Event ID 4697

A service was installed in the system 

A service was installed in the system.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Service Information:
    Service Name:       %5
    Service File Name:  %6
    Service Type:       %7
    Service Start Type: %8
    Service Account:    %9


This event generates when new service was installed in the system.

Auditing:     Always


Volume:     Low


Microsoft Documentation

Event ID - 4697



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any S-1-5-18
Account Name SubjectUserName %2 Any WIN-GG82ULGC9GO$
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x3e7
Service Name ServiceName %5 Any AppHostSvc
Service File Name ServiceFileName %6 Any %windir%\\system32\\svchost.exe -k apphost
Service Type ServiceType %7 Any 0x20
Service Start Type ServiceStartType %8 Any 2
Service Account ServiceAccount %9 Any localSystem

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Security System Extension"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
Audit Success
Audit Category:
System

Audit Subcategory:
Security System Extension
Legacy Events:
601

LEFT/RIGHT arrow keys for navigation

Back to List