Windows Event ID 4697 – Security-Auditing: A Service Was Installed on the System

Event ID 4697 fires when a new Windows service is installed on the system. This security audit event helps track service installations for compliance and security monitoring purposes.

Emanuel DE ALMEIDA
18 March 2026 · 12 min read

What This Event Means

Windows Event ID 4697 represents a critical security audit point that tracks service installations across Windows systems. When Windows detects a new service being registered in the Service Control Manager (SCM), it generates this event to provide administrators with visibility into system modifications that could impact security posture.

The event contains comprehensive details about the installed service, including the service name, display name, executable path, service type (kernel driver, file system driver, Win32 service, etc.), start type (automatic, manual, disabled), and the security context under which the service will run. This information proves invaluable when investigating potential security incidents or conducting compliance audits.

In modern Windows environments, this event has become increasingly important due to the prevalence of advanced persistent threats (APTs) and malware that leverage service installation for persistence. Attackers often install malicious services to maintain access to compromised systems, making Event ID 4697 a key indicator for security operations centers (SOCs) and incident response teams.

The event also captures legitimate administrative activities, such as software installations, Windows updates, and system maintenance tasks that require service creation. This dual nature makes proper filtering and analysis crucial for effective security monitoring without overwhelming administrators with false positives.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025

Possible Causes

  • Installation of new software applications that include Windows services
  • Manual service creation using sc.exe command-line tool
  • PowerShell service creation using New-Service cmdlet
  • Windows Update installing system services or drivers
  • Third-party software installers registering background services
  • Malware or potentially unwanted programs (PUPs) installing persistence mechanisms
  • System administrators deploying enterprise software with service components
  • Device driver installations that register as kernel services
  • Group Policy-driven software deployment creating services
  • Remote service installation via WMI or PowerShell remoting
Troubleshooting Steps

01 – Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4697 to understand what service was installed and by whom.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs → Security
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 4697 in the Event IDs field and click OK
  5. Double-click on recent Event ID 4697 entries to examine details
  6. Review key fields in the event details:
    • Subject: Shows the user account that installed the service
    • Service Name: The internal service name
    • Service File Name: Full path to the service executable
    • Service Type: Type of service (Win32, kernel driver, etc.)
    • Service Start Type: How the service starts (automatic, manual, disabled)
  7. Cross-reference suspicious service paths with known malware indicators
  8. Document any services installed from unusual locations like temp directories or user profiles
Pro tip: Pay special attention to services installed from %TEMP%, %APPDATA%, or other user-writable locations, as these often indicate malicious activity.
02 – Query Events Using PowerShell

Use PowerShell to programmatically query and analyze Event ID 4697 across multiple systems or time periods.

  1. Open PowerShell as Administrator
  2. Query recent service installation events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4697} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events by specific time range:
    $StartTime = (Get-Date).AddDays(-7)
    $EndTime = Get-Date
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4697; StartTime=$StartTime; EndTime=$EndTime}
  4. Extract detailed service information:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4697} -MaxEvents 10 | ForEach-Object {
        $Event = [xml]$_.ToXml()
        # Read EventData fields by their Name attribute. 4697 lists them as SubjectUserSid, SubjectUserName,
        # SubjectDomainName, SubjectLogonId, ServiceName, ServiceFileName, ServiceType, ServiceStartType,
        # ServiceAccount, so positional indexing that starts at Data[5] is off by one.
        $Data = @{}
        foreach ($d in $Event.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            TimeCreated      = $_.TimeCreated
            ServiceName      = $Data['ServiceName']
            ServiceFileName  = $Data['ServiceFileName']
            ServiceType      = $Data['ServiceType']       # 0x10 own process, 0x20 share process, 0x1 kernel driver, 0x2 FS driver
            ServiceStartType = $Data['ServiceStartType']  # 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
            ServiceAccount   = $Data['ServiceAccount']
            InstalledBy      = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])"
        }
    }
  5. Export results for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4697} | Export-Csv -Path "C:\Temp\ServiceInstalls.csv" -NoTypeInformation
Warning: Large environments may generate thousands of these events. Use appropriate time filters to avoid performance issues.
03 – Investigate Service Legitimacy

Verify whether installed services are legitimate by examining their properties and digital signatures.

  1. List all services and their executable paths:
    Get-WmiObject -Class Win32_Service | Select-Object Name, DisplayName, PathName, StartMode, State | Sort-Object Name
  2. Check digital signatures of service executables:
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        # PathName may be quoted ("C:\Program Files\X\svc.exe" -arg) or unquoted with arguments;
        # take the quoted portion if present, otherwise the first whitespace-delimited token.
        # Stripping quotes and splitting on spaces, as before, breaks every path that contains a space.
        $ServicePath = if ($_.PathName -match '^\s*"([^"]+)"') { $Matches[1] } else { ([string]$_.PathName -split '\s+')[0] }
        if ($ServicePath -and (Test-Path -LiteralPath $ServicePath)) {
            $Signature = Get-AuthenticodeSignature -FilePath $ServicePath
            [PSCustomObject]@{
                ServiceName       = $_.Name
                ExecutablePath    = $ServicePath
                SignatureStatus   = $Signature.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                SignerCertificate = $Signature.SignerCertificate.Subject
            }
        }
    }
  3. Examine service properties in Services console:
    • Open services.msc
    • Locate the service mentioned in Event ID 4697
    • Right-click and select Properties
    • Review the General, Log On, and Dependencies tabs
    • Check if the service runs under a privileged account
  4. Verify service executable location and properties:
    $ServiceName = "SuspiciousService"
    $Service = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    # Take the quoted path if present, otherwise the first token (arguments may follow the executable)
    $ExecutablePath = if ($Service.PathName -match '^\s*"([^"]+)"') { $Matches[1] } else { ([string]$Service.PathName -split '\s+')[0] }
    Get-Item -LiteralPath $ExecutablePath | Select-Object Name, VersionInfo, CreationTime, LastWriteTime
  5. Cross-reference with threat intelligence databases or submit suspicious files to VirusTotal
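As an added example (not code from the original article), here is a triage function that combines the checks from steps 01 to 03: it reads a 4697 record by field name, decodes the ServiceType and ServiceStartType codes, flags a binary in a user-writable location, and checks the Authenticode signature when the file is on disk. The function name, the path pattern and the sample record are my own constructions; the live query at the end needs an elevated Windows PowerShell session.

```powershell
# Added example, not from the original article: triage Event ID 4697 records with the checks
# described in steps 01-03. Assumes Windows PowerShell 5.1; the live query needs an elevated session.
$ServiceTypeNames = @{ '0x1'='Kernel driver'; '0x2'='File system driver'; '0x10'='Win32 own process'; '0x20'='Win32 share process' }
$StartTypeNames   = @{ '0'='Boot'; '1'='System'; '2'='Automatic'; '3'='Manual'; '4'='Disabled' }
# Locations a standard user can write to: a service binary here is the "unusual location" signal from step 01
$UserWritablePattern = '(?i)\\(Temp|Users|ProgramData|AppData|Downloads|Public)\\'
function Decode([hashtable]$Map, $Code) { if ($Map.ContainsKey([string]$Code)) { $Map[[string]$Code] } else { $Code } }

function ConvertFrom-ServiceInstallEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Read EventData by Name attribute; positional indexing breaks when the field layout differs
    $f = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    # ServiceFileName may carry arguments, quoted ("C:\a b\x.exe" -k) or not (C:\dir\x.exe -k)
    $raw = [string]$f['ServiceFileName']
    $exe = if ($raw -match '^\s*"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $reasons = @()
    if ($exe -match $UserWritablePattern) { $reasons += 'binary in user-writable location' }
    if ($f['ServiceType'] -in @('0x1', '0x2')) { $reasons += 'kernel-mode driver' }
    # An auto-start LocalSystem service registered by something other than SYSTEM (S-1-5-18) deserves a look
    if ($f['SubjectUserSid'] -ne 'S-1-5-18' -and $f['ServiceAccount'] -ieq 'LocalSystem' -and $f['ServiceStartType'] -eq '2') {
        $reasons += 'auto-start LocalSystem service installed by a non-SYSTEM account'
    }
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    } else { $reasons += 'binary not found on disk' }
    [PSCustomObject]@{
        Time        = $EventXml.Event.System.TimeCreated.SystemTime
        ServiceName = $f['ServiceName']
        Executable  = $exe
        Type        = Decode $ServiceTypeNames $f['ServiceType']
        StartType   = Decode $StartTypeNames $f['ServiceStartType']
        RunsAs      = $f['ServiceAccount']
        InstalledBy = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
    }
}

# Constructed sample record (field layout as documented for 4697) so the parser can be exercised offline
$Sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4697</EventID><TimeCreated SystemTime="2026-03-18T09:15:00.000Z"/></System>
<EventData><Data Name="SubjectUserSid">S-1-5-21-1-2-3-1001</Data><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="SubjectLogonId">0x3e7</Data><Data Name="ServiceName">UpdaterSvc</Data><Data Name="ServiceFileName">"C:\Users\jdoe\AppData\Local\Temp\upd.exe" -svc</Data>
<Data Name="ServiceType">0x10</Data><Data Name="ServiceStartType">2</Data><Data Name="ServiceAccount">LocalSystem</Data></EventData></Event>
'@
ConvertFrom-ServiceInstallEvent -EventXml ([xml]$Sample) | Format-List

# Live triage of the last 50 service installs on this host
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4697} -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-ServiceInstallEvent -EventXml ([xml]$_.ToXml()) } |
    Where-Object Suspicious | Format-Table Time, ServiceName, Executable, InstalledBy, Reasons -AutoSize
```

The sample record is flagged on three counts (temp-directory binary, auto-start LocalSystem service registered by a regular user, file absent), which is the pattern the Pro tip in step 01 describes.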
04 – Configure Advanced Auditing and Monitoring

Set up comprehensive monitoring to track service installations across your environment proactively.

  1. Enable advanced security auditing via Group Policy:
    • Open Group Policy Management Console
    • Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration
    • Expand System Audit Policies → System
    • Configure Audit Security System Extension to Success and Failure
  2. Create custom Event Viewer views for service monitoring:
    • In Event Viewer, right-click Custom Views and select Create Custom View
    • Set Event level to Information, Warning, and Error
    • Enter 4697 in Event IDs field
    • Name the view "Service Installations" and save
  3. Set up PowerShell-based monitoring script:
    # Create monitoring script: react to Win32_Service instance creation (WMI polls every 5 s)
    # and log the details of the matching Event ID 4697 record to the Application log
    $ScriptContent = @'
    if (-not [System.Diagnostics.EventLog]::SourceExists('ServiceMonitor')) {
        New-EventLog -LogName Application -Source 'ServiceMonitor'   # Write-EventLog needs a registered source
    }
    $Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Service'"
    Register-WmiEvent -Query $Query -SourceIdentifier 'ServiceCreated' -Action {
        # Inside -Action, $Event is the WMI event itself; do not overwrite it with the audit record
        $NewName = $Event.SourceEventArgs.NewEvent.TargetInstance.Name
        Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4697} -MaxEvents 20 -ErrorAction SilentlyContinue | ForEach-Object {
            $Fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $Fields[$d.Name] = $d.'#text' }
            if ($Fields['ServiceName'] -eq $NewName) {
                Write-EventLog -LogName Application -Source 'ServiceMonitor' -EventId 1001 -EntryType Information `
                    -Message "New service installed: $($Fields['ServiceName']) at $($Fields['ServiceFileName']) by $($Fields['SubjectUserName'])"
            }
        }
    }
    # The subscription lives only as long as this PowerShell session; keep it running (or run the script as a scheduled task)
    while ($true) { Start-Sleep -Seconds 60 }
    '@
    $ScriptContent | Out-File -FilePath "C:\Scripts\ServiceMonitor.ps1"
  4. Configure Windows Event Forwarding (WEF) for centralized collection:
    • Run wecutil qc on collector server
    • Create subscription configuration file
    • Configure source computers to forward security events
  5. Implement SIEM integration for automated alerting on suspicious service installations
Pro tip: Consider implementing application whitelisting solutions like Windows Defender Application Control (WDAC) to prevent unauthorized service installations entirely.
05 – Forensic Analysis and Incident Response

Perform detailed forensic analysis when Event ID 4697 indicates potential security incidents.

  1. Collect comprehensive event correlation data:
    # Gather related security events around service installation time
    $ServiceInstallTime = (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4697} -MaxEvents 1).TimeCreated
    $StartTime = $ServiceInstallTime.AddMinutes(-30)
    $EndTime = $ServiceInstallTime.AddMinutes(30)
    
    # Collect related events
    $RelatedEvents = @(4688, 4689, 4624, 4625, 4648, 4672, 4698, 4699, 4700, 4701, 4702)
    $RelatedEvents | ForEach-Object {
        Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$_; StartTime=$StartTime; EndTime=$EndTime} -ErrorAction SilentlyContinue
    } | Sort-Object TimeCreated
  2. Analyze process creation events leading to service installation:
    # Find process creation events that may have led to service installation
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$StartTime; EndTime=$EndTime} -ErrorAction SilentlyContinue | Where-Object {
        $_.Message -match 'sc\.exe|powershell\.exe|cmd\.exe|msiexec\.exe'   # escape the dots: a bare "." matches any character
    }
  3. Examine registry changes related to service installation:
    • Check HKLM\SYSTEM\CurrentControlSet\Services for the new service key
    • Review service parameters and configuration
    • Look for unusual registry permissions or ownership
  4. Perform file system analysis:
    # Analyze service executable and related files
    $ServiceExecutable = "C:\Path\To\Service.exe"
    Get-ItemProperty -Path $ServiceExecutable | Select-Object *
    Get-FileHash -Path $ServiceExecutable -Algorithm SHA256
    
    # Check for additional files in the same directory
    Get-ChildItem -Path (Split-Path $ServiceExecutable) -Recurse | Select-Object Name, CreationTime, LastWriteTime, Length
  5. Document findings and create incident timeline:
    • Correlate all events with user activities and system changes
    • Identify the attack vector and persistence mechanism
    • Determine scope of compromise and affected systems
    • Prepare remediation plan including service removal and system hardening
  6. Preserve evidence for potential legal proceedings:
    # Export matching events to EVTX format for preservation (quote the path so the date subexpression expands as part of it)
    New-Item -ItemType Directory -Path "C:\Evidence" -Force | Out-Null
    $EvtxPath = "C:\Evidence\Security_$(Get-Date -Format 'yyyyMMdd_HHmmss').evtx"
    wevtutil epl Security $EvtxPath "/q:*[System[EventID=4697]]"
    
    # Preserve a copy of the service executable and record its hash so later tampering is detectable
    Copy-Item -Path $ServiceExecutable -Destination "C:\Evidence\" -Force
    Get-FileHash -Path $ServiceExecutable -Algorithm SHA256 | Export-Csv -Path "C:\Evidence\Hashes.csv" -Append -NoTypeInformation
Warning: During incident response, avoid running suspicious service executables or modifying system state until proper evidence collection is complete.

Overview

Event ID 4697 is a security audit event that fires whenever a new Windows service gets installed on the system. This event appears in the Security log and provides detailed information about the service installation, including the service name, file path, service type, and the account that performed the installation.

This event is particularly valuable for security teams and system administrators who need to track service installations across their environment. Since malicious software often installs itself as a Windows service to maintain persistence, monitoring Event ID 4697 helps detect unauthorized service installations that could indicate compromise or policy violations.

The event fires regardless of whether the service installation was performed through legitimate administrative tools like sc.exe, PowerShell cmdlets, or third-party installers. It captures both interactive installations and automated deployments, making it essential for maintaining an audit trail of system changes in enterprise environments.

Frequently Asked Questions

What does Event ID 4697 mean and why is it important for security?

Event ID 4697 indicates that a new Windows service has been installed on the system. This event is crucial for security because malicious software often installs itself as a Windows service to maintain persistence on compromised systems. By monitoring these events, security teams can detect unauthorized service installations that may indicate malware infections, insider threats, or policy violations. The event provides detailed information about the service name, executable path, and the account that performed the installation, making it valuable for forensic analysis and compliance auditing.

How can I distinguish between legitimate and malicious service installations in Event ID 4697?

To distinguish between legitimate and malicious service installations, examine several key indicators: First, check the service executable path - legitimate services typically install to standard locations like System32 or Program Files, while malicious services often use temp directories or user profiles. Second, verify digital signatures using PowerShell's Get-AuthenticodeSignature cmdlet - legitimate services should be signed by trusted publishers. Third, correlate the installation time with known administrative activities or software deployments. Fourth, examine the installing user account - services installed by system accounts during updates are usually legitimate, while those installed by regular users may warrant investigation. Finally, cross-reference the service name and executable with threat intelligence databases.

Can Event ID 4697 be generated by Windows updates or legitimate software installations?

Yes, Event ID 4697 is commonly generated by legitimate activities including Windows updates, software installations, and administrative tasks. Windows Update frequently installs new services for system components, security updates, and driver installations. Enterprise software deployments, antivirus installations, and system management tools also generate these events. To manage the volume of legitimate events, implement filtering based on known good software publishers, standard installation paths, and scheduled maintenance windows. Consider creating baseline documentation of expected service installations in your environment and focus monitoring on deviations from established patterns.

What PowerShell commands are most effective for analyzing Event ID 4697 across multiple systems?

The most effective PowerShell approach combines Get-WinEvent with custom filtering and remote execution capabilities. Use 'Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4697}' for basic queries, then enhance with XML parsing to extract specific service details. For multiple systems, leverage 'Invoke-Command -ComputerName @('Server1','Server2') -ScriptBlock {}' to execute queries remotely. Create custom objects to structure the output with properties like ServiceName, ServiceFileName, TimeCreated, and InstalledBy. Export results using 'Export-Csv' for analysis in Excel or SIEM tools. Consider using 'Register-WmiEvent' for real-time monitoring and automated alerting on suspicious service installations.

How should I configure auditing policies to ensure Event ID 4697 is properly logged?

To ensure Event ID 4697 is properly logged, configure the 'Audit Security System Extension' policy under Advanced Audit Policy Configuration. Navigate to Group Policy Management Console, then Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies → System. Set 'Audit Security System Extension' to 'Success and Failure' to capture both successful and failed service installations. Additionally, ensure the Security log has sufficient size (recommend at least 100MB) and appropriate retention settings. For enterprise environments, implement Windows Event Forwarding (WEF) to centralize these events on dedicated collector servers. Consider supplementing with 'Audit Process Creation' (Event ID 4688) to capture the processes that install services.

Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
