EventPeeker
Event ID 7045 · Information · System · T1543.003

Windows Event ID 7045: New Service Installed

Logged when a new service is installed on the system. The System log equivalent of Security Event 4697.

MITRE ATT&CK

Technique

T1543.003 · Windows Service

Tactic

Persistence


Why It Matters

Service installation is a primary persistence technique. Malware frequently installs itself as a service to survive reboots. Suspicious service names, binary paths in user-writable directories, and services using cmd.exe or PowerShell are key indicators.

Key Fields

Service Name: the internal service identifier; random strings or typosquat names are suspicious
Service File Name: the binary path; anything outside C:\Windows or C:\Program Files warrants scrutiny
Service Type: kernel driver vs user-mode service; kernel drivers have the highest privilege
Service Start Type: auto-start services persist across reboots
Service Account: LocalSystem is the most privileged; unusual accounts are suspicious

Investigation Tips

  1. Service binaries in C:\Users, C:\Temp, C:\ProgramData, or C:\Windows\Temp are almost always malicious.
  2. Services with a command line embedded in the binary path (e.g. cmd.exe /c powershell.exe ...) are classic persistence.
  3. Cross-reference with 4697 (Security log) for the account that installed it.
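The key fields and investigation tips above amount to a small triage rule set. The following Python script, added here as an example and not part of EventPeeker or any vendor tool, applies those rules to 7045 records in the XML shape a System-log export carries (the EventData names ServiceName, ImagePath, ServiceType, StartType and AccountName are the ones the Service Control Manager writes). The sample events are constructed, the severity thresholds are a choice made for this example, and the rule that a path with no drive letter resolves under C:\Windows is an assumption noted in the code. It goes slightly beyond the page by normalising quoted paths with arguments and the \SystemRoot\ and \??\ prefixes that driver paths use, so a kernel driver under System32 is not misreported as "outside C:\Windows".

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Directory prefixes from the page's heuristics, compared lower-cased.
HIGH_RISK_DIRS = ("c:\\users\\", "c:\\temp\\", "c:\\programdata\\", "c:\\windows\\temp\\")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# A shell interpreter anywhere in the service path is the "cmd.exe /c powershell.exe ..." pattern.
SHELL_RE = re.compile(r"\b(cmd|powershell|pwsh)\.exe\b", re.IGNORECASE)

EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>{eid}</EventID><Computer>WS01</Computer></System>
  <EventData>{data}</EventData>
</Event>"""


def make_event(eid, **fields):
    """Build a record in the shape a System-log XML export uses (constructed test data only)."""
    data = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in fields.items())
    return EVENT_TEMPLATE.format(eid=eid, data=data)


# Constructed sample records: three suspicious installs, one benign driver, one unrelated 7036.
SAMPLE_EVENTS = [
    make_event(7045, ServiceName="Windows Update Helper", ImagePath=r"C:\ProgramData\wuh\wuhelper.exe",
               ServiceType="user mode service", StartType="auto start", AccountName="LocalSystem"),
    make_event(7045, ServiceName="hlpsvc", ImagePath=r"cmd.exe /c powershell.exe -File C:\Users\Public\run.ps1",
               ServiceType="user mode service", StartType="auto start", AccountName="LocalSystem"),
    make_event(7045, ServiceName="mydrv", ImagePath=r"\SystemRoot\System32\drivers\mydrv.sys",
               ServiceType="kernel mode driver", StartType="demand start", AccountName=""),
    make_event(7045, ServiceName="Backup Agent", ImagePath=r'"D:\Tools\backup\agent.exe" --service',
               ServiceType="user mode service", StartType="auto start", AccountName="LocalSystem"),
    make_event(7036, param1="Backup Agent", param2="running"),
]


def normalize_image_path(image_path):
    """Return the lower-cased executable path from an ImagePath value.

    Strips a quoted path's arguments, resolves the \\??\\ and \\SystemRoot\\ prefixes
    kernel drivers use, and (assumption made for this example) treats a path with
    no drive letter and no leading backslash as relative to C:\\Windows.
    """
    p = image_path.strip()
    exe = p[1:].split('"', 1)[0] if p.startswith('"') else p.split(" ", 1)[0]
    exe = exe.lower().replace("/", "\\")
    if exe.startswith("\\??\\"):
        exe = exe[4:]
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if exe.startswith(prefix):
            exe = "c:\\windows\\" + exe[len(prefix):]
    if not re.match(r"^[a-z]:\\", exe) and not exe.startswith("\\"):
        exe = "c:\\windows\\" + exe
    return exe


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one XML event record."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext(NS + "System/" + NS + "EventID")
    data = {d.get("Name"): (d.text or "").strip() for d in root.iter(NS + "Data")}
    return event_id, data


def assess_service_event(xml_text):
    """Score one record against the page's 7045 heuristics; None if it is not a 7045."""
    event_id, f = parse_event(xml_text)
    if event_id != "7045":
        return None
    image = f.get("ImagePath", "")
    exe = normalize_image_path(image)
    reasons, context, score = [], [], 0
    if exe.startswith(HIGH_RISK_DIRS):          # tip 1: user-writable / temp directories
        reasons.append("binary in high-risk directory: " + exe)
        score += 3
    elif not exe.startswith(TRUSTED_DIRS):      # Service File Name outside the usual roots
        reasons.append("binary outside C:\\Windows / C:\\Program Files: " + exe)
        score += 2
    if SHELL_RE.search(image):                  # tip 2: command line embedded in the path
        reasons.append("shell interpreter embedded in service path")
        score += 3
    # Context fields: normal for many legitimate services, but they shape the follow-up.
    if f.get("ServiceType", "").lower().startswith("kernel"):
        context.append("kernel-mode driver (highest privilege)")
    if f.get("StartType", "").lower() == "auto start":
        context.append("auto-start: persists across reboots")
    if f.get("AccountName") == "LocalSystem":
        context.append("runs as LocalSystem")
    severity = "high" if score >= 3 else "medium" if score == 2 else "low"
    return {"service": f.get("ServiceName", ""), "exe": exe, "severity": severity,
            "reasons": reasons, "context": context}


def triage(events):
    """Assess a list of XML records, dropping anything that is not a 7045."""
    return [r for r in (assess_service_event(e) for e in events) if r is not None]


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["severity"].upper(), r["service"], r["reasons"], r["context"])
```

The third tip is deliberately not automated here: pairing each finding with the 4697 record that names the installing account is a lookup into the Security log, which this script does not read. Feed real records by exporting System-log XML (for example from Get-WinEvent's ToXml()) into the `triage` list.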

Related Event IDs

4697: Service installed, Security log version
7034: Service crashed, which may indicate a poorly written implant
7036: Service state changes after installation

Full Detection Guide Available

This event ID has a full detection guide with investigation steps, remediation advice, and example log entries.


See Event ID 7045 in your logs

Upload a Windows Event Log (.evtx) file; EventPeeker automatically detects new-service-installed patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.
