Service Control Manager
91 events across 1 channel
Event ID 7000: The param1 service failed to start due to the following error:
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| __binLength | | |
| BinaryData | | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
"event_source_name": "",
"event_id": 7000,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T16:32:53.9016913+00:00",
"event_record_id": 6718,
"correlation": {},
"execution": {
"process_id": 804,
"thread_id": 844
},
"channel": "System",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "luafv",
"param2": "%%1275"
},
"message": "The luafv service failed to start due to the following error: \r\nThis driver has been blocked from loading"
}
Event ID 7001: The param1 service depends on the param2 service which failed to start because of the following error:
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| param3 | UnicodeString | |
| __binLength | | |
| BinaryData | | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
"event_source_name": "Service Control Manager",
"event_id": 7001,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-04T08:05:16.553984+00:00",
"event_record_id": 819,
"correlation": {},
"execution": {
"process_id": 604,
"thread_id": 5640
},
"channel": "System",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "Microsoft Defender Antivirus Network Inspection Service",
"param2": "Microsoft Defender Antivirus Network Inspection System Driver",
"param3": "%%1062",
"Binary": "570064004E00690073005300760063000000"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7002: The param1 service depends on the param2 group and no member of this group started
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| __binLength | UInt32 | |
| BinaryData | Binary | |
Event ID 7003: The param1 service depends on the following service:
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| __binLength | UInt32 | |
| BinaryData | Binary | |
Event ID 7005: The param1 call failed with the following error:
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
Event ID 7006: The param1 call failed for param2 with the following error:
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| param3 | UnicodeString | |
Event ID 7007: The system reverted to its last known good configuration
Example Event
{
"system": {
"provider": "Service Control Manager",
"event_id": 7007,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-17T19:22:46.0073056+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {}
}
Event ID 7008: No backslash is in the account name
Event ID 7009: A timeout was reached (param1 milliseconds) while waiting for the param2 service to connect
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| __binLength | | |
| BinaryData | | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
"event_source_name": "",
"event_id": 7009,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-06-13T14:46:49.0019786+00:00",
"event_record_id": 4626,
"correlation": {},
"execution": {
"process_id": 752,
"thread_id": 1976
},
"channel": "System",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "30000",
"param2": "EtwGenPnpSvc"
},
"message": "A timeout was reached (30000 milliseconds) while waiting for the EtwGenPnpSvc service to connect."
}
Event ID 7010: A timeout (param1 milliseconds) was reached while waiting for ReadFile
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
Event ID 7011: A timeout (param1 milliseconds) was reached while waiting for a transaction response from the param2 service
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
"event_source_name": "Service Control Manager",
"event_id": 7011,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2016-08-18T15:43:00.939453Z",
"event_record_id": 5503,
"correlation": {},
"execution": {
"process_id": 476,
"thread_id": 200
},
"channel": "System",
"computer": "IE10Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "30000",
"param2": "ShellHWDetection"
}
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7012: The message returned in the transaction has incorrect size
Event ID 7013: Logon attempt with current password failed with the following error:
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
Event ID 7014: Second logon attempt with old password also failed with the following error:
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
Event ID 7016: The param1 service has reported an invalid current state
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
Event ID 7017: Detected circular dependencies demand starting
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| __binLength | UInt32 | |
| BinaryData | Binary | |
Event ID 7018: Detected circular dependencies auto-starting services
Event ID 7019: The param1 service depends on a service in a group which starts later
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| __binLength | UInt32 | |
| BinaryData | Binary | |
Event ID 7020: The param1 service depends on a group which starts later
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| __binLength | UInt32 | |
| BinaryData | Binary | |
Event ID 7021: About to revert to the last known good configuration because the param1 service failed to start
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
Event ID 7022: The param1 service hung on starting
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| __binLength | | |
| BinaryData | | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
"event_source_name": "Service Control Manager",
"event_id": 7022,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-03-04T08:47:55.688837+00:00",
"event_record_id": 154,
"correlation": {},
"execution": {
"process_id": 596,
"thread_id": 2804
},
"channel": "System",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "Network Connection Broker",
"Binary": "4E006300620053006500720076006900630065000000"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7023: The param1 service terminated with the following error:
Fields
| Name | Type | Description | Rules |
|---|---|---|---|
| param1 | UnicodeString | | 8 |
| param2 | UnicodeString | | |
| __binLength | | | |
| BinaryData | | | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
"event_source_name": "",
"event_id": 7023,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-06-13T05:08:37.7386929+00:00",
"event_record_id": 7303,
"correlation": {},
"execution": {
"process_id": 832,
"thread_id": 7172
},
"channel": "System",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "SMB Witness",
"param2": "%%1753"
},
"message": "The SMB Witness service terminated with the following error: \r\nThere are no more endpoints available from the endpoint mapper."
}
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Provider_Name | eq | Service Control Manager | 2 rules | sigma |
Detection Rules
Sigma
- Windows Service Terminated With Error (level: low): Detects Windows services that got terminated for whatever reason
- Important Windows Service Terminated With Error (level: high): Detects important or interesting Windows services that got terminated for whatever reason
Event ID 7024: The param1 service terminated with the following service-specific error:
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| __binLength | UInt32 | |
| BinaryData | Binary | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
"event_source_name": "Service Control Manager",
"event_id": 7024,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2025-12-31T19:34:50.495914+00:00",
"event_record_id": 320,
"correlation": {},
"execution": {
"process_id": 844,
"thread_id": 1716
},
"channel": "System",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "Background Intelligent Transfer Service",
"param2": "%%2147943515",
"Binary": "42004900540053000000"
},
"message": ""
}
Event ID 7026: The following boot-start or system-start driver(s) did not load:
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
"event_source_name": "",
"event_id": 7026,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-29T16:33:26.7146776+00:00",
"event_record_id": 6793,
"correlation": {},
"execution": {
"process_id": 804,
"thread_id": 808
},
"channel": "System",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "\ndam"
},
"message": "The following boot-start or system-start driver(s) did not load: \r\ndam"
}
Event ID 7027: Windows could not be started as configured
Event ID 7028: The param1 Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
Event ID 7029: Service Control Manager
Event ID 7030: The param1 service is marked as an interactive service
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
"event_source_name": "",
"event_id": 7030,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-04-18T00:26:39.6386558+00:00",
"event_record_id": 177,
"correlation": {},
"execution": {
"process_id": 828,
"thread_id": 4952
},
"channel": "System",
"computer": "USERUSE-I0E7KUG",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "Printer Extensions and Notifications"
},
"message": "The Printer Extensions and Notifications service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly."
}
Event ID 7031: The param1 service terminated unexpectedly
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| param3 | UnicodeString | |
| param4 | UnicodeString | |
| param5 | UnicodeString | |
| __binLength | UInt32 | |
| BinaryData | Binary | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
"event_source_name": "Service Control Manager",
"event_id": 7031,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T23:10:29.710970+00:00",
"event_record_id": 12403,
"correlation": {},
"execution": {
"process_id": 928,
"thread_id": 13104
},
"channel": "System",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "Active Directory Federation Services",
"param2": "1",
"param3": "120000",
"param4": "1",
"param5": "Restart the service",
"Binary": "61006400660073007300720076000000"
},
"message": ""
}
Event ID 7032: The Service Control Manager tried to take a corrective action (param2) after the unexpected termination of the param3 service, but this action failed with the following error:
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| param3 | UnicodeString | |
| param4 | UnicodeString | |
Event ID 7034: The param1 service terminated unexpectedly
Fields
| Name | Type | Description | Rules |
|---|---|---|---|
| param1 | UnicodeString | | 1 |
| param2 | UnicodeString | | |
| __binLength | | | |
| BinaryData | | | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
"event_source_name": "Service Control Manager",
"event_id": 7034,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2023-10-25T22:56:14.228587+00:00",
"event_record_id": 1465,
"correlation": {},
"execution": {
"process_id": 800,
"thread_id": 7704
},
"channel": "System",
"computer": "WinDevEval",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "OpenSSH SSH Server",
"param2": "1",
"Binary": "73007300680064000000"
},
"message": ""
}
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Provider_Name | eq | Service Control Manager | 1 rule | sigma |
Detection Rules
Sigma
- Important Windows Service Terminated Unexpectedly (level: high): Detects important or interesting Windows services that got terminated unexpectedly.
References
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd349369(v=ws.10)
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7035: The param1 service was successfully sent a param2 control
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
Event ID 7036: The Microsoft Software Shadow Copy Provider service entered the stopped state.
Fields
| Name | Type | Description | Rules |
|---|---|---|---|
| param1 | UnicodeString | | 2 |
| param2 | UnicodeString | | 3 |
| __binLength | | | |
| BinaryData | | | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
"event_source_name": "",
"event_id": 7036,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-05-30T01:03:50.8900253+00:00",
"event_record_id": 6904,
"correlation": {},
"execution": {
"process_id": 804,
"thread_id": 1480
},
"channel": "System",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "Software Protection",
"param2": "stopped"
},
"message": "The Software Protection service entered the stopped state."
}
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Provider_Name | eq | Service Control Manager | 3 rules | sigma |
| param2 | eq | stopped | 2 rules | sigma, splunk |
| ServiceName | contains | cachedump | 1 rule | kusto, sigma |
| ServiceName | contains | pwdump | 1 rule | kusto, sigma |
| ServiceName | contains | wceservice | 1 rule | kusto, sigma |
| ServiceName | contains | ammyyadmin | 1 rule | sigma |
| ServiceName | contains | atera | 1 rule | sigma |
| ServiceName | contains | basupportexpresssrvcupdater | 1 rule | sigma |
| ServiceName | contains | basupportexpressstandaloneservice | 1 rule | sigma |
| ServiceName | contains | chromoting | 1 rule | sigma |
| ServiceName | contains | gotoassist | 1 rule | sigma |
| ServiceName | contains | gotomypc | 1 rule | sigma |
| ServiceName | contains | jumpcloud | 1 rule | sigma |
| ServiceName | contains | lmiguardiansvc | 1 rule | sigma |
| ServiceName | contains | logmein | 1 rule | sigma |
Detection Rules
Sigma
- Windows Defender Threat Detection Service Disabled (level: medium): Detects when the "Windows Defender Threat Protection" service is disabled.
Splunk
- First Time Seen Running Windows Service: The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the "running" state. This activity is…
- Windows Cisco Secure Endpoint Related Service Stopped: The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume…
- Windows Security And Backup Services Stop: The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume…
Event ID 7037: The Service Control Manager encountered an error undoing a configuration change to the param1 service
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
Event ID 7038: The param1 service was unable to log on as param2 with the currently configured password due to the following error:
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| param3 | UnicodeString | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
"event_source_name": "Service Control Manager",
"event_id": 7038,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T19:07:40.053438+00:00",
"event_record_id": 10993,
"correlation": {},
"execution": {
"process_id": 864,
"thread_id": 13408
},
"channel": "System",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "wlidsvc",
"param2": "NT AUTHORITY\\SYSTEM",
"param3": "%%1722"
},
"message": ""
}
Event ID 7039: A service process other than the one launched by the Service Control Manager connected when starting the param1 service
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| param3 | UnicodeString | |
Event ID 7040: The start type of the msdsm service was changed from boot start to demand start.
