EventPeeker

Event ID 7045 — New Service Installed

Event ID 7045 is logged by the Service Control Manager (System log) when a new Windows service is installed. Legitimate software installs services too, but the event is also a reliable indicator of malware persistence: an auto-start service launches at every boot and commonly runs as LocalSystem.

MITRE ATT&CK

Technique: T1543 · Windows Service
Tactic: Persistence


Security Relevance

Installing a malicious service gives an attacker persistent, high-privileged code execution that survives reboots and is harder to detect than scheduled tasks or registry autoruns. Ransomware, RATs, and many APT toolkits use service installation as their primary persistence mechanism.

Example Log Entry

Log Name: System
Source:    Service Control Manager
Event ID:  7045
Level:     Information

A new service was installed in the system.

Service Name:  WindowsDefenderUpdate
Service File Name: C:\Windows\Temp\svc_host32.exe
Service Type:  user mode service
Service Start Type: auto start
Service Account: LocalSystem

Investigation Steps

  1. Check the service binary path — legitimate services are rarely in Temp, AppData, or user-writable directories.
  2. Compare the service name against known-good services — attackers use names like 'WindowsUpdate' or 'SvcHost' to blend in.
  3. Check the service account — LocalSystem is a red flag for newly installed third-party services.
  4. Look at the service start type — 'auto start' ensures persistence across reboots.
  5. Hash the binary and check against VirusTotal or your threat intelligence platform.
  6. Identify who installed the service — cross-reference the timestamp with logon events.
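The following Python routine is an added example, not EventPeeker's own code: it parses a 7045 message in the layout of the example entry above and applies investigation steps 1 through 4 (binary location, lookalike name against a known-good list, LocalSystem account, auto start). Steps 5 and 6 need a hash lookup and logon-event correlation, which are outside a single event, so they are not covered. The sample event, the suspicious-directory list and the lookalike-token list are constructed assumptions to be tuned for your environment.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same layout as the example entry above; not a real capture.
SAMPLE_EVENT = """Log Name: System
Source:    Service Control Manager
Event ID:  7045
Level:     Information

A new service was installed in the system.

Service Name:  WindowsDefenderUpdate
Service File Name: C:\\Windows\\Temp\\svc_host32.exe
Service Type:  user mode service
Service Start Type: auto start
Service Account: LocalSystem
"""

# Step 1: directories where a legitimate service binary is rarely found (assumed list).
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\", "\\temp\\")

# Step 2: vendor-sounding fragments attackers use to blend in (assumed list).
LOOKALIKE_TOKENS = ("windowsupdate", "windowsdefender", "svchost", "microsoft")


@dataclass
class ServiceInstall:
    name: str
    file_name: str
    start_type: str
    account: str


def parse_7045(text: str) -> ServiceInstall:
    """Pull the service fields out of a 7045 message body."""
    def grab(label: str) -> str:
        m = re.search(rf"^{re.escape(label)}:[ \t]*(.+?)[ \t]*$", text, re.MULTILINE)
        if not m:
            raise ValueError(f"7045 message lacks field {label!r}")
        return m.group(1)
    return ServiceInstall(grab("Service Name"), grab("Service File Name"),
                          grab("Service Start Type"), grab("Service Account"))


def image_path(file_name: str) -> str:
    """Reduce 'Service File Name' (which may carry quotes and arguments) to the executable path."""
    s = file_name.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s.strip('"')
    # Unquoted: take everything up to the first '.exe' token (handles spaces in the path).
    m = re.match(r"(.+?\.exe)(?:\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else s.split()[0]


def triage(ev: ServiceInstall, known_good=()) -> list:
    """Apply investigation steps 1-4; returns one finding string per red flag."""
    findings = []
    path = image_path(ev.file_name).lower()
    if any(d in path for d in SUSPICIOUS_DIRS):
        findings.append(f"binary in temp/user-writable path: {path}")
    if ev.name not in known_good and any(t in ev.name.lower() for t in LOOKALIKE_TOKENS):
        findings.append(f"vendor-lookalike name not in known-good list: {ev.name}")
    if ev.account.lower() in ("localsystem", "nt authority\\system"):
        findings.append("runs as LocalSystem")
    if ev.start_type.lower().startswith("auto"):
        findings.append("auto start: persists across reboots")
    return findings


def triage_text(text: str, known_good=()) -> dict:
    """Parse then triage one 7045 message; 'score' is the number of red flags raised."""
    ev = parse_7045(text)
    found = triage(ev, known_good)
    return {"service": ev.name, "path": image_path(ev.file_name),
            "findings": found, "score": len(found)}


if __name__ == "__main__":
    result = triage_text(SAMPLE_EVENT)
    print(f"{result['service']}: {result['score']} red flags")
    for line in result["findings"]:
        print("  -", line)
```

Run against the sample, all four checks fire; passing the service name in `known_good` drops the lookalike finding, which is how an environment-specific allowlist keeps a real vendor updater from tripping step 2 every time it is reinstalled.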


Remediation

  • Stop and disable the suspicious service immediately: sc stop <name> && sc delete <name>
  • Remove the malicious binary from disk.
  • Scan the system with an up-to-date AV/EDR tool.
  • Audit all installed services using: sc query type= all state= all
  • Review who has permission to install services and restrict via Group Policy if needed.
  • Investigate how the attacker gained access to install the service in the first place.

Related Event IDs

7036: Service state changed — service started or stopped
7034: Service crashed — may indicate unstable malicious service
4688: Process created — look for sc.exe or service binary execution
4698: Scheduled task created — often used alongside service installation
