EventPeeker
Event ID 4697 · Audit Success · Security · T1543.003

Windows Event ID 4697: Service Installed in Service Control Manager

Logged in the Security log when a new service is installed in the Service Control Manager. It complements System log Event ID 7045: both events record the same service installation, but they are written to different logs and are controlled differently. 4697 is only generated when the 'Audit Security System Extension' subcategory (Advanced Audit Policy, System category) is enabled for Success; 7045 is written by the Service Control Manager to the System log by default and is not governed by the Security audit policy. Do not assume one implies the other: a host with the subcategory disabled produces 7045 but no 4697, and an attacker who clears the System log still leaves the 4697 in the Security log (and vice versa).

MITRE ATT&CK

Technique

T1543.003 · Windows Service

Tactic

Persistence

View on attack.mitre.org →

Why It Matters

Services are one of the most durable persistence mechanisms on Windows: they survive reboots, run as LocalSystem by default (or any account the installer chooses), and can be configured to restart automatically on failure. Attackers and post-exploitation frameworks (Metasploit, Impacket's psexec.py, Cobalt Strike) install services to execute payloads, establish C2 communication, and maintain access. PsExec creates a service named PSEXESVC to execute remote commands. Impacket's psexec.py and Metasploit's psexec module generate short random alphabetic service names (typically 4 to 8 characters) for the same purpose. Legitimate service installations from enterprise software almost always run from Program Files or Windows; a service binary in Temp, a user profile (including AppData), or on a UNC path is very rarely legitimate and should be escalated, while ProgramData is used by some legitimate agents and deserves a closer look rather than an automatic verdict.

Key Fields

Service Name: The internal SCM name. Random alphabetic strings (4–8 characters, the psexec.py/Metasploit default), names mimicking built-in services (WindowsUpdate, WinDefend2, Spooler_svc), and PSEXESVC (PsExec remote execution) are suspicious.
Service File Name: The full command line for the service binary, recorded exactly as passed to CreateService, so environment variables such as %SystemRoot% may appear unexpanded. This is the most important field. Legitimate services run from C:\Windows\ or C:\Program Files\. Red flags: C:\Windows\Temp\, C:\Users\, AppData\, ProgramData\, UNC paths (\\attacker\share\payload.exe), or cmd.exe /c and powershell.exe -enc embedded as the service command.
Service Type: 0x10 = own process (standard executable); 0x20 = shared process (svchost-style); 0x110 = interactive own process (deprecated, unusual). Kernel driver (0x1) or file system driver (0x2) services from unexpected sources indicate rootkit or malicious driver installation.
Service Start Type: 0x2 = Auto (starts at boot, high persistence); 0x3 = Manual (on demand); 0x4 = Disabled. 0x0 (Boot) and 0x1 (System) apply to drivers. Attackers prefer Auto for maximum persistence; one-shot remote execution tooling (PsExec, psexec.py) creates demand-start services.
Service Account: The account the service runs as. LocalSystem is the default when the installer specifies none, and is what most malicious installs use.
Subject Account Name: Who installed the service. SYSTEM, a known deployment account, or an IT management tool is expected. A standard user account, a service account not involved in software deployment, or an unexpected domain account is suspicious.

Investigation Tips

  1. Path is the fastest triage signal: legitimate enterprise services run from C:\Windows\, C:\Program Files\, or C:\Program Files (x86)\. A 4697 whose Service File Name points to C:\Windows\Temp\, C:\Users\ (including AppData\), or a network UNC path is very rarely legitimate and should be escalated immediately. ProgramData is used by some legitimate agents, so treat it as a strong signal rather than a verdict. The field is the unexpanded command line, so %SystemRoot%\ is the same location as C:\Windows\.
  2. PsExec pattern: Service Name = PSEXESVC, Service File Name = %SystemRoot%\PSEXESVC.exe (i.e. C:\Windows\PSEXESVC.exe), Start Type 0x3. This is PsExec's remote execution mechanism. Legitimate admin use is possible, but unexpected occurrences (especially from non-admin workstations or at unusual hours) should be investigated.
  3. Metasploit/psexec.py pattern: random 4–8 character Service Name (e.g. XkBp, mnOQ), Service File Name often pointing to a UNC path, a Temp directory, or a random-named executable dropped into C:\Windows\ through the ADMIN$ share, and a short lifetime (service created, used, deleted within seconds). 4697 records only the installation, so the service having already vanished when you look is itself a tell. Alert on any service with a random-looking name.
  4. Command-embedded services: a Service File Name containing cmd.exe /c, powershell.exe -EncodedCommand, or wscript.exe indicates the 'service' is actually a command execution wrapper; the attacker is running a command disguised as a service.
  5. Correlate with 4688: when the service was installed locally, the process that called CreateService() appears in a 4688 event shortly before the 4697 (newer Windows builds also carry the client process id in the 4697 itself). This shows the attack chain, i.e. what executed to install the service. For a remote installation over the SCM RPC interface (PsExec, psexec.py), the caller is services.exe acting on behalf of a network logon and there is no local 4688 for the client, so pivot on the Subject Logon ID to the matching 4624 (Logon Type 3, with a source IP) instead.
  6. Service Start Type 0x2 (Auto-start) in a suspicious path = durable persistence that survives reboots. Treat this as a critical finding requiring immediate isolation of the affected host.

Related Event IDs

7045: New service installed. System log equivalent written by the Service Control Manager; check both logs, since 4697 depends on audit policy and an attacker may clear only one of them.
4688: Process creation. The process that called CreateService() when the install was local; there is no local 4688 for the client when the service was created remotely over SCM RPC.
4624: Logon event. The 4697's Subject Logon ID equals the 4624's Target Logon ID; use it to establish who installed the service and from where (Logon Type 3 with a source IP means a remote install).
1102: Audit log cleared. Attackers often clear logs after installing a service for persistence.
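The Subject Logon ID pivot from the list above, written out as an added example (not EventPeeker's own code). It assumes the flattened {EventID, TimeCreated, EventData fields} dict form a log shipper typically emits; the 4624/4697/1102 field names are the real ones, while the users, hosts, IPs, logon ids, timestamps and the 30-minute window for a following 1102 are constructed assumptions.

```python
"""Pivoting from a 4697 to the logon session that installed the service (added example)."""
from datetime import datetime, timedelta

# Constructed records; real EventData names, made-up values.
EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-05-01T02:14:03Z", "TargetUserName": "jdoe",
     "TargetLogonId": "0x3E7A12", "LogonType": "3", "IpAddress": "10.10.5.23",
     "WorkstationName": "LAPTOP-17", "AuthenticationPackageName": "NTLM"},
    {"EventID": 4697, "TimeCreated": "2024-05-01T02:14:05Z", "SubjectUserName": "jdoe",
     "SubjectLogonId": "0x3E7A12", "ServiceName": "PSEXESVC",
     "ServiceFileName": "%SystemRoot%\\PSEXESVC.exe", "ServiceStartType": "0x3"},
    {"EventID": 1102, "TimeCreated": "2024-05-01T02:16:40Z", "SubjectUserName": "jdoe"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T07:59:50Z", "TargetUserName": "svc_deploy",
     "TargetLogonId": "0x1A2B3C", "LogonType": "2", "IpAddress": "-",
     "WorkstationName": "WS01", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4697, "TimeCreated": "2024-05-01T08:00:10Z", "SubjectUserName": "svc_deploy",
     "SubjectLogonId": "0x1A2B3C", "ServiceName": "ContosoAgent",
     "ServiceFileName": "\"C:\\Program Files\\Contoso\\agent.exe\"", "ServiceStartType": "0x2"},
]

LOG_CLEAR_WINDOW = timedelta(minutes=30)  # assumption: how soon after install a 1102 counts


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def correlate_4697(events: list[dict]) -> list[dict]:
    """For each 4697, attach the originating 4624 and flag a 1102 that follows shortly after.

    The join key is 4697.SubjectLogonId == 4624.TargetLogonId (the session the 4624 created,
    not the Subject of the 4624). Logon ids are hex strings; compare them case-insensitively.
    A missing 4624 (None fields) usually means the session predates log retention.
    """
    logons = {e["TargetLogonId"].lower(): e for e in events if e["EventID"] == 4624}
    clears = [parse_time(e["TimeCreated"]) for e in events if e["EventID"] == 1102]
    rows = []
    for e in events:
        if e["EventID"] != 4697:
            continue
        installed = parse_time(e["TimeCreated"])
        logon = logons.get(e["SubjectLogonId"].lower())
        rows.append({
            "service": e["ServiceName"],
            "installed_by": e["SubjectUserName"],
            "logon_type": logon["LogonType"] if logon else None,
            "source_ip": logon["IpAddress"] if logon else None,
            "source_host": logon["WorkstationName"] if logon else None,
            # Logon Type 3 = network logon: the service was created over SCM RPC from
            # source_ip, so do not expect a local 4688 for the client process.
            "remote_install": bool(logon) and logon["LogonType"] == "3",
            "log_cleared_after": any(installed <= c <= installed + LOG_CLEAR_WINDOW
                                     for c in clears),
        })
    return rows


if __name__ == "__main__":
    for row in correlate_4697(EVENTS):
        print(row)
```

On a real host the same join is done with the Security log alone: filter 4624 on TargetLogonId equal to the 4697's SubjectLogonId, then read LogonType, IpAddress and WorkstationName from the match.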

Full Detection Guide Available

This event ID has a full detection guide with investigation steps, remediation advice, and example log entries.

View full guide for Event ID 4697

See Event ID 4697 in your logs

Upload a Windows Event Log (.evtx) file. EventPeeker automatically detects Event ID 4697 service-installation patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.

Analyze EVTX Logs Free →