{
	"id": "1c641c35-0e72-4e88-9387-41a64ea366b2",
	"created_at": "2026-04-06T00:10:39.372542Z",
	"updated_at": "2026-04-10T03:20:25.815389Z",
	"deleted_at": null,
	"sha1_hash": "19d339ecaec3fd704a35b7767efe25d449690c68",
	"title": "4697(S) A service was installed in the system. - Windows 10",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 120691,
	"plain_text": "4697(S) A service was installed in the system. - Windows 10\nBy vinaypamnani-msft\nArchived: 2026-04-05 15:44:56 UTC\nSubcategory: Audit Security System Extension\nEvent Description:\nThis event generates when new service was installed in the system.\nNote For recommendations, see Security Monitoring Recommendations for this event.\nEvent XML:\n- - 46970012289 https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697\nPage 1 of 7\n\n00x80200000000000002778SecurityWIN-GG82ULGC9GO.contoso.local - S-1-5-18 WIN-GG82ULGC9GO$ CONTOSO 0x3e7 AppHostSvc %windir%\\\\system32\\\\svchost.exe -k apphost 0x20 2 localSystem Required Server Roles: None.\nMinimum OS Version: Windows Server 2016, Windows 10.\nEvent Versions: 0.\nField Descriptions:\nSubject:\nSecurity ID [Type = SID]: SID of account that was used to install the service. Event Viewer automatically\ntries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source\ndata in the event.\nNote A security identifier (SID) is a unique value of variable length used to identify a trustee (security\nprincipal). Each account has a unique SID that is issued by an authority, such as an Active Directory\ndomain controller, and stored in a security database. Each time a user logs on, the system retrieves the\nSID for that user from the database and places it in the access token for that user. The system uses the\nSID in the access token to identify the user in all subsequent interactions with Windows security. When\na SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify\nanother user or group. For more information about SIDs, see Security identifiers.\nAccount Name [Type = UnicodeString]: the name of the account that was used to install the service.\nhttps://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697\nPage 2 of 7\n\nAccount Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include\r\nthe following:\r\nDomain NETBIOS name example: CONTOSO\r\nLowercase full domain name: contoso.local\r\nUppercase full domain name: CONTOSO.LOCAL\r\nFor some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON,\r\nthe value of this field is “NT AUTHORITY”.\r\nFor local user accounts, this field will contain the name of the computer or device that this account\r\nbelongs to, for example: “Win81”.\r\nLogon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events\r\nthat might contain the same Logon ID, for example, “4624: An account was successfully logged on.”\r\nService Information:\r\nService Name [Type = UnicodeString]: the name of installed service.\r\nhttps://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697\r\nPage 3 of 7\n\nService File Name [Type = UnicodeString]: This is the fully rooted path to the file that the Service Control\r\nManager will execute to start the service. If command-line parameters are specified as part of the image\r\npath, those are logged.\r\nNote that this is the path to the file when the service is created. If the path is changed afterwards, the\r\nchange is not logged. This would have to be tracked via Process Create events.\r\nService Type [Type = HexInt32]: Indicates the type of service that was registered with the Service Control\r\nManager. It can be one of the following:\r\nhttps://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697\r\nPage 4 of 7\n\nValue\r\nService\r\nType\r\nDescription\r\n0x1\r\nKernel\r\nDriver\r\nA Kernel device driver such as a hard disk or other low-level hardware device driver.\r\n0x2\r\nFile System\r\nDriver\r\nA file system driver, which is also a Kernel device driver.\r\n0x8\r\nRecognizer\r\nDriver\r\nA file system driver used during startup to determine the file systems present on the\r\nsystem.\r\n0x10\r\nWin32\r\nOwn\r\nProcess\r\nA Win32 program that can be started by the Service Controller and that obeys the\r\nservice control protocol. This type of Win32 service runs in a process by itself (this\r\nis the most common).\r\n0x20\r\nWin32\r\nShare\r\nProcess\r\nA Win32 service that can share a process with other Win32 services.