Event ID 4697 - A service was installed in the system

Event ID: 4697

A service was installed in the system

A service was installed in the system.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Service Information:
    Service Name:       %5
    Service File Name:  %6
    Service Type:       %7
    Service Start Type: %8
    Service Account:    %9

Microsoft Documentation

Event ID - 4697

This event generates when new service was installed in the system.

	Field	Insertion String	OS	Example
Security ID	SubjectUserSid	%1	Any	S-1-5-18
Account Name	SubjectUserName	%2	Any	WIN-GG82ULGC9GO$
Account Domain	SubjectDomainName	%3	Any	DOMAIN
Logon ID	SubjectLogonId	%4	Any	0x3e7
Service Name	ServiceName	%5	Any	AppHostSvc
Service File Name	ServiceFileName	%6	Any	%windir%\\system32\\svchost.exe -k apphost
Service Type	ServiceType	%7	Any	0x20
Service Start Type	ServiceStartType	%8	Any	2
Service Account	ServiceAccount	%9	Any	localSystem

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:"Security System Extension"

How to enable Windows Auditing

Operating Systems:

Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019

Audit Category:

System

Audit Subcategory:

Security System Extension

Legacy Events:

601

LEFT/RIGHT arrow keys for navigation

Back to List