Windows Security Log Event ID 601

Operating Systems: Windows 2003 and XP
Category: Process Tracking
Type: Success
Corresponding events in Windows 2008 and Vista:

601: Attempt to install service

A new service was installed by the indicated user and domain.

Service Name: the internal system name of the new service. Use "sc query" to get a cross-reference of service names and their more familiar display names.

Service Type:

Service Start Type:

Service Account: this is the account that the service runs under.

User Name and Domain identify the user who installed the service.

While this event only covers newly installed services, you can audit events on existing services, such as starts, stops and modifications, with the Object Access category. To enable auditing on a service, use a Security Template or the subinacl command from the Resource Kit.

Description Fields in 601

  • Service Name:
  • Service File Name:
  • Service Type:
  • Service Start Type:
  • Service Account:
  • User Name:
  • Domain:
  • Logon ID:

Examples of 601

Attempt to install service:
Service Name:SNMPTRAP
Service File Name:%SystemRoot%\system32\snmptrap.exe
Service Type:16
Service Start Type:3
Service Account:NT AUTHORITY\LocalService
User Name:administrator
Logon ID:(0x0,0x158EB7)
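
The numeric Service Type and Service Start Type values in the example above map to the Win32 service constants. The following Python sketch is an added example, not part of the original page: it parses a 601 description and decodes those two fields. The function names and the review hints in `triage` are assumptions made for illustration.

```python
# Added example: decode the numeric fields of a 601 description.
SERVICE_TYPES = {  # Win32 SERVICE_* type bit flags
    0x1: "Kernel driver", 0x2: "File system driver",
    0x10: "Win32 own process", 0x20: "Win32 share process",
    0x100: "Interactive process",
}
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# The example event from this page, embedded so the script runs offline.
SAMPLE = r"""Attempt to install service:
Service Name:SNMPTRAP
Service File Name:%SystemRoot%\system32\snmptrap.exe
Service Type:16
Service Start Type:3
Service Account:NT AUTHORITY\LocalService
User Name:administrator
Logon ID:(0x0,0x158EB7)"""

def parse_601(text):
    """Split the 'Field:value' lines of a 601 description into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip():
            fields[name.strip()] = value.strip()
    return fields

def decode(fields):
    """Return (list of service type names, start type name)."""
    stype = int(fields["Service Type"], 0)
    names = [label for bit, label in SERVICE_TYPES.items() if stype & bit]
    start = START_TYPES.get(int(fields["Service Start Type"], 0), "Unknown")
    return names, start

def triage(fields):
    """Hypothetical review hints; the criteria are assumptions, not from the page."""
    names, start = decode(fields)
    notes = []
    if any("driver" in n for n in names):
        notes.append("driver install (kernel mode)")
    if start in ("Boot", "System", "Automatic"):
        notes.append("starts without user action: " + start)
    if fields.get("Service Account", "").lower() in ("localsystem", r"nt authority\system"):
        notes.append("runs as LocalSystem")
    return notes

if __name__ == "__main__":
    f = parse_601(SAMPLE)
    print(f["Service Name"], decode(f), triage(f))
```

For the SNMPTRAP event, Service Type 16 decodes to a Win32 service running in its own process and Service Start Type 3 to a manual (demand) start.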
