SOC Event Lookup
Event ID 4697ServiceP1

Windows Event ID 4697: A service was installed in the system

Windows Security Event ID 4697 records installation of a service and is a high-value signal for persistence and remote execution.

Applicable version
Windows Server 2016 and later; Windows 10 and later
Last reviewed
2026-07-10

Trigger Scenarios

The event is generated when a new service is installed and Security System Extension auditing is enabled.

Key Fields

Service Name

The installed service identifier. Names that imitate legitimate services require careful validation.

Service File Name

The binary path and arguments used by the service. Writable paths, UNC paths, and suspicious command lines are important indicators.

Subject

The account that installed the service. Correlate it with remote logon and process telemetry.

Common False Positives

  • Software installation, patching, EDR, and management systems routinely install services.
  • Administrators may install services during maintenance windows.

Related Events

MITRE ATT&CK Mapping

  • T1543.003Create or Modify System Process: Windows Service
  • T1021.002Remote Services: SMB/Windows Admin Shares

Detection Notes

T1543.003 Windows Service persistence is indicated when Service File Name points to a user-writable path, UNC path, or contains powershell.exe/cmd.exe, and Service Start Type is Auto start or Boot start. A service created after Type 3 SMB access is consistent with remote service execution.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4697
| project TimeGenerated, Computer, Account, ServiceName, ServiceFileName, ServiceType, StartType
| order by TimeGenerated desc
Splunk SPL
index=wineventlog EventCode=4697
| table _time, host, SubjectUserName, ServiceName, ServiceFileName, ServiceStartType
Sample Log
Service Name: UpdaterSvc
Service File Name: C:\Users\Public\updater.exe
Service Start Type: Auto start
Subject: CORP\admin.ops

Source