Windows Security Log Event ID 4697

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Category
 • Subcategory
System
 • Security System Extension
Type Success
Corresponding events
in Windows 2003
and before
601  
Discussions on Event ID 4697
Regd: A Service was installed in the system.
Windows Server 2012 Security Log Event
cannot find service installed(4697) event not in security log

4697: A service was installed in the system

On this page

A new service was installed by the user indicated in the subject.  Subject often identifies the local system (SYSTEM) for services installed as part of native Windows components and therefore you can't determine who actually initiated the installation.

This is a key change control event as new services are significant extensions of the software running on a server and the roles it performs.

Free Security Log Resources by Randy

Description Fields in 4697

Subject:

The user and logon session that performed the action.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Service Information:

  • Service Name: the internal system name of the new service.Use "sc query" to get a cross reference of service names and their more familiar display names. Service Name: The short system name of the serviceSerfice File Name:  Executable and parameters used to start the serviceService Type:

    Service Type   Description
    0x1 SERVICE_KERNEL_DRIVER Driver service
    0x2 SERVICE_FILE_SYSTEM_DRIVER File system driver service
    0x4 SERVICE_ADAPTER Reserved
    0x8 SERVICE_RECOGNIZER_DRIVER Reserved
    0x10 SERVICE_WIN32_OWN_PROCESS Service that runs in its own process
    0x20 SERVICE_WIN32_SHARE_PROCESS Service that shares a process with one or more other services
    0x110 SERVICE_INTERACTIVE_PROCESS
    SERVICE_WIN32_OWN_PROCESS
    Same as 0x10 but allowed to interact with desktop
    0x120 SERVICE_INTERACTIVE_PROCESS
    SERVICE_WIN32_SHARE_PROCESS
    Same as 0x20 but allowed to interact with desktop
  • Service Start Type:

    0 SERVICE_BOOT_START A device driver started by the system loader. This value is valid only for driver services
    1 SERVICE_SYSTEM_START A device driver started by the IoInitSystem function. This value is valid only for driver services
    2 SERVICE_AUTO_START A service started automatically by the service control manager during system startup
    3 SERVICE_DEMAND_START Manual startup
    4 SERVICE_DISABLED Disabled service
  • Service Account: this is the account that the service runs under. While this event only monitors new services, you can audit existing service related events such as starts, stops and modifications with the Object Access category. To enable auditing on a service you can use a Security Template or the subinacl (resource kit) command.

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 4697

A service was installed in the system.

Subject:

Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Service Information:

Service Name: simptcp
Service File Name: %SystemRoot%\System32\tcpsvcs.exe
Service Type: 0x20
Service Start Type: 2
Service Account: NT AUTHORITY\LocalService

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources