Event ID 4697: a service was installed (and why it beats 7045)
The Security-log record of service installation — how 4697 differs from System 7045, the fields that expose malicious services and PsExec-style lateral movement, and why it's the more reliable of the two.
Service creation is a workhorse technique for both persistence and lateral movement (PsExec and its many clones install a temporary service to run a payload as SYSTEM). Most analysts reach for System log 7045 to catch it — but there is a second, often better record: Security Event ID 4697. Knowing both, and when each fires, closes a common blind spot.
4697 vs 7045
They record the same act from different subsystems:
| 7045 | 4697 | |
|---|---|---|
| Log | System | Security |
| Source | Service Control Manager | Security auditing |
| Always on? | Yes (default) | Needs Audit Security System Extension |
| Tampering | cleared with the System log | cleared with the Security log, but forwarded separately |
The practical upshot: check both. 7045 is on by default so it's usually present; 4697 requires auditing but, when enabled, lives in the Security log that you're already collecting and forwarding for logon analysis. An attacker who clears one log may leave the other intact.
Reading 4697
The high-value fields:
ServiceName— the service's name. Random strings, single characters, or names mimicking legitimate services are flags (PsExec-style tools often use random or tool-specific names likePSEXESVC).ServiceFileName— the command line / binary path. This is the payload, and the most important field: look forcmd.exe /c,powershell -enc, paths in%TEMP%/%ADMIN$%, or a binary copied toC:\Windows\with an odd name.ServiceType—0x10(own process) is typical; kernel drivers (0x1) installed as services are a BYOVD signal.ServiceStartType—auto startmeans persistence across reboots;demand startis more typical of run-once lateral movement.ServiceAccount— usuallyLocalSystemfor attacker services (they wantSYSTEM).SubjectUserName/SubjectLogonId— who installed it; tie to the logon.
The patterns to hunt
- PsExec-style lateral movement. A service installed by a network logon (4624 type 3), with a random
ServiceName,demandstart, running a command, then often removed shortly after. Frequently preceded by access to theADMIN$share (5140). - Persistence services.
autostart,ServiceFileNamepointing at a dropped binary or script — survives reboot. - Script-host / LOLBin payloads in
ServiceFileName—powershell,cmd /c,rundll32. - Driver services (
ServiceType 0x1) loading unsigned.sys— cross-check Code Integrity 3076/3077. - Install-then-delete around an activity window — run-and-clean lateral movement.
Correlate the lateral-movement chain
4624 type 3 network logon from another host (the source)
5140 ADMIN$ / IPC$ share accessed
4697 / 7045 service installed, ServiceFileName = the payload
4688 / Sysmon 1 the SYSTEM process the service spawned
That sequence — remote logon → admin share → service install → SYSTEM execution — is the classic remote-exec footprint. The source IP from the 4624 tells you where the operator came from; chain it with the lateral-movement guide.
Hunt checklist
- Check both 4697 (Security) and 7045 (System).
- Read
ServiceFileNamefor command lines, encoded payloads, and odd paths. - Flag random/short
ServiceNames,LocalSystemaccount, and driver-type services. - Correlate to the installing logon and to ADMIN$ access (5140).
- Look for install-then-delete and
auto-start persistence.
Load the Security (and System) logs in the browser parser, filter to 4697/7045, and read ServiceFileName. Full ID set in the cheat sheet.