Windows Event ID 7045 – Service Control Manager: New Service Installation

Event ID 7045 fires when a new Windows service is installed on the system. This informational event logs service creation details including name, path, and startup type for security monitoring.

Emanuel DE ALMEIDA, 18 March 2026, 12 min read

What This Event Means

Windows Event ID 7045 is one of the most security-relevant informational events in the Windows Event Log. Generated by the Service Control Manager (SCM), it writes a record to the System log every time a new service is registered in the Windows service database.

The event contains structured data including the service name, display name, executable file path, service type, startup mode, and the security context under which the service will run. This information proves invaluable for forensic investigations, compliance auditing, and real-time security monitoring.

In enterprise environments, Event ID 7045 enables administrators to track software deployments, detect unauthorized installations, and maintain inventory of services across their infrastructure. The event fires regardless of whether the service installation succeeds or fails, providing complete visibility into service creation attempts.

Security teams particularly value this event because many advanced persistent threats (APTs) and commodity malware families rely on service installation for maintaining persistence on compromised systems. By monitoring Event ID 7045 patterns, security analysts can identify suspicious service installations that deviate from baseline behavior, such as services installed from temporary directories, unusual file paths, or with suspicious naming conventions.

Applies to: Windows 10, Windows 11, Windows Server 2019/2022/2025

Possible Causes

  • Legitimate software installation creating Windows services
  • Windows Update installing system services or drivers
  • Administrative deployment of enterprise services via Group Policy or SCCM
  • Manual service installation using sc.exe or PowerShell commands
  • Malware installing persistence mechanisms through service creation
  • Third-party security software registering monitoring services
  • Device driver installations that include service components
  • Application updates that modify or recreate existing services

Troubleshooting Steps

Step 1: Review Event Details in Event Viewer

Start by examining the specific details of Event ID 7045 to understand what service was installed and by whom.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > System
  3. Filter for Event ID 7045 by right-clicking the System log and selecting Filter Current Log
  4. Enter 7045 in the Event IDs field and click OK
  5. Double-click on recent Event ID 7045 entries to examine details
  6. Review the General tab for service name, executable path, and startup type
  7. Check the Details tab for additional structured data including the user SID who installed the service
Pro tip: Pay special attention to services installed from unusual locations like %TEMP%, %APPDATA%, or system32 directories, as these often indicate malicious activity.

Step 2: Query Events with PowerShell

Use PowerShell to programmatically analyze Event ID 7045 patterns and extract detailed service installation information.

  1. Open PowerShell as Administrator
  2. Query recent service installations with this command:
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} -MaxEvents 50 | Select-Object TimeCreated, @{Name='ServiceName';Expression={$_.Properties[0].Value}}, @{Name='ImagePath';Expression={$_.Properties[1].Value}}, @{Name='ServiceType';Expression={$_.Properties[2].Value}}, @{Name='StartType';Expression={$_.Properties[3].Value}} | Format-Table -AutoSize
  3. For detailed analysis of a specific timeframe, use:
$StartTime = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$StartTime}
$Events | ForEach-Object {
    [PSCustomObject]@{
        Time = $_.TimeCreated
        ServiceName = $_.Properties[0].Value
        ImagePath = $_.Properties[1].Value
        ServiceType = $_.Properties[2].Value
        StartType = $_.Properties[3].Value
        UserSID = $_.UserId
    }
} | Export-Csv -Path "C:\Temp\ServiceInstallations.csv" -NoTypeInformation
Warning: Always investigate services with unusual executable paths or those installed outside of standard software deployment windows.

Step 3: Correlate with Process Creation Events

Cross-reference Event ID 7045 with process creation events to understand the installation context and identify the parent process responsible.

  1. Enable Process Creation auditing if not already active:
auditpol /set /subcategory:"Process Creation" /success:enable
  2. Query Event ID 4688 (Process Creation) around the time of service installation. Properties[5] is the new process name and Properties[8] the command line; the command line is only recorded when the "Include command line in process creation events" policy is enabled:
$ServiceInstallTime = (Get-Date "2026-03-18 14:30:00")
$TimeWindow = 300 # 5 minutes
$StartTime = $ServiceInstallTime.AddSeconds(-$TimeWindow)
$EndTime = $ServiceInstallTime.AddSeconds($TimeWindow)

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$StartTime; EndTime=$EndTime} | Where-Object {$_.Properties[5].Value -like "*sc.exe*" -or $_.Properties[5].Value -like "*powershell*" -or $_.Properties[5].Value -like "*installutil*"} | Select-Object TimeCreated, @{Name='ProcessName';Expression={$_.Properties[5].Value}}, @{Name='CommandLine';Expression={$_.Properties[8].Value}}
  3. Check for service installation via .NET InstallUtil:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$StartTime; EndTime=$EndTime} | Where-Object {$_.Properties[8].Value -like "*InstallUtil*"}
  4. Examine the Services registry key for additional details (replace SuspiciousServiceName with the name from the event):
Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Services" | Where-Object {$_.PSChildName -eq "SuspiciousServiceName"} | Get-ItemProperty

Step 4: Investigate Service Executable and Digital Signatures

Analyze the service executable file for legitimacy, digital signatures, and potential malicious indicators.

  1. Extract the service executable path from Event ID 7045 and verify its digital signature:
$ServicePath = "C:\Path\To\Service.exe"
$Signature = Get-AuthenticodeSignature -FilePath $ServicePath
Write-Host "Signature Status: $($Signature.Status)"
Write-Host "Signer: $($Signature.SignerCertificate.Subject)"
Write-Host "Timestamp: $($Signature.TimeStamperCertificate.NotAfter)"
  2. Check file properties and version information:
$FileInfo = Get-ItemProperty -Path $ServicePath
$VersionInfo = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($ServicePath)
Write-Host "File Version: $($VersionInfo.FileVersion)"
Write-Host "Product Name: $($VersionInfo.ProductName)"
Write-Host "Company Name: $($VersionInfo.CompanyName)"
Write-Host "File Description: $($VersionInfo.FileDescription)"
  3. Calculate the file hash for threat intelligence lookup:
$Hash = Get-FileHash -Path $ServicePath -Algorithm SHA256
Write-Host "SHA256 Hash: $($Hash.Hash)"
  4. Check whether the executable is in a suspicious location. The ImagePath recorded in the event is normally an expanded path, so match on directory names rather than on the literal %TEMP% or %APPDATA% variable names:
$SuspiciousPaths = @("\Temp\", "\AppData\", "C:\Users\", "C:\ProgramData\")
$IsSuspicious = $SuspiciousPaths | Where-Object {$ServicePath -like "*$_*"}
if ($IsSuspicious) {
    Write-Warning "Service executable is in a potentially suspicious location: $ServicePath"
}
Pro tip: Legitimate services typically reside in Program Files, Windows\System32, or vendor-specific directories and should have valid digital signatures from trusted publishers.

Step 5: Advanced Threat Hunting with Event Correlation

Implement advanced correlation techniques to identify sophisticated threats that use service installation as part of a larger attack chain.

  1. Create a comprehensive timeline of system events around service installation:
$TargetTime = (Get-Date "2026-03-18 14:30:00")
$TimeWindow = 1800 # 30 minutes
$StartTime = $TargetTime.AddSeconds(-$TimeWindow)
$EndTime = $TargetTime.AddSeconds($TimeWindow)

# Collect multiple event types (-ErrorAction SilentlyContinue: Get-WinEvent throws if a window holds no events)
$Events = @()
$Events += Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$StartTime; EndTime=$EndTime} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, @{Name='EventType';Expression={'ServiceInstall'}}, @{Name='Details';Expression={"Service: $($_.Properties[0].Value), Path: $($_.Properties[1].Value)"}}
$Events += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$StartTime; EndTime=$EndTime} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, @{Name='EventType';Expression={'ProcessCreation'}}, @{Name='Details';Expression={"Process: $($_.Properties[5].Value)"}}
$Events += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$StartTime; EndTime=$EndTime} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, @{Name='EventType';Expression={'Logon'}}, @{Name='Details';Expression={"User: $($_.Properties[5].Value), Type: $($_.Properties[8].Value)"}}

$Events | Sort-Object TimeCreated | Format-Table -AutoSize
  2. Analyze service installation patterns for anomalies:
# Check for multiple services installed in short timeframe
$RecentServices = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=(Get-Date).AddHours(-24)}
$ServicesByHour = $RecentServices | Group-Object {$_.TimeCreated.ToString("yyyy-MM-dd HH")} | Where-Object {$_.Count -gt 3}
if ($ServicesByHour) {
    Write-Warning "Unusual service installation activity detected:"
    $ServicesByHour | ForEach-Object {
        Write-Host "$($_.Name): $($_.Count) services installed"
    }
}
  3. Check for services with suspicious characteristics:
$SuspiciousServices = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=(Get-Date).AddDays(-7)} | Where-Object {
    $ServiceName = $_.Properties[0].Value
    $ImagePath = $_.Properties[1].Value
    
    # Flag services with suspicious names or paths
    ($ServiceName -match "[0-9]{8,}" -or 
     $ServiceName -match "^[a-f0-9]{32}$" -or
     $ImagePath -like "*\temp\*" -or
     $ImagePath -like "*\appdata\*" -or
     $ImagePath -like "*.tmp" -or
     $ServiceName.Length -lt 3)
}

if ($SuspiciousServices) {
    Write-Warning "Potentially malicious services detected:"
    $SuspiciousServices | ForEach-Object {
        Write-Host "Time: $($_.TimeCreated), Service: $($_.Properties[0].Value), Path: $($_.Properties[1].Value)"
    }
}
  4. Export findings for further analysis:
$Report = @()
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=(Get-Date).AddDays(-30)} | ForEach-Object {
    $Report += [PSCustomObject]@{
        Timestamp = $_.TimeCreated
        ServiceName = $_.Properties[0].Value
        ImagePath = $_.Properties[1].Value
        ServiceType = $_.Properties[2].Value
        StartType = $_.Properties[3].Value
        UserSID = $_.UserId
        Suspicious = ($_.Properties[1].Value -like "*\temp\*" -or $_.Properties[1].Value -like "*\appdata\*")
    }
}
$Report | Export-Csv -Path "C:\Temp\ServiceInstallationAnalysis.csv" -NoTypeInformation
Warning: Always correlate Event ID 7045 with network connections, file system changes, and registry modifications to build a complete picture of potential threats.
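The scripts in Steps 2 and 5 address event fields by Properties[] index. As an added example that is not the article's own code, the following reads the 7045 EventData fields by name from the event XML (including AccountName, the account the service runs as, which the steps above never extract) and reports only service/path pairs that are missing from a baseline exported earlier from a known-good host. The baseline CSV path is an assumed placeholder.

```powershell
# Added example, not the article's own code: read Event ID 7045 fields by name from the
# event XML (rather than by Properties[] index) and report only service/path pairs that
# are absent from a baseline exported earlier from a known-good host.
# Assumption: the baseline CSV path is a placeholder chosen by the operator.

function Get-ServiceInstallEvent {
    param([int]$Days = 7)
    $filter = @{LogName='System'; ProviderName='Service Control Manager'; Id=7045; StartTime=(Get-Date).AddDays(-$Days)}
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when the window holds no events
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData holds the same values as Properties[], but keyed by their field names
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time        = $_.TimeCreated
            Computer    = $_.MachineName
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
            ServiceType = $data['ServiceType']
            StartType   = $data['StartType']
            RunAs       = $data['AccountName']   # account the service runs under
            InstalledBy = $_.UserId              # SID of the installing principal, when recorded
        }
    }
}

function Get-ServiceKey {
    param([string]$Name, [string]$Path)
    # Name plus lower-cased path, so a renamed binary or a moved path surfaces as new
    "$Name|$($Path.ToLowerInvariant())"
}

function Export-ServiceBaseline {
    # Run once on a clean reference host; the output is the allowlist for the comparison below
    param([string]$Path, [int]$Days = 30)
    Get-ServiceInstallEvent -Days $Days | Select-Object ServiceName, ImagePath, RunAs -Unique |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-ServiceInstallBaseline {
    param([string]$BaselinePath, [int]$Days = 1)
    $known = @{}
    foreach ($row in (Import-Csv -Path $BaselinePath)) { $known[(Get-ServiceKey $row.ServiceName $row.ImagePath)] = $true }
    Get-ServiceInstallEvent -Days $Days | Where-Object { -not $known.ContainsKey((Get-ServiceKey $_.ServiceName $_.ImagePath)) }
}

# Usage (paths are placeholders):
# Export-ServiceBaseline -Path 'C:\Baselines\services.csv' -Days 30
# Compare-ServiceInstallBaseline -BaselinePath 'C:\Baselines\services.csv' -Days 1 | Format-Table -AutoSize
```

Anything the comparison returns is a service/path pair never seen on the reference host and is worth the signature and hash checks from Step 4.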

Overview

Event ID 7045 from the Service Control Manager fires whenever a new Windows service gets installed on your system. This informational event captures critical details about service creation including the service name, executable path, startup type, and the user account that initiated the installation.

This event appears in the System log and serves as a crucial audit trail for security teams monitoring unauthorized service installations. Malware frequently installs services for persistence, making Event ID 7045 a key indicator for threat hunting and incident response activities.

The event fires during legitimate software installations, Windows updates, and administrative service deployments. However, it also triggers when malicious software attempts to establish persistence through service creation. Security professionals rely on this event to detect suspicious service installations, especially those with unusual executable paths or running under privileged accounts.

Modern endpoint detection systems in 2026 heavily monitor this event for behavioral analysis, correlating service installations with process execution chains and network activity to identify potential threats.

Frequently Asked Questions

What does Event ID 7045 mean and why is it important for security?
Event ID 7045 indicates that a new Windows service has been installed on the system. This event is crucial for security monitoring because malware frequently uses service installation as a persistence mechanism. The event logs the service name, executable path, startup type, and installation context, providing security teams with visibility into both legitimate software deployments and potential threats. In 2026, this event remains one of the most monitored indicators for advanced persistent threats and commodity malware detection.

How can I distinguish between legitimate and malicious service installations in Event ID 7045?
Legitimate services typically have several characteristics: they're installed from Program Files or Windows directories, have valid digital signatures from trusted publishers, use descriptive service names, and are installed during business hours or maintenance windows. Malicious services often exhibit red flags like installation from temporary directories (%TEMP%, %APPDATA%), lack of digital signatures, random or cryptic service names, installation at unusual times, or executable paths in user directories. Always correlate the installation with recent software deployments or system changes.

Can Event ID 7045 help me track software deployments across my enterprise?
Yes, Event ID 7045 serves as an excellent audit trail for enterprise software deployments. By centralizing these events through Windows Event Forwarding or SIEM solutions, you can track which systems received new services, when installations occurred, and identify any deployment failures or unauthorized installations. This is particularly valuable for compliance reporting, change management, and ensuring consistent software deployment across your infrastructure. Modern enterprise monitoring solutions in 2026 heavily rely on this event for deployment tracking and security baseline maintenance.

What PowerShell commands are most effective for analyzing Event ID 7045 patterns?
The most effective PowerShell approach combines Get-WinEvent with custom filtering and correlation. Use 'Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}' for basic queries, then extract service details using the Properties array. For pattern analysis, group events by time periods to detect unusual installation bursts, filter by executable paths to identify suspicious locations, and correlate with Event ID 4688 (process creation) to understand installation context. Advanced analysis should include hash calculations, digital signature verification, and timeline correlation with other security events.

How should I configure monitoring and alerting for Event ID 7045 in my environment?
Configure monitoring to alert on specific patterns rather than every Event ID 7045, as legitimate software generates many of these events. Set up alerts for services installed from suspicious paths (temp directories, user folders), services with random names or no digital signatures, multiple service installations in short timeframes, or installations outside maintenance windows. Use Windows Event Forwarding to centralize events, implement SIEM rules for pattern detection, and establish baseline behavior to identify anomalies. In 2026, integrate with threat intelligence feeds to automatically flag known malicious service hashes or paths.
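As an added example that is not the article's own code, this subscribes to Event ID 7045 on a single host as each record is written and raises an alert only when the service binary sits outside trusted directories or is not validly signed, which is the "alert on patterns, not every event" approach described above. The trusted roots and the alert log path are assumed placeholders.

```powershell
# Added example, not the article's own code: watch Event ID 7045 in real time and report
# only installs whose binary is outside the trusted roots or is not validly signed.
# Assumptions: $TrustedRoots and $AlertLog are placeholders to adjust per environment.

$TrustedRoots = @("$env:ProgramFiles\", "${env:ProgramFiles(x86)}\", "$env:SystemRoot\")
$AlertLog = 'C:\Temp\Service7045Alerts.log'

function Resolve-ServiceImagePath {
    param([string]$ImagePath)
    # ImagePath may be quoted, carry arguments, use %SystemRoot%, or (for drivers) be
    # relative to the Windows directory or prefixed with \??\ ; normalize all of these
    $exe = if ($ImagePath -match '^"([^"]+)"') { $Matches[1] } else { ($ImagePath -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe) -replace '^\\\?\?\\', ''
    if ($exe -match '^\\SystemRoot\\(.*)$') { $exe = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($exe -notmatch '^[A-Za-z]:\\') { $exe = Join-Path $env:SystemRoot $exe }
    return $exe
}

function Test-ServiceInstallSuspicious {
    param([string]$ImagePath)
    $exe = Resolve-ServiceImagePath $ImagePath
    $inTrusted = [bool]($TrustedRoots | Where-Object { $exe -like "$_*" })
    $sig = if (Test-Path -LiteralPath $exe) { "$((Get-AuthenticodeSignature -FilePath $exe).Status)" } else { 'FileMissing' }
    [PSCustomObject]@{ Executable = $exe; InTrustedRoot = $inTrusted; Signature = $sig
                       Suspicious = (-not $inTrusted) -or ($sig -ne 'Valid') }
}

function Watch-ServiceInstall {
    # Blocks in the foreground and logs one line per suspicious install; Ctrl+C stops it
    $xpath = "*[System[Provider[@Name='Service Control Manager'] and EventID=7045]]"
    $query = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery('System', [System.Diagnostics.Eventing.Reader.PathType]::LogName, $xpath)
    $watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)
    Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -SourceIdentifier 'Svc7045' | Out-Null
    $watcher.Enabled = $true
    try {
        while ($true) {
            $e = Wait-Event -SourceIdentifier 'Svc7045'
            $rec = $e.SourceEventArgs.EventRecord
            $v = Test-ServiceInstallSuspicious -ImagePath $rec.Properties[1].Value
            if ($v.Suspicious) {
                $line = "$($rec.TimeCreated) service=$($rec.Properties[0].Value) exe=$($v.Executable) signature=$($v.Signature) trustedRoot=$($v.InTrustedRoot)"
                Add-Content -Path $AlertLog -Value $line
                Write-Warning $line
            }
            Remove-Event -EventIdentifier $e.EventIdentifier
        }
    } finally {
        Unregister-Event -SourceIdentifier 'Svc7045'
    }
}
```

Run Watch-ServiceInstall from an elevated session; the same XPath filter can be reused as the query of a Windows Event Forwarding subscription when the events are centralized.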
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
