EventPeeker

Malicious Service Installation — Persistence via Windows Services

Windows services run in the background, start automatically at boot, and commonly execute as LocalSystem, LocalService, or NetworkService. Attackers install malicious services to get code execution that survives reboots and, for an auto-start service running as LocalSystem, runs with full privileges before any user logs on and without a UAC prompt. Creating a service requires local administrator rights, so a new service is also evidence that the attacker already held them. Service processes do appear in process listings, but they blend in with the dozens of legitimate service hosts on a typical machine.

Severity

High

ATT&CK Tactic

Persistence

Common attacker usage

Installing malware as a Windows service for persistent execution · Deploying PsExec, PAExec, or similar remote-execution tools, each of which registers a temporary service on the target · Using sc.exe create, the New-Service PowerShell cmdlet, the CreateService API, or direct writes under HKLM\SYSTEM\CurrentControlSet\Services to install services · Replacing a legitimate service's binary or ImagePath with a malicious one (service hijacking) · Creating services whose names resemble legitimate Windows services to avoid scrutiny

Investigate immediately if

  • Service binary path points to %TEMP%, %APPDATA%, %LOCALAPPDATA%, or another user-writable location
  • Service name closely mimics a known Windows service but with subtle differences
  • Service installed outside of normal business hours or patch windows
  • Service is set to run as LocalSystem when no elevated execution is expected
  • Service installed remotely (on this host, a 4624 logon type 3 from a remote address just before the 7045, or 5140 access to ADMIN$; on the source host, a 4648 explicit-credential logon toward this machine)

MITRE ATT&CK

Technique

T1543.003 · Windows Service

Tactic

Persistence

View on attack.mitre.org →

Security Relevance

Event ID 7045 is written by the Service Control Manager to the System log whenever a service is created through the CreateService API, on every supported Windows version and with no audit policy required, which makes it one of the highest-fidelity persistence indicators available. The Security log equivalent, 4697, requires the Audit Security System Extension subcategory and additionally records the subject account that performed the install. Outside of patch windows and software deployments, new services on a server are rare enough that every one should be attributable to a change record. PsExec lateral movement leaves a PSEXESVC entry on every target. Ransomware families frequently register a service before encrypting. The sequence 7045 (installed), 7036 (started), and 4688 (process created) gives the complete lifecycle of a malicious service. One gap to keep in mind: a service planted by writing its registry key directly, which the SCM only picks up at the next boot, produces no 7045 at all.

Indicators of Malicious Use

  • Service binary path in %TEMP%, %APPDATA%, %LOCALAPPDATA%, C:\Users\*, Public, or Downloads
  • Service name: PSEXESVC, PAExec, RemCom, or single-character/random names
  • Service installed and started within seconds (7045 → 7036 rapid sequence)
  • Service binary that is not digitally signed, or whose signer does not match the product it claims to be
  • New service with a Start Type of auto start to survive reboots (a Service Type of "kernel mode driver" with boot or system start is the driver-loading variant of the same technique)
  • sc.exe, reg.exe, or powershell.exe in 4688 process creation logs around the same time

Example Log Entry

Log Name:           System
Source:             Service Control Manager
Event ID:           7045

Description:
A new service was installed in the system.

Service Name:       WindowsDefenderCheck
Service File Name:  C:\Users\jsmith\AppData\Roaming\svchost32.exe
Service Type:       user mode service
Service Start Type: auto start
Service Account:    LocalSystem

Investigation Steps

  1. Check the service binary path. Legitimate services live in System32, SysWOW64, Program Files, or Program Files (x86) with a valid code signature. Expand environment variables and strip quoting and arguments from the Service File Name before judging it; for svchost.exe -k entries the code that actually runs is the DLL named in the ServiceDll value under the service's Parameters key.
  2. Hash the service binary (Get-FileHash -Algorithm SHA256) and check it against VirusTotal or your threat intel platform; check its signature with Get-AuthenticodeSignature.
  3. Check Event ID 4688 (with command-line auditing enabled) for sc.exe, reg.exe, or powershell.exe in the same time window; the parent of that process shows how the attacker got in.
  4. Check 7036 to see when the service started. If it reports "running" within seconds of 7045, it was started immediately after install, the pattern PsExec-style tools produce.
  5. Check whether the service was installed remotely. On this host, look for a 4624 logon type 3 from a remote address just before the 7045 and for 5140 access to ADMIN$ if a binary was copied; on the suspected source host, look for 4648 explicit-credential logons toward this machine.
  6. Review all services installed in the past 24–72 hours: Get-WinEvent -FilterHashtable @{LogName='System';Id=7045;StartTime=(Get-Date).AddDays(-3)}
  7. Identify the account that installed the service. 7045 does not record the subject account; the matching Security event 4697 does when Audit Security System Extension is enabled. Otherwise pivot from the 4688 for sc.exe to the logon session it belongs to.
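The following script is an added hunting example, not EventPeeker's own code. It walks steps 1 through 4 and 6 in one pass: it reads the last few days of 7045 events, scores each one against the indicator list above (user-writable path, known tool name, short or random name, a Windows-sounding name whose binary sits outside %SystemRoot%, signature status, LocalSystem account) and correlates each install with the first 7036 "running" event for the same service. The path patterns, tool names, name regexes, and the 10-second start window are assumptions for illustration; the 7036 state strings assume an English-language system.

```powershell
# Added hunting example, not EventPeeker's own code. Run in an elevated
# PowerShell on the host under investigation. The path patterns, tool names,
# name heuristics and the 10-second start window are assumptions for
# illustration; tune them to your environment.
param(
    [int]$Days = 3,                # how far back to read 7045 events
    [int]$StartWindowSeconds = 10  # 7045 -> 7036 "running" inside this window = started on install
)

# Directories where a legitimately installed service binary almost never lives.
$SuspiciousPathPatterns = @('\\Users\\', '\\AppData\\', '\\Temp\\', '\\Downloads\\', '\\Public\\')
# Remote-execution helper services from the indicator list above.
$KnownToolNames = @('PSEXESVC', 'PAExec', 'RemCom')

# Pull the bare executable out of an ImagePath that may be quoted, carry
# arguments, use %SystemRoot%-style variables, or start with the \??\ prefix.
function Get-ServiceExecutable {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim()) -replace '^\\\?\?\\', ''
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

$since = (Get-Date).AddDays(-$Days)
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue

# 7036 carries the service display name in param1 and the new state in param2
# ("running"/"stopped" on English-language systems); 7045 logs the same display name.
$starts = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time  = $_.TimeCreated
            Name  = ($x.Event.EventData.Data | Where-Object Name -eq 'param1').'#text'
            State = ($x.Event.EventData.Data | Where-Object Name -eq 'param2').'#text'
        }
    }

$findings = foreach ($ev in $installs) {
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $name = $d['ServiceName']; $account = $d['AccountName']; $startType = $d['StartType']
    $exe = Get-ServiceExecutable $d['ImagePath']
    $reasons = [System.Collections.Generic.List[string]]::new()
    $hash = $null; $sig = $null

    if ($exe -and ($SuspiciousPathPatterns | Where-Object { $exe -match $_ })) { $reasons.Add("binary under user-writable path: $exe") }
    if ($KnownToolNames -contains $name) { $reasons.Add('known remote-execution service name') }
    # 1-2 character names, or 8+ alphanumerics mixing letters and digits with no spaces (e.g. svchost32).
    if ($name -match '^[a-z0-9]{1,2}$' -or $name -match '^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$') { $reasons.Add('short or random-looking service name') }

    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig  = Get-AuthenticodeSignature -FilePath $exe
        $hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
        if ($sig.Status -ne 'Valid') { $reasons.Add("signature status: $($sig.Status)") }
    } elseif ($exe) {
        $reasons.Add('binary no longer on disk')
    }
    # A Windows-sounding name whose binary is outside %SystemRoot% and not validly signed.
    if ($name -match 'svchost|defender|windows|microsoft' -and $exe -and $exe -notlike "$env:SystemRoot\*" -and ($null -eq $sig -or $sig.Status -ne 'Valid')) {
        $reasons.Add('name mimics a Windows component but binary is outside SystemRoot and not validly signed')
    }
    if ($account -eq 'LocalSystem' -and $reasons.Count -gt 0) { $reasons.Add('runs as LocalSystem') }

    # First "running" transition for this service inside the window after the install.
    $started = $starts | Where-Object {
        $_.Name -eq $name -and $_.State -eq 'running' -and $_.Time -ge $ev.TimeCreated -and
        ($_.Time - $ev.TimeCreated).TotalSeconds -le $StartWindowSeconds
    } | Select-Object -First 1
    if ($started) { $reasons.Add("started $([int]($started.Time - $ev.TimeCreated).TotalSeconds)s after install") }

    [pscustomobject]@{
        Time      = $ev.TimeCreated
        Service   = $name
        Binary    = $exe
        Account   = $account
        StartType = $startType
        SHA256    = $hash
        Score     = $reasons.Count
        Reasons   = ($reasons -join '; ')
    }
}

$findings | Sort-Object Score -Descending | Format-Table -AutoSize -Wrap
```

Save it as Hunt-ServiceInstalls.ps1 and run it elevated; pipe $findings to Export-Csv instead of Format-Table when you need to hand the results to a SIEM or a colleague. A Score of zero does not clear a service, it only means none of these cheap heuristics fired; the SHA256 column is there so every entry can still be checked against threat intelligence.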


Common False Positives

  • Legitimate software installers registering new services (antivirus, backup agents, VPN clients)
  • Windows Updates installing new services during patch cycles
  • IT management agents (SCCM client, monitoring tools) installing services
  • Authorized administrative use of PsExec for remote management

Remediation

  • Stop and delete the malicious service: sc.exe stop <name> followed by sc.exe delete <name>, using the short service name (in PowerShell, write sc.exe explicitly; sc alone is an alias for Set-Content). If sc.exe delete reports that the service is marked for deletion, a handle to it is still open and removal completes at the next reboot.
  • Preserve a copy and SHA256 hash of the service binary for analysis, then remove it from disk and run a full AV scan.
  • Confirm the registry key is gone after the reboot: HKLM\SYSTEM\CurrentControlSet\Services\<name>. A key that survives deletion is the service coming back at boot.
  • Rotate credentials for the account used to install the service and for any account that logged on to the host while the service was running as LocalSystem.
  • Enable the Audit Security System Extension subcategory so 4697 records who installed each service, and forward the System log (7045/7036) to your SIEM so new installs are alerted on in real time.
  • Consider using Windows Defender Application Control (WDAC) to restrict which binaries can run as services.
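The script below is an added remediation example, not EventPeeker's own code. It carries out the steps above in the order a responder needs them: capture the service configuration, registry key, binary and hash into a case folder first, then stop and delete the service, handle the "marked for deletion" case, and only then remove the binary. The case folder path C:\IR\evidence is an assumption; the service is addressed by its short (key) name, which can differ from the display name shown in 7045.

```powershell
# Added remediation example, not EventPeeker's own code. Run elevated with the
# service's short (key) name. $EvidenceDir is an assumed case folder; adjust it.
# Evidence is captured before anything is stopped or deleted.
param(
    [Parameter(Mandatory)][string]$ServiceName,
    [string]$EvidenceDir = 'C:\IR\evidence'
)
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$hash = $null

$regKeyNative = "HKLM\SYSTEM\CurrentControlSet\Services\$ServiceName"   # for reg.exe
$regKeyPS     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"  # for the PS provider
$wqlName = $ServiceName -replace "'", "''"                               # keep quotes out of the WQL filter
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$wqlName'"
if (-not $svc) { throw "No service named '$ServiceName' known to the SCM (check $regKeyPS as well)" }

# 1. Preserve configuration, registry key, binary and hash before touching anything.
$svc | Select-Object Name, DisplayName, PathName, StartMode, StartName, State, ProcessId |
    ConvertTo-Json | Set-Content -Path (Join-Path $EvidenceDir "$ServiceName-config.json")
& reg.exe export $regKeyNative (Join-Path $EvidenceDir "$ServiceName.reg") /y | Out-Null

# PathName may be quoted and may carry arguments; take the executable only.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s+')[0] }
$exe = [Environment]::ExpandEnvironmentVariables($exe)
if (Test-Path -LiteralPath $exe) {
    Copy-Item -LiteralPath $exe -Destination (Join-Path $EvidenceDir ("$ServiceName-" + (Split-Path $exe -Leaf) + '.bin'))
    $hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
    Add-Content -Path (Join-Path $EvidenceDir "$ServiceName-hash.txt") -Value "$hash  $exe"
}

# 2. Stop the service; kill the hosting process if it ignores the stop request.
& sc.exe stop $ServiceName | Out-Null
Start-Sleep -Seconds 3
$svcPid = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$wqlName'").ProcessId
if ($svcPid -gt 0) { Stop-Process -Id $svcPid -Force -ErrorAction SilentlyContinue }

# 3. Delete it and confirm the SCM no longer knows it. sc.exe reports the service
#    as marked for deletion when a handle is still open; a reboot finishes the job.
& sc.exe delete $ServiceName | Out-Null
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    Write-Warning "Service '$ServiceName' is still registered (marked for deletion); reboot to complete removal"
}
elseif (Test-Path -Path $regKeyPS) {
    Write-Warning "SCM no longer lists the service but $regKeyPS remains; remove it with Remove-Item -Recurse"
}

# 4. Remove the binary now that a copy and its hash are preserved.
if (Test-Path -LiteralPath $exe) { Remove-Item -LiteralPath $exe -Force }
Write-Output "Evidence written to $EvidenceDir; binary SHA256: $hash"
```

Run it as Remove-MaliciousService.ps1 -ServiceName <name> from an elevated prompt. If the service binary is an svchost.exe -k entry, the file this script preserves is svchost.exe itself; in that case also copy the DLL named in the ServiceDll value under the service's Parameters key before deleting anything.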

Related Event IDs

7036  Service state changed: the service starting after install
4697  A service was installed in the system (Security log): the same install with the subject account that performed it, when Audit Security System Extension is enabled
4688  Process creation: sc.exe, reg.exe, or the service binary itself executing
4624  Logon type 3 from a remote address: the network session a remote install rides on
4648  Explicit credential logon: on the source host, the operator using another account to reach the target
7034  Service crashed: unstable malicious services often crash shortly after start
