System Event Log (Service Installation)
Tags: Windows, Persistence Mechanisms, Disk Image, SIEM / Log Aggregator
Location
C:\Windows\System32\winevt\Logs\System.evtx

Description
System event log capturing Event ID 7045 for new service installations, recording the service name, binary path (ImagePath), service type, and start type. The same log also captures Event ID 7034 (service terminated unexpectedly) and Event ID 7040 (service start type changed).
Forensic Value
Event ID 7045 detects attacker tool deployment via service creation, the mechanism used by PsExec, Cobalt Strike, Metasploit, and many ransomware variants. The ImagePath field reveals the exact binary or command line that the Service Control Manager executed, normally as SYSTEM. Services with random-looking names, binaries in temp directories, or encoded PowerShell command lines are high-confidence indicators. Correlating service installation timestamps with lateral movement events (logons, remote admin shares, remote scheduled tasks) builds the attack progression timeline.
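The following triage script is an added example, not part of the original artifact entry or of any of the tools listed below. It parses Event ID 7045 records in Windows event XML form (as exported by Event Viewer or EvtxECmd's XML output) and applies the three indicators named above: a random-looking service name, a binary under a temp directory, and an encoded PowerShell command line. It also flags PsExec's default service name. The sample events, the host name WS01.corp.example, and the base64 string are constructed for the example; the EventData field names (ServiceName, ImagePath, ServiceType, StartType, AccountName) are assumed to match the Service Control Manager event schema.

```python
"""Triage Event ID 7045 (service installed) records from System.evtx.

Input is per-event XML in the Windows event schema. Assumption: the
EventData field names match the Service Control Manager 7045 schema.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Heuristics taken from the artifact description above.
RANDOM_NAME_RE = re.compile(r"[A-Za-z0-9]{5,12}")           # short, alnum only
TEMP_PATH_RE = re.compile(r"(\\temp\\|%temp%)", re.I)        # temp directories
ENCODED_PS_RE = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}",
    re.I)
KNOWN_TOOL_SERVICE_NAMES = {"PSEXESVC"}  # PsExec's default service name


def parse_event(xml_text):
    """Flatten one event's System and EventData sections into a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {
        "event_id": int(system.find("e:EventID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.find("e:Computer", NS).text,
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        rec[data.get("Name")] = data.text or ""
    return rec


def looks_random(name):
    """Short alphanumeric name mixing letters and digits, e.g. 'x7Kq2mZp'."""
    return (RANDOM_NAME_RE.fullmatch(name) is not None
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def indicators_for(rec):
    """Return the list of indicator labels that fire on a 7045 record."""
    if rec["event_id"] != 7045:
        return []
    name, path = rec.get("ServiceName", ""), rec.get("ImagePath", "")
    found = []
    if name.upper() in KNOWN_TOOL_SERVICE_NAMES:
        found.append("known_tool_service_name")
    if looks_random(name):
        found.append("random_service_name")
    if TEMP_PATH_RE.search(path):
        found.append("temp_directory_binary")
    if ENCODED_PS_RE.search(path):
        found.append("encoded_powershell")
    return found


def triage(xml_events):
    """Return one row per 7045 event, most indicators first (7034/7040 skipped)."""
    rows = []
    for xml_text in xml_events:
        rec = parse_event(xml_text)
        if rec["event_id"] != 7045:
            continue
        rows.append({
            "time": rec["time"], "computer": rec["computer"],
            "service": rec["ServiceName"], "image_path": rec["ImagePath"],
            "start_type": rec.get("StartType", ""),
            "indicators": indicators_for(rec),
        })
    rows.sort(key=lambda r: -len(r["indicators"]))  # stable: ties keep log order
    return rows


def _event(event_id, time, data):
    """Build a constructed sample event in Windows event XML (not real log data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Service Control Manager"/><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>WS01.corp.example</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')


# Constructed samples: one benign install, two suspicious installs,
# one 7040 start-type change, and one PsExec-style install.
SAMPLE_EVENTS = [
    _event(7045, "2024-03-01T08:00:00.000Z", {
        "ServiceName": "ContosoUpdater",
        "ImagePath": r"C:\Program Files\Contoso\Updater\updater.exe",
        "ServiceType": "user mode service", "StartType": "auto start",
        "AccountName": "LocalSystem"}),
    _event(7045, "2024-03-01T10:15:00.000Z", {
        "ServiceName": "x7Kq2mZp",
        "ImagePath": r"C:\Users\bob\AppData\Local\Temp\x7Kq2mZp.exe",
        "ServiceType": "user mode service", "StartType": "demand start",
        "AccountName": "LocalSystem"}),
    _event(7045, "2024-03-01T10:16:30.000Z", {
        "ServiceName": "WinSvcHelper",
        "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden "
                     "-EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB",
        "ServiceType": "user mode service", "StartType": "demand start",
        "AccountName": "LocalSystem"}),
    _event(7040, "2024-03-01T10:20:00.000Z", {
        "param1": "Windows Defender Antivirus Service",
        "param2": "auto start", "param3": "disabled"}),
    _event(7045, "2024-03-01T10:25:00.000Z", {
        "ServiceName": "PSEXESVC",
        "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
        "ServiceType": "user mode service", "StartType": "demand start",
        "AccountName": "LocalSystem"}),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row["time"], row["computer"], row["service"],
              row["indicators"] or "-", row["image_path"])
```

The sort keeps ties in log order, so the output doubles as a timeline of the flagged installs that can be lined up against logon and remote-execution events from the same window. The heuristics are deliberately simple string checks; in production they belong in an allowlist-aware rule set (Chainsaw with Sigma rules covers this), but the script shows what each indicator actually keys on.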
Tools Required
KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer, Chainsaw