The Windows event log contains masses of valuable information. Using the event log scanning, you can find exactly when and which service was installed along with all the details of where it was installed, in what state and also by who. Scanning this on high-value assets is important to prevent unauthorized services that are not planned from being installed. You can read more about this use case in the Pro Tips #8 blog post.
To scan this event, configuration is required. Please follow the configuration steps in the Pro Tips #8 blog post.
This audit will provide you with a complete overview of all events with event ID 4697 that meet the following requirements:
All events where “Service File Name” is not located in %windir% or “Program Files/Program Files (x86)” folders. Typically new services are located in these folders.
All “Service Type” equals “0x1”, “0x2” or “0x8”. These service types start first and have almost unlimited access to the operating system from the beginning of the operating system startup. These types are very rarely installed.
All “Service Start Type” equals “0” or “1”. These service start types are used by drivers, which have unlimited access to the operating system.
All “Service Start Type” equals “4”. It is not common to install a new service in the Disabled state.
All “Service Account” not equals “localSystem”, “localService” or “networkService” to identify services which are running under a user account.
Service Installed Event Query
Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblNtlog.Eventcode,
tblNtlogSource.Sourcename,
tblNtlogMessage.Message,
tblNtlog.TimeGenerated,
Case
When tblErrors.ErrorText Is Not Null Or
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
tblAssets.Lastseen,
tblAssets.Lasttried
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Where (tblNtlog.Eventcode = 4697 And tblNtlogMessage.Message Not Like '%windir%'
And tblNtlogMessage.Message Not Like '%Program Files%' And
tblAssetCustom.State = 1) Or
(tblNtlog.Eventcode = 4697 And
(tblNtlogMessage.Message Like '%Service Type:___0x1[^0-9]%' Or
tblNtlogMessage.Message Like '%Service Type:___0x2[^0-9]%' Or
tblNtlogMessage.Message Like '%Service Type:___0x8[^0-9]%') And
tblAssetCustom.State = 1) Or
(tblNtlog.Eventcode = 4697 And
(tblNtlogMessage.Message Like '%Service Start Type:_4[^0-9]%' Or
tblNtlogMessage.Message Like '%Service Start Type:_0[^0-9]%' Or
tblNtlogMessage.Message Like '%Service Start Type:_1[^0-9]%') And
tblAssetCustom.State = 1) Or
(tblNtlog.Eventcode = 4697 And tblNtlogMessage.Message Not Like
'%Service Account:___localSystem%' And tblNtlogMessage.Message Not
Like '%Service Account:____localService%' And tblNtlogMessage.Message Not
Like '%Service Account:___networkService%' And tblAssetCustom.State = 1)
Order By tblAssets.Domain,
tblAssets.AssetName