Fields
| Name | Type | Description | Rules |
|---|---|---|---|
| param1 | UnicodeString | | 3 |
| param2 | UnicodeString | | |
| param3 | UnicodeString | | 2 |
| param4 | UnicodeString | | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
"event_source_name": "",
"event_id": 7040,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-06-13T13:35:28.6930582+00:00",
"event_record_id": 8618,
"correlation": {},
"execution": {
"process_id": 864,
"thread_id": 3192
},
"channel": "System",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"param1": "Cluster Disk Driver",
"param2": "demand start",
"param3": "system start",
"param4": "ClusDisk"
},
"message": "The start type of the Cluster Disk Driver service was changed from demand start to system start."
}
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| count | ge | 10 | 1 rule | splunk |
Detection Rules
Splunk
- Windows Event For Service Disabled: The following analytic detects when a Windows service is modified from a start type to disabled. It leverages system event logs, specifically EventCode 7040, to identify this change. This activity is significant because adversaries often…
- Windows Excessive Disabled Services Event: The following analytic identifies an excessive number of system events where services are modified from start to disabled. It leverages Windows Event Logs (EventCode 7040) to detect multiple service state changes on a single host. This…
- Windows Service Stop Win Updates: The following analytic detects the disabling of Windows Update services, such as "Update Orchestrator Service for Windows Update," "WaaSMedicSvc," and "Windows Update." It leverages Windows System Event ID 7040 logs to identify changes in…
Event ID 7041: The param1 service was unable to log on as param2 with the currently configured password due to the following error:
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
"event_source_name": "Service Control Manager",
"event_id": 7041,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2026-03-13T20:17:37.908345+00:00",
"event_record_id": 11763,
"correlation": {},
"execution": {
"process_id": 960,
"thread_id": 9408
},
"channel": "System",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "EvtGenSvc",
"param2": ".\\domainadmin"
},
"message": ""
}
Event ID 7042: The param1 service was successfully sent a param2 control
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| param3 | UnicodeString | |
| param4 | UnicodeString | |
| param5 | UnicodeString | |
| __binLength | | |
| BinaryData | | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
"event_source_name": "Service Control Manager",
"event_id": 7042,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-04T12:00:04.609673+00:00",
"event_record_id": 1436,
"correlation": {},
"execution": {
"process_id": 604,
"thread_id": 3184
},
"channel": "System",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"param1": "TCP/IP NetBIOS Helper",
"param2": "stop",
"param3": "0x40030011",
"param4": "Operating System: Network Connectivity (Planned)",
"param5": "None",
"Binary": "6C006D0068006F007300740073000000"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7043: The param1 service did not shut down properly after receiving a preshutdown control
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| __binLength | | |
| BinaryData | | |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
"event_source_name": "Service Control Manager",
"event_id": 7043,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9259400833873739776,
"time_created": "2022-04-04T13:06:45.664309+00:00",
"event_record_id": 1473,
"correlation": {
"ActivityID": "CDD19977-4814-0000-6779-D2CD1448D801"
},
"execution": {
"process_id": 604,
"thread_id": 512
},
"channel": "System",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": ""
}
},
"event_data": {
"param1": "Update Orchestrator Service",
"Binary": "550073006F005300760063000000"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7044: The following service is taking more than param2 minutes to start and may have stopped responding:
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| __binLength | UInt32 | |
| BinaryData | Binary | |
Event ID 7045: A service was installed in the system.
