Services Events

Description: Review events related to Windows Services.

Location:

  • C:\Windows\System32\winevt\logs\System.evtx
  • C:\Windows\System32\winevt\logs\Security.evtx

Notes: The System.evtx log tracks activity associated with Windows Services (these events are written by the Service Control Manager):

  • Event ID: 7034 - A service terminated (crashed) unexpectedly.
  • Event ID: 7035 - A service was sent a start/stop control.
  • Event ID: 7036 - A service entered the running or stopped state.
  • Event ID: 7040 - A service's start type was changed. (Boot | System | Auto Start | Demand Start (On Request) | Disabled; the event records both the old and the new value)
  • Event ID: 7045 - A service was installed on the system. (Logged on both client and server editions; the event records the service name, image path, service type, start type and service account)

The Security.evtx log can be used to track when services are installed on a system, but only if the "Audit Security System Extension" subcategory is enabled in the audit policy; it is not on by default, so its absence does not mean no service was installed:

  • Event ID: 4697 - A service was installed on the system. (Unlike 7045, this event also records the subject account that performed the installation)
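The two install events above are best reviewed side by side, because 7045 carries the image path while 4697 carries the installing account and may be missing entirely when auditing is off. The following PowerShell script is an added example (not code from the original page) that reads exported System.evtx and Security.evtx files offline, pulls both event types, and flags image paths in locations where a legitimate service binary rarely lives. The file paths, the EventData field names read from the event XML, and the "suspicious path" pattern are assumptions you should adjust to your case.

```powershell
# Added example: triage service installs from exported System.evtx / Security.evtx.
# The log paths and the suspicious-path heuristic below are assumptions.
$SystemLog   = 'C:\Cases\host1\System.evtx'
$SecurityLog = 'C:\Cases\host1\Security.evtx'

# Flatten <EventData> into a hashtable keyed by each Data element's Name attribute,
# so we do not depend on the positional order of $event.Properties.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# Locations and launchers a legitimate service rarely uses (analyst heuristic, not exhaustive)
$suspiciousPath = '\\Temp\\|\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Downloads\\|powershell|cmd\.exe|rundll32|\\\\'

$installs = @()

# System.evtx, Event ID 7045 (Service Control Manager). Field names assumed: ServiceName, ImagePath, StartType, AccountName.
Get-WinEvent -FilterHashtable @{Path=$SystemLog; Id=7045} -ErrorAction SilentlyContinue |
ForEach-Object {
    $d = Get-EventData $_
    $installs += [pscustomobject]@{
        Time      = $_.TimeCreated
        Source    = 'System/7045'
        Service   = $d['ServiceName']
        ImagePath = $d['ImagePath']
        StartType = $d['StartType']
        Account   = $d['AccountName']
    }
}

# Security.evtx, Event ID 4697. Only present when "Audit Security System Extension" is enabled.
# Field names assumed: ServiceName, ServiceFileName, ServiceStartType, SubjectDomainName, SubjectUserName.
Get-WinEvent -FilterHashtable @{Path=$SecurityLog; Id=4697} -ErrorAction SilentlyContinue |
ForEach-Object {
    $d = Get-EventData $_
    $installs += [pscustomobject]@{
        Time      = $_.TimeCreated
        Source    = 'Security/4697'
        Service   = $d['ServiceName']
        ImagePath = $d['ServiceFileName']
        StartType = $d['ServiceStartType']
        Account   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
    }
}

# One timeline: a 7045 with no matching 4697 a few seconds later usually means auditing was off,
# not that the install was hidden; a flagged ImagePath is the line to pivot on first.
$installs |
    Sort-Object Time |
    Select-Object Time, Source, Service, StartType, Account,
        @{n='Flag'; e={ if ($_.ImagePath -match $suspiciousPath) { 'REVIEW' } else { '' } }},
        ImagePath |
    Format-Table -AutoSize
```

Run it from a PowerShell prompt on an analysis workstation with the .evtx files copied out of the target's winevt\Logs directory; `-ErrorAction SilentlyContinue` keeps an empty Security log (no 4697 records) from aborting the run.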

Analysis: We can analyze modifications to Windows Services by reviewing the Event IDs above in the System.evtx file. We can reference the Security.evtx file to review installed services, keeping in mind that 4697 is only written when the corresponding audit subcategory is enabled.

We can use the native Windows Event Viewer application to analyze .evtx files. On a Windows client, double-clicking an .evtx file automatically opens the log under the Saved Logs folder in Event Viewer.



To filter for a specific event, select Filter Current Log... to bring up a dialog box with filtering options and enter the Event ID (or a comma-separated list of IDs, for example 7040,7045) you'd like to isolate.



Event ID: 7034 keeps track of services that have crashed unexpectedly.



Event ID: 7040 records modifications to a service's startup state, including the previous and the new start type. It's not uncommon for attackers to disable critical security controls such as Anti-Virus this way, so a change to "disabled" for a security-related service deserves attention.
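To turn the observation above into a repeatable check, the following PowerShell script is an added example (not code from the original page) that reads 7040 events from an exported System.evtx, extracts the service name and the old and new start types, and rates each change: HIGH when a service on a watch-list of security components is set to disabled, MEDIUM for any other service set to disabled, INFO otherwise. The log path, the watch-list and the EventData field layout (param1..param4, with a fallback to parsing the Message text) are assumptions.

```powershell
# Added example: find Event ID 7040 start-type changes that disable a service.
# The log path, watch-list and param1..param4 field layout are assumptions.
$SystemLog = 'C:\Cases\host1\System.evtx'

# Display names of services attackers commonly disable (analyst watch-list, not exhaustive)
$watchList = 'Defender|Antivirus|Antimalware|Security Center|Firewall|Sense|Event Log|Sysmon'

function Get-StartTypeChanges {
    param([string]$Path)

    Get-WinEvent -FilterHashtable @{Path=$Path; Id=7040} -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Assumed layout: the Service Control Manager writes display name, old start type,
        # new start type and short name as param1..param4 in EventData.
        $x = [xml]$_.ToXml()
        $p = @{}
        foreach ($d in $x.Event.EventData.Data) { $p[$d.Name] = $d.'#text' }

        if ($p['param1']) {
            $display = $p['param1']; $old = $p['param2']; $new = $p['param3']; $short = $p['param4']
        } elseif ($_.Message -match 'start type of the (?<svc>.+?) service was changed from (?<old>.+?) to (?<new>.+?)\.') {
            # Fallback: parse the rendered message when the EventData fields are absent
            $display = $Matches.svc; $old = $Matches.old; $new = $Matches.new; $short = ''
        } else {
            return   # unexpected record shape; skip it
        }

        if ($new -eq 'disabled' -and $display -match $watchList) { $sev = 'HIGH' }
        elseif ($new -eq 'disabled')                              { $sev = 'MEDIUM' }
        else                                                      { $sev = 'INFO' }

        [pscustomobject]@{
            Time     = $_.TimeCreated
            Service  = $display
            Short    = $short
            From     = $old
            To       = $new
            Severity = $sev
        }
    }
}

# Show only the changes worth a second look, oldest first
Get-StartTypeChanges -Path $SystemLog |
    Where-Object { $_.Severity -ne 'INFO' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

A HIGH hit is worth correlating with the surrounding System events: a 7036 for the same service stopping shortly afterwards, and any 7045 or 4697 for a new service appearing around the same time, usually tells you whether the change was a maintenance action or part of an intrusion.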