  • Report all events where “Service Start Type” is “4”. It is not common to install a new service in the Disabled state.
  • Report all events where “Service Account” is not “localSystem”, “localService” or “networkService”, to identify services that run under a user account.
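The field list and the monitoring rules above can be turned into a small triage script. The following is an added example, not code from the ADAudit Plus page or the product: it parses 4697 records in the XML shape the Windows Event Log exports (for instance from wevtutil or Get-WinEvent's ToXml()) and flags each record that matches one of the rules. The sample records are constructed, the service and account names in them are invented, and the trusted-folder check assumes the system drive is C:.

```python
"""Triage Windows Security event 4697 (service installed) records against the
monitoring rules above. Added example, not code from the ADAudit Plus page.
Sample records are constructed; %SystemRoot% is assumed to be on drive C:."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# EventData field names as they appear in a 4697 record.
FIELDS = ("SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId",
          "ServiceName", "ServiceFileName", "ServiceType", "ServiceStartType", "ServiceAccount")
TRUSTED_DIRS = (r"c:\windows", r"c:\program files")   # prefix also covers "program files (x86)"
DRIVER_TYPES = {0x1, 0x2, 0x8}      # service types named in the rule above
DRIVER_STARTS = {0, 1}              # start types named in the rule above (boot / system)
BUILTIN_ACCOUNTS = {"localsystem", "localservice", "networkservice"}


def parse_4697(xml_text):
    """Return the 4697 fields as a dict, or None when the record is a different event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4697":
        return None
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    return {f: data.get(f, "") for f in FIELDS}


def image_path(service_file_name):
    """Extract the executable path from a ServiceFileName value, dropping quotes and arguments."""
    s = service_file_name.strip()
    if s.startswith('"'):                       # quoted path: everything up to the closing quote
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    acc = ""                                    # unquoted: join tokens until a binary extension appears
    for tok in s.split():
        acc = tok if not acc else acc + " " + tok
        if acc.lower().endswith((".exe", ".sys", ".dll")):
            return acc
    return s.split()[0] if s else ""


def normalise(path):
    """Lower-case, fix slashes and expand %SystemRoot% / %windir% (assumed to live on drive C:)."""
    p = path.lower().replace("/", "\\")
    for var in ("%systemroot%", "%windir%"):
        if p.startswith(var):
            p = r"c:\windows" + p[len(var):]
    return p


def to_int(value):
    """Parse '0x10' or '2' style field values; -1 when the field is missing or malformed."""
    try:
        return int(value, 0)
    except (TypeError, ValueError):
        return -1


def triage(ev):
    """Apply the monitoring rules to one parsed 4697 event and return a list of findings."""
    findings = []
    path = normalise(image_path(ev["ServiceFileName"]))
    if not any(path.startswith(d) for d in TRUSTED_DIRS):
        findings.append("file outside %windir% / Program Files: " + ev["ServiceFileName"])
    stype, start = to_int(ev["ServiceType"]), to_int(ev["ServiceStartType"])
    if stype in DRIVER_TYPES:
        findings.append("driver service type %#x" % stype)
    if start in DRIVER_STARTS:
        findings.append("boot/system start type %d" % start)
    elif start == 4:
        findings.append("installed in the Disabled state")
    account = ev["ServiceAccount"].rsplit("\\", 1)[-1].lower()   # strip an "NT AUTHORITY\" prefix
    if account not in ("", "-") and account not in BUILTIN_ACCOUNTS:   # drivers log no account
        findings.append("runs under user account " + ev["ServiceAccount"])
    return findings


def _rec(event_id, **fields):
    """Build a constructed event record in Windows Event Log XML shape (sample data only)."""
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            '<EventID>%s</EventID></System><EventData>%s</EventData></Event>' % (event_id, data))


SUBJECT = dict(SubjectUserSid="S-1-5-21-1-2-3-1105", SubjectUserName="jsmith",
               SubjectDomainName="CORP", SubjectLogonId="0x3e7a1")
SAMPLE_EVENTS = [   # constructed sample records, not captured from a real system
    _rec(4697, **SUBJECT, ServiceName="WSearch",
         ServiceFileName=r"%SystemRoot%\system32\SearchIndexer.exe /Embedding",
         ServiceType="0x10", ServiceStartType="2", ServiceAccount="LocalSystem"),
    _rec(4697, **SUBJECT, ServiceName="WinUpdateHelper",
         ServiceFileName=r'"C:\Users\Public\helper.exe" -k run',
         ServiceType="0x10", ServiceStartType="2", ServiceAccount=r"CORP\svc_backup"),
    _rec(4697, **SUBJECT, ServiceName="acmedisk",
         ServiceFileName=r"%SystemRoot%\System32\drivers\acmedisk.sys",
         ServiceType="0x1", ServiceStartType="0", ServiceAccount="-"),
    _rec(4688, **SUBJECT),   # a different event ID, ignored by the triage
]


def triage_records(xml_records):
    """Parse every record; return {ServiceName: findings} for the 4697 events that need a look."""
    flagged = {}
    for rec in xml_records:
        ev = parse_4697(rec)
        if ev is None:
            continue
        findings = triage(ev)
        if findings:
            flagged[ev["ServiceName"]] = findings
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_records(SAMPLE_EVENTS).items():
        print(name + ":", "; ".join(reasons))
```

Run against the samples, the script passes the indexer service silently, reports the service in a user-writable folder running under a domain account, and reports the driver on its type and start type alone. Feeding it real exports is a matter of replacing SAMPLE_EVENTS with the XML strings of your own 4697 records; the account check strips a domain or NT AUTHORITY prefix before comparing, so both spellings of the built-in accounts are accepted.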

Pro tips:

  • ADAudit Plus offers process tracking reports that can log all attempts to install a service.
  • The reports contain the type of service and the file from which the service was started, along with details about how it started.
  • With the help of ADAudit Plus, you can find out who installed a service on any Server in the domain, along with details about which domain controller they installed it on and when they installed it.

Event 4697 applies to the following operating systems:

  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10