Fields
| Name | Type | Description | Rules |
|---|---|---|---|
| ServiceName | UnicodeString | Name of the installed service | 43 |
| ImagePath | UnicodeString | Full path to the executable run when the service is started | 143 |
| ServiceType | UnicodeString | Known values | 4 |
| StartType | UnicodeString | Known values | |
| AccountName | UnicodeString | | 1 |
Example Event
{
"system": {
"provider": "Service Control Manager",
"guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
"event_source_name": "",
"event_id": 7045,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9187343239835811840,
"time_created": "2026-06-13T05:51:28.3169110+00:00",
"event_record_id": 6965,
"correlation": {},
"execution": {
"process_id": 804,
"thread_id": 6384
},
"channel": "System",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ServiceName": "KslD",
"ImagePath": "system32\\drivers\\wd\\KslD.sys",
"ServiceType": "kernel mode driver",
"StartType": "demand start",
"AccountName": ""
},
"message": "A service was installed in the system.\r\n\r\nService Name: KslD\r\nService File Name: system32\\drivers\\wd\\KslD.sys\r\nService Type: kernel mode driver\r\nService Start Type: demand start\r\nService Account: "
}
Common Indicators
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Provider_Name | eq | Service Control Manager | 46 rules | sigma |
| ImagePath | contains | cmd | 5 rules | sigma |
| ImagePath | contains | powershell | 5 rules | sigma |
| ImagePath | contains | && | 4 rules | sigma |
| ImagePath | contains | /c | 4 rules | sigma |
| ImagePath | contains | rundll32 | 4 rules | sigma |
| ServiceName | eq | KrbSCM | 3 rules | sigma, splunk |
| ImagePath | contains | cachedump | 2 rules | kusto, sigma |
| ImagePath | contains | fgexec | 2 rules | kusto, sigma |
| ImagePath | contains | mimidrv | 2 rules | kusto, sigma |
| ImagePath | contains | pwdump | 2 rules | kusto, sigma |
| ServiceName | contains | cachedump | 2 rules | kusto, sigma |
| ServiceName | contains | mimidrv | 2 rules | kusto, sigma |
| ServiceName | contains | mimikatz | 2 rules | kusto, sigma |
| ServiceName | contains | pwdump | 2 rules | kusto, sigma |
Detection Rules
Sigma
- CobaltStrike Service Installations - System source critical: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
- smbexec.py Service Installation source high: Detects the use of smbexec.py tool by detecting a specific service installation
- Invoke-Obfuscation CLIP+ Launcher - System source high: Detects Obfuscated use of Clip.exe to execute PowerShell
Show 17 more (48 total)
- Invoke-Obfuscation Obfuscated IEX Invocation - System source high: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
- Invoke-Obfuscation STDIN+ Launcher - System source high: Detects Obfuscated use of stdin to execute PowerShell
- Invoke-Obfuscation VAR+ Launcher - System source high: Detects Obfuscated use of Environment Variables to execute PowerShell
- Invoke-Obfuscation COMPRESS OBFUSCATION - System source medium: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
- Invoke-Obfuscation RUNDLL LAUNCHER - System source medium: Detects Obfuscated Powershell via RUNDLL LAUNCHER
- Invoke-Obfuscation Via Stdin - System source high: Detects Obfuscated Powershell via Stdin in Scripts
- Invoke-Obfuscation Via Use Clip - System source high: Detects Obfuscated Powershell via use Clip.exe in Scripts
- Invoke-Obfuscation Via Use MSHTA - System source high: Detects Obfuscated Powershell via use MSHTA in Scripts
- Invoke-Obfuscation Via Use Rundll32 - System source high: Detects Obfuscated Powershell via use Rundll32 in Scripts
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System source high: Detects Obfuscated Powershell via VAR++ LAUNCHER
- KrbRelayUp Service Installation source high: Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
- Credential Dumping Tools Service Execution - System source high: Detects well-known credential dumping tools execution via service execution events
- Meterpreter or Cobalt Strike Getsystem Service Installation - System source high: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
- Moriya Rootkit - System source critical: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
- PowerShell Scripts Installed as Services source high: Detects powershell script installed as a Service
- Anydesk Remote Access Software Service Installation source medium: Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
- CSExec Service Installation source medium: Detects CSExec service installation and execution events
Splunk # view in coverage
- Clop Ransomware Known Service Name source: The following analytic identifies the creation of a service with a known name used by CLOP ransomware for persistence and high-privilege code execution. It detects this activity by monitoring Windows Event Logs (EventCode 7045) for…
- Malicious Powershell Executed As A Service source: The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific…
- Randomly Generated Windows Service Name source: The following analytic detects the installation of a Windows Service with a suspicious, high-entropy name, indicating potential malicious activity. It leverages Event ID 7045 and the
ut_shannonfunction from the URL ToolBox Splunk…
Show 12 more (15 total)