\r\n(see: https://msdn.microsoft.com/library/windows/desktop/ms685967(v=vs.85).aspx\r\n0x110\r\nInteractive\r\nOwn\r\nProcess\r\nA service that should be run as a standalone process and can communicate with the\r\ndesktop.\r\n(see:\r\nhttps://msdn.microsoft.com/library/windows/desktop/ms683502(v=vs.85).aspx)\r\n0x120\r\nInteractive\r\nShare\r\nProcess\r\nA service that can share address space with other services of the same type and can\r\ncommunicate with the desktop.\r\nService Start Type [Type = HexInt32]: The service start type can have one of the following values (see:\r\nhttps://msdn.microsoft.com/library/windows/desktop/ms682450(v=vs.85).aspx):\r\nValue Service Type Description\r\n0 Boot\r\nA device driver started by the system loader. This value is valid only for driver\r\nservices.\r\n1 System\r\nA device driver started by the IoInitSystem() function. This value is valid only for\r\ndriver services.\r\n2Automatic\r\nA service started automatically by the service control manager during system\r\nstartup.\r\n2\r\nAutomatic\r\nDelayed\r\nA service started after all auto-start services have started, plus a delay. Delayed\r\nAuto Start services are started one at a time in a serial fashion.\r\nhttps://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697\r\nPage 5 of 7\n\nValue Service Type Description\r\n3 Manual\r\nManual start. A service started by the service control manager when a process\r\ncalls the StartService function.\r\n4 Disabled\r\nA service that cannot be started. Attempts to start the service result in the error\r\ncode ERROR_SERVICE_DISABLED.\r\nMost services installed are configured to Auto Load, so that they start automatically after Services.exe process is\r\nstarted.\r\nService Account [Type = UnicodeString]: The security context that the service will run as when started.\r\nNote that this is what was configured when the service was installed, if the account is changed later that is\r\nnot logged.\r\nThe service account parameter is only populated if the service type is a \"Win32 Own Process\" or \"Win32\r\nShare Process\" (displayed as \"User Mode Service.\"). Kernel drivers do not have a service account name\r\nlogged.\r\nIf a service (Win32 Own/Share process) is installed but no account is supplied, then LocalSystem is used.\r\nThe token performing the logon is inspected, and if it has a SID then that SID value is populated in the\r\nevent (in the System/Security node), if not, then it is blank.\r\nSecurity Monitoring Recommendations\r\nFor 4697(S): A service was installed in the system.\r\nImportant  For this event, also see Appendix A: Security monitoring recommendations for many audit\r\nevents.\r\nWe recommend monitoring for this event, especially on high value assets or computers, because a new\r\nservice installation should be planned and expected. Unexpected service installation should trigger an alert.\r\nMonitor for all events where “Service File Name” is not located in %windir% or “Program\r\nFiles/Program Files (x86)” folders. Typically new services are located in these folders.\r\nReport all “Service Type” equals “0x1”, “0x2” or “0x8”. These service types start first and have almost\r\nunlimited access to the operating system from the beginning of operating system startup. These types are\r\nvery rarely installed.\r\nReport all “Service Start Type” equals “0” or “1”. These service start types are used by drivers, which\r\nhave unlimited access to the operating system.\r\nReport all “Service Start Type” equals “4”. It is not common to install a new service in the Disabled state.\r\nhttps://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697\r\nPage 6 of 7\n\nReport all “Service Account” not equals “localSystem”, “localService” or “networkService” to identify\r\nservices which are running under a user account.\r\nSource: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697\r\nhttps://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697"
	],
	"report_names": [
		"event-4697"
	],
	"threat_actors": [],
	"ts_created_at": 1775434239,
	"ts_updated_at": 1775791225,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19d339ecaec3fd704a35b7767efe25d449690c68.pdf",
		"text": "https://archive.orkl.eu/19d339ecaec3fd704a35b7767efe25d449690c68.txt",
		"img": "https://archive.orkl.eu/19d339ecaec3fd704a35b7767efe25d449690c68.jpg"
	}
}