Services

File Location:

• C:\Windows\config\SYSTEM

Service Registry Location:

• HKLM\SYSTEM\CurrentControlSet\Services

Parse Data

Considerations

Audit Logs

System.evtx

• 7034: Service crashed unexpectedly

• 7035: Service sent a Start/Stop control

• 7040: Service started or stopped

• 7045: A new service was installed on the system (Win2008R2+).

Security.evtx

• 4697: A new service was installed on the system (Security log).

Remote Artifacts

Anti-Forensics

Hiding Services:

SANS Cyber Security Certifications & Research

Defense Spotlight: Finding Hidden Windows Services | SANS Institute