- Windows Bluetooth Service Installed From Uncommon Location source: Identifies the creation of a Windows service named "BluetoothService" with a binary path in user-writable directories, particularly %AppData%\Bluetooth. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where…
- Windows Driver Load Non-Standard Path source: The following analytic detects the loading of new Kernel Mode Drivers from non-standard paths using Windows EventCode 7045. It identifies drivers not located in typical directories like Windows, Program Files, or SystemRoot. This activity…
- Windows KrbRelayUp Service Creation source: The following analytic detects the creation of a service with the default name "KrbSCM" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is…
- Windows Service Create RemComSvc source: The following analytic detects the creation of the RemComSvc service on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It leverages Windows EventCode 7045 from the System event log, specifically looking for the…
- Windows Service Create SliverC2 source: The following analytic detects the creation of a Windows service named "Sliver" with the description "Sliver Implant," indicative of SliverC2 lateral movement using the PsExec module. It leverages Windows EventCode 7045 from the System…
- Windows Service Created with Suspicious Service Name source: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity…
- Windows Service Created with Suspicious Service Path source: The following analytic detects the creation of a Windows Service with a binary path located in uncommon directories, using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify services installed outside…
- Windows Snake Malware Service Create source: The following analytic detects the creation of a new service named WerFaultSvc with a binary path in the Windows WinSxS directory. It leverages Windows System logs, specifically EventCode 7045, to identify this activity. This behavior is…
- Windows Vulnerable Driver Installed source: The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Windows System service install EventCode 7045 to identify driver…
- Kernel Service Installed - Windows (Windows Event Log) source: Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).…
- PSexec Service Creation (Windows Event Log) source: Detect creation of service for PSexec, as seen with Impackets PSexec.py or PSexec execution
- Service Created containing Command Shell (Windows Event Log) source: This use case detects when a service has been created (event 7045) containing PowerShell or cmd commands
Kusto #
- Credential Dumping Tools - Service Installation source high: This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.
YARA-L #
- Suspicious Windows Service Installation Detected source: This detection rule identifies the creation of a Windows service with a suspicious or known malicious name, as logged by Windows Event ID 7045 (A service was installed in the system). Threat actors, including those associated with ransomware and other advanced persistent threats (APTs), often create services to achieve persistence, lateral movement, remote execution, or privilege escalation. Detection of such activity is critical for identifying early-stage post-compromise behavior.
Event ID 7046: The following service has repeatedly stopped responding to service control requests:
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
Event ID 1073748859: The param1 service was successfully sent a param2 control.
Event ID 1073748860: The param1 service entered the param2 state.
Description
The param1 service entered the param2 state.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| BinaryData | Binary | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7036,
"level": "Information",
"task": null,
"opcode": null,
"time_created": "2026-05-27T17:33:55.6315440+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"param1": "Network Setup Service",
"param2": "stopped"
}
}
Event ID 1073748864: The start type of the param1 service was changed from param2 to param3.
Description
The start type of the param1 service was changed from param2 to param3.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| param3 | UnicodeString | |
| param4 | UnicodeString | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7040,
"level": "Information",
"task": null,
"opcode": null,
"time_created": "2026-05-25T03:56:12.3421729+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"param4": "BITS",
"param2": "auto start",
"param1": "Background Intelligent Transfer Service",
"param3": "demand start"
}
}
Event ID 1073748866: The param1 service was successfully sent a param2 control.
Description
The param1 service was successfully sent a param2 control.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| param3 | UnicodeString | |
| param4 | UnicodeString | |
| param5 | UnicodeString | |
| BinaryData | Binary | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7042,
"level": "Information",
"task": null,
"opcode": null,
"time_created": "2026-03-13T20:18:51.2690981+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"param5": "None",
"param4": "Operating System: Network Connectivity (Planned)",
"param2": "stop",
"param1": "TCP/IP NetBIOS Helper",
"param3": "0x40030011"
}
}
Event ID 1073748869: A service was installed in the system.
