System Event Log (Service Installation)

Windows, Persistence Mechanisms, Disk Image, SIEM / Log Aggregator

Location

C:\Windows\System32\winevt\Logs\System.evtx

Description

The System event log. The Service Control Manager provider writes Event ID 7045 ("A service was installed in the system") when a new service is registered, recording the service name (ServiceName), the binary path or command line (ImagePath), the service type, the start type, and the account the service runs as (AccountName). The same provider also writes 7034 (service terminated unexpectedly), 7036 (service entered the running or stopped state), and 7040 (start type changed, for example an attacker switching a service to auto start for persistence).

Forensic Value

Event 7045 detects attacker tool deployment via service creation, the mechanism behind PsExec (which installs a service named PSEXESVC by default), Cobalt Strike's psexec lateral-movement options (a randomly named service whose binary is copied to the target's ADMIN$ share, or for psexec_psh a %COMSPEC%-wrapped encoded PowerShell one-liner), Metasploit's psexec modules, and many ransomware deployment scripts. The ImagePath field reveals the exact binary or command line executed, under the account named in AccountName, which for these tools is normally LocalSystem. Services with random names, binaries under user-writable or temp directories, UNC paths to admin shares, or encoded PowerShell command lines are high-confidence indicators. Because 7045 is written on the host where the service is created, a remote install lands in the target's System log, not the source's; correlate its timestamp with the target's Security log (4624 Logon Type 3 from the source host, 5140/5145 access to ADMIN$ or C$ where share auditing is enabled) and with activity on the source host to build the attack progression timeline.
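As an added example (not from the original page or from any of the tools listed below), the indicators above expressed as triage logic over 7045 records. It runs against constructed sample events in the XML layout that Get-WinEvent's .ToXml() or `wevtutil qe System /f:xml` emit; the service-name randomness heuristic, the directory list and the detection strings are assumptions and should be tuned and allowlisted for your environment.

```python
"""Triage System.evtx 7045 records for service-based tool deployment.
Added example, not from the original page; sample events are constructed and
the indicator patterns are assumptions to tune for your environment."""
import base64
import re
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KNOWN_TOOL_SERVICES = {"psexesvc"}  # PsExec's default service name
WRITABLE_DIRS = re.compile(r"\\(temp|appdata|users\\public|windows\\temp|perflogs)\\", re.I)
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(admin|c)\$\\", re.I)  # \\host\ADMIN$\x.exe
ENCODED_PS = re.compile(r"(powershell|pwsh).*?\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
ALNUM_NAME = re.compile(r"[A-Za-z0-9]{7,16}")
DIGIT_SUFFIX = re.compile(r"[A-Za-z]+\d+")  # UpdaterSvc9-style names: digits only as a suffix

# Constructed records in the Service Control Manager EventData layout (not real telemetry),
# in the XML shape Get-WinEvent's .ToXml() or `wevtutil qe System /f:xml` emit.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Service Control Manager"/><EventID Qualifiers="16384">7045</EventID>
 <TimeCreated SystemTime="2024-03-14T09:12:33Z"/><Computer>WS01.corp.example</Computer></System>
 <EventData><Data Name="ServiceName">PSEXESVC</Data><Data Name="ImagePath">%SystemRoot%\PSEXESVC.exe</Data>
 <Data Name="ServiceType">user mode service</Data><Data Name="StartType">demand start</Data>
 <Data Name="AccountName">LocalSystem</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Service Control Manager"/><EventID Qualifiers="16384">7045</EventID>
 <TimeCreated SystemTime="2024-03-14T09:14:07Z"/><Computer>WS01.corp.example</Computer></System>
 <EventData><Data Name="ServiceName">a7f3Kq2</Data><Data Name="ImagePath">\\127.0.0.1\ADMIN$\a7f3Kq2.exe</Data>
 <Data Name="ServiceType">user mode service</Data><Data Name="StartType">demand start</Data>
 <Data Name="AccountName">LocalSystem</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Service Control Manager"/><EventID Qualifiers="16384">7045</EventID>
 <TimeCreated SystemTime="2024-03-14T09:20:41Z"/><Computer>WS01.corp.example</Computer></System>
 <EventData><Data Name="ServiceName">UpdaterSvc9</Data><Data Name="ImagePath">%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand dwBoAG8AYQBtAGkA</Data>
 <Data Name="ServiceType">user mode service</Data><Data Name="StartType">demand start</Data>
 <Data Name="AccountName">LocalSystem</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Service Control Manager"/><EventID Qualifiers="16384">7045</EventID>
 <TimeCreated SystemTime="2024-03-13T17:02:10Z"/><Computer>WS01.corp.example</Computer></System>
 <EventData><Data Name="ServiceName">BackupAgent</Data><Data Name="ImagePath">C:\Program Files\BackupAgent\agent.exe</Data>
 <Data Name="ServiceType">user mode service</Data><Data Name="StartType">auto start</Data>
 <Data Name="AccountName">NT AUTHORITY\LocalService</Data></EventData></Event>
</Events>"""


def looks_random(name: str) -> bool:
    """Generated-name heuristic (Cobalt Strike uses 7 random alphanumerics): alnum only,
    with digits mixed into the letters or no vowels at all. Allowlist legitimate names
    such as W32Time in production; this is an assumption, not a rule from the page."""
    if not ALNUM_NAME.fullmatch(name):
        return False
    mixed = any(c.isdigit() for c in name) and not DIGIT_SUFFIX.fullmatch(name)
    return mixed or not any(c in "aeiouAEIOU" for c in name)


def parse_7045(xml_text: str) -> list[dict]:
    """Flatten each 7045 <Event> into a dict of its System and EventData fields."""
    records = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % EVT_NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=EVT_NS) != "7045":
            continue  # 7034/7036/7040 share the log but carry different fields
        rec = {"time": ev.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime"),
               "computer": ev.findtext("e:System/e:Computer", namespaces=EVT_NS)}
        for d in ev.findall("e:EventData/e:Data", EVT_NS):
            rec[d.get("Name")] = d.text or ""
        records.append(rec)
    return records


def triage(rec: dict) -> list[str]:
    """Return why a 7045 record is suspicious; an empty list means no indicator hit."""
    name, path, reasons = rec.get("ServiceName", ""), rec.get("ImagePath", ""), []
    if name.lower() in KNOWN_TOOL_SERVICES:
        reasons.append("known tool service name")
    if looks_random(name):
        reasons.append("random-looking service name")
    if ADMIN_SHARE.search(path):
        reasons.append("binary served from an admin share (remote service install)")
    if WRITABLE_DIRS.search(path):
        reasons.append("binary in a user-writable or temp directory")
    m = ENCODED_PS.search(path)
    if m:
        reasons.append("encoded PowerShell command line")
        try:  # -EncodedCommand takes base64 of the UTF-16LE script text
            rec["decoded_command"] = base64.b64decode(m.group(3)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            rec["decoded_command"] = None
    return reasons


def hunt(xml_text: str) -> list[dict]:
    """Parse and triage; keeps only flagged records, each with a 'reasons' key."""
    hits = []
    for rec in parse_7045(xml_text):
        reasons = triage(rec)
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_XML):
        print(h["time"], h["computer"], h["ServiceName"], h.get("AccountName"), "|", "; ".join(h["reasons"]))
        print("   decoded:", h.get("decoded_command")) if h.get("decoded_command") else None
```

Feed it the output of `wevtutil qe System /f:xml` wrapped in a root element, or build the same dicts from the EvtxECmd CSV's payload columns. The decoded PowerShell is the part analysts most often need immediately, since the ImagePath of a psexec_psh-style service contains the entire stager.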

Tools Required

KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer, Chainsaw

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target EventLogs

EvtxECmd

EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\System.evtx" --csv C:\output --csvf System.csv

PowerShell

Get-WinEvent -FilterHashtable @{LogName="System"; Id=7045} | Export-Csv C:\output\service_installs.csv -NoTypeInformation

Chainsaw

chainsaw hunt "C:\Windows\System32\winevt\Logs\System.evtx" -s sigma/ --mapping mappings/sigma-event-logs-all.yml

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
  • Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.
  • System.evtx defaults to a 20 MB maximum size and overwrites the oldest records when full, so 7045 entries on busy hosts can age out within days. An Event ID 104 record (Microsoft-Windows-Eventlog, "The System log file was cleared") at the head of the log indicates the log was deliberately cleared rather than rolled over.

MITRE ATT&CK Techniques

T1543.003 (Create or Modify System Process: Windows Service), T1569.002 (System Services: Service Execution), T1021.002 (Remote Services: SMB/Windows Admin Shares)