Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
• Security System Extension
A service was installed in the system
A new service was installed by the user indicated in the subject. Subject often identifies the local system (SYSTEM) for services installed as part of native Windows components and therefore you can't determine who actually initiated the installation.
This is a key change control event as new services are significant extensions of the software running on a server and the roles it performs.
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
- Service Name: the internal system name of the new service. Use "sc query" to get a cross reference of service names and their more familiar display names.
- Service File Name: executable and parameters used to start the service.
- Service Type:

| Value | Service Type |
|---|---|
| 0x2 | File system driver service |
| 0x10 | Service that runs in its own process |
| 0x20 | Service that shares a process with one or more other services |
| 0x110 | Same as 0x10 but allowed to interact with desktop |
| 0x120 | Same as 0x20 but allowed to interact with desktop |

- Service Start Type:

| Value | Service Start Type |
|---|---|
| 0 | A device driver started by the system loader. This value is valid only for driver services |
| 1 | A device driver started by the IoInitSystem function. This value is valid only for driver services |
| 2 | A service started automatically by the service control manager during system startup |
- Service Account: the account that the service runs under. While this event only reports new services, you can audit existing service-related events such as starts, stops and modifications with the Object Access category. To enable auditing on a service you can use a Security Template or the subinacl (resource kit) command.
A service was installed in the system.
Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Service Name: simptcp
Service File Name: %SystemRoot%\System32\tcpsvcs.exe
Service Type: 0x20
Service Start Type: 2
Service Account: NT AUTHORITY\LocalService
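As an added example (not code from this page), the following Python parses the sample event above, decodes Service Type and Service Start Type with the tables listed on this page, and writes review notes for the properties an analyst would check: a binary outside the Windows directory, the "interact with desktop" bit (0x110/0x120), a value not in the tables, and a non-SYSTEM subject whose Logon ID should be correlated with its 4624 logon event. The second event, including the user name, SID and Logon ID in it, is constructed for the demonstration.

```python
import re
# Code tables as listed on this page (Service Type is hex, Start Type decimal).
SERVICE_TYPES = {0x2: "File system driver service",
                 0x10: "Service that runs in its own process",
                 0x20: "Service that shares a process with one or more other services",
                 0x110: "Same as 0x10 but allowed to interact with desktop",
                 0x120: "Same as 0x20 but allowed to interact with desktop"}
START_TYPES = {0: "Boot start (driver only)", 1: "System start (driver only)",
               2: "Auto start by the service control manager"}
FIELDS = ("Security ID", "Account Name", "Account Domain", "Logon ID", "Service Name",
          "Service File Name", "Service Type", "Service Start Type", "Service Account")

def parse_event(text):
    """Extract the 'Field: value' lines of one event body into a dict."""
    ev = {}
    for key in FIELDS:
        m = re.search(r"^\s*%s:\s*(.*)$" % re.escape(key), text, re.M)
        ev[key] = m.group(1).strip() if m else ""
    ev["Service Type"] = int(ev["Service Type"], 16)   # "0x20" -> 32
    ev["Service Start Type"] = int(ev["Service Start Type"])
    return ev

def triage(ev):
    """Review notes for a parsed event; an empty list means it looks routine."""
    notes = []
    image = ev["Service File Name"].lower()
    if not (image.startswith("%systemroot%") or "\\windows\\" in image):
        notes.append("binary outside the Windows directory: " + ev["Service File Name"])
    if ev["Service Type"] & 0x100:   # the 'interact with desktop' bit of 0x110 / 0x120
        notes.append("service is allowed to interact with the desktop")
    if ev["Service Type"] not in SERVICE_TYPES or ev["Service Start Type"] not in START_TYPES:
        notes.append("type or start type not in the page's tables; inspect manually")
    if ev["Security ID"] != "SYSTEM":   # a SYSTEM subject cannot be attributed to a person
        notes.append("installed by %s\\%s; correlate Logon ID %s with its 4624 event"
                     % (ev["Account Domain"], ev["Account Name"], ev["Logon ID"]))
    return notes
# The sample event shown on this page (a routine Windows component install).
PAGE_SAMPLE = """Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Service Name: simptcp
Service File Name: %SystemRoot%\\System32\\tcpsvcs.exe
Service Type: 0x20
Service Start Type: 2
Service Account: NT AUTHORITY\\LocalService"""
# Constructed variant (not from the page): user-installed, desktop-interactive, odd path.
CONSTRUCTED = (PAGE_SAMPLE.replace("SYSTEM", "S-1-5-21-0-0-0-1001").replace("0x3e7", "0x5a2f1")
               .replace("WIN-R9H529RIO4Y$", "jdoe").replace("Service Type: 0x20", "Service Type: 0x110")
               .replace("%SystemRoot%\\System32\\tcpsvcs.exe", "C:\\Users\\Public\\upd.exe"))
```

Running `triage(parse_event(PAGE_SAMPLE))` returns no notes, while the constructed event yields three.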