Description
A service was installed in the system.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ServiceName | UnicodeString | |
| ImagePath | UnicodeString | |
| ServiceType | UnicodeString | Known values |
| StartType | UnicodeString | Known values |
| AccountName | UnicodeString | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7045,
"level": "Information",
"task": null,
"opcode": null,
"time_created": "2026-05-24T22:40:17.7122639+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"ServiceName": "KslD",
"AccountName": null,
"StartType": "demand start",
"ServiceType": "kernel mode driver",
"ImagePath": "system32\\drivers\\wd\\KslD.sys"
}
}
Event ID 2147490687: A service process other than the one launched by the Service Control Manager connected when starting the param1 service.
Description
A service process other than the one launched by the Service Control Manager connected when starting the param1 service. The Service Control Manager launched process param2 and process param3 connected instead.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| param3 | UnicodeString | |
Event ID 2147490692: The following service is taking more than param2 minutes to start and may have stopped responding: param1 Contact your system administrator or service vend...
Event ID 2147490694: The following service has repeatedly stopped responding to service control requests: param1 Contact the service vendor or the system administrator abou...
Event ID 2147490695: The following services failed to start during a run level switch: {Failed Service Names}Please start the services manually and retry the run level ...
Message #
Event ID 3221232472: The param1 service failed to start due to the following error: param2.
Description
The param1 service failed to start due to the following error.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| BinaryData | Binary | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7000,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-04-23T08:40:26.2875562+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"param1": "luafv",
"param2": "%%1275"
}
}
Event ID 3221232473: The param1 service depends on the param2 service which failed to start because of the following error: param3.
Description
The param1 service depends on the param2 service which failed to start because of the following error.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| param3 | UnicodeString | |
| BinaryData | Binary | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7001,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-04-23T08:40:34.9757061+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"param2": "RemoteRegistry",
"param1": "Dfs",
"param3": "%%1058"
}
}
Event ID 3221232474: The param1 service depends on the param2 group and no member of this group started.
Event ID 3221232475: The param1 service depends on the following service: param2.
Event ID 3221232477: The param1 call failed with the following error: param2.
Event ID 3221232478: The param1 call failed for param2 with the following error: param3.
Event ID 3221232479: The system reverted to its last known good configuration.
Description
The system reverted to its last known good configuration. The system is restarting....
Message #
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7007,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-17T19:22:46.0073056+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {}
}
Event ID 3221232480: No backslash is in the account name.
Description
No backslash is in the account name. The account name must be in the form: domain\user.
Message #
Event ID 3221232481: A timeout was reached (param1 milliseconds) while waiting for the param2 service to connect.
Description
A timeout was reached (param1 milliseconds) while waiting for the param2 service to connect.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| BinaryData | Binary | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7009,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-13T20:18:33.1780438+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"param1": "30000",
"param2": "EvtGen Test Service 1"
}
}
Event ID 3221232482: A timeout (param1 milliseconds) was reached while waiting for ReadFile.
Event ID 3221232483: A timeout (param1 milliseconds) was reached while waiting for a transaction response from the param2 service.
Event ID 3221232484: The message returned in the transaction has incorrect size.
Description
The message returned in the transaction has incorrect size.
Message #
Event ID 3221232485: Logon attempt with current password failed with the following error.
Event ID 3221232486: Second logon attempt with old password also failed with the following error.
Event ID 3221232487: Boot-start or system-start driver ({param1}) must not depend on a service.
Event ID 3221232488: The param1 service has reported an invalid current state param2.
Event ID 3221232489: Detected circular dependencies demand starting param1.
Event ID 3221232490: Detected circular dependencies auto-starting services.
Description
Detected circular dependencies auto-starting services. Check the service dependency tree.
Message #
Event ID 3221232491: The param1 service depends on a service in a group which starts later.
Description
The param1 service depends on a service in a group which starts later. Change the order in the service dependency tree to ensure that all services required to start this service are starting before this service is started.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| BinaryData | Binary | |
Event ID 3221232492: The param1 service depends on a group which starts later.
Event ID 3221232493: About to revert to the last known good configuration because the param1 service failed to start.
Event ID 3221232494: The param1 service hung on starting.
Event ID 3221232495: The param1 service terminated with the following error: param2.
Description
The param1 service terminated with the following error.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| BinaryData | Binary | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7023,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-17T19:23:53.2795014+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"param1": "SysMain",
"param2": "%%87"
}
}
Event ID 3221232496: The param1 service terminated with the following service-specific error: param2.
Description
The param1 service terminated with the following service-specific error.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| BinaryData | Binary | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7024,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-17T19:22:45.9604304+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"param1": "mpssvc",
"param2": "%%1747"
}
}
Event ID 3221232497: At least one service or driver failed during system startup.
Description
At least one service or driver failed during system startup. Use Event Viewer to examine the event log for details.
Message #
Event ID 3221232498: The following boot-start or system-start driver(s) did not load: param1.
Description
The following boot-start or system-start driver(s) did not load: param1.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7026,
"level": "Information",
"task": null,
"opcode": null,
"time_created": "2026-04-23T08:41:06.4457410+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"param1": "\ndam"
}
}
Event ID 3221232499: Windows could not be started as configured.
Description
Windows could not be started as configured. Starting Windows using a previous working configuration.
Message #
Event ID 3221232500: The param1 Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.
Event ID 3221232502: The param1 service is marked as an interactive service.
Description
The param1 service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7030,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-13T20:18:02.9535937+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"param1": "EvtGenSvc3"
}
}
Event ID 3221232503: The param1 service terminated unexpectedly.
Description
The param1 service terminated unexpectedly. It has done this param2 time(s). The following corrective action will be taken in param3 milliseconds: param5.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| param3 | UnicodeString | |
| param4 | UnicodeString | |
| param5 | UnicodeString | |
| BinaryData | Binary | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7031,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-15T04:27:06.7209807+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"param5": "Restart the service",
"param4": "1",
"param2": "1",
"param1": "COM+ System Application",
"param3": "1000"
}
}
Event ID 3221232504: The Service Control Manager tried to take a corrective action (param2) after the unexpected termination of the param3 service, but this action failed with ...
Event ID 3221232505: The Service Control Manager did not initialize successfully.
Event ID 3221232506: The param1 service terminated unexpectedly.
Description
The param1 service terminated unexpectedly. It has done this param2 time(s).
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| BinaryData | Binary | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7034,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-18T02:10:57.0237119+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"param1": "Elastic Winlogbeat 9.2.3",
"param2": "1"
}
}
Event ID 3221232509: The Service Control Manager encountered an error undoing a configuration change to the param1 service.
Description
The Service Control Manager encountered an error undoing a configuration change to the param1 service. The service's param2 is currently in an unpredictable state. If you do not correct this configuration, you may not be able to restart the param1 service or may encounter other errors. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
Event ID 3221232510: The param1 service was unable to log on as param2 with the currently configured password due to the following error.
Description
The param1 service was unable to log on as param2 with the currently configured password due to the following error.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| param3 | UnicodeString | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7038,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-17T19:22:45.9604304+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"param2": "NT Authority\\LocalService",
"param1": "SstpSvc",
"param3": "%%50"
}
}
Event ID 3221232513: The Service service was unable to log on as DomainAndAccount with the currently configured password due to the following error: Logon failure: the user has not been g...
Description
The Service service was unable to log on as DomainAndAccount with the currently configured password due to the following error.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7041,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-13T20:17:37.9083450+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"param1": "EvtGenSvc",
"param2": ".\\domainadmin"
}
}
Event ID 3221232515: The param1 service did not shut down properly after receiving a preshutdown control.
Description
The param1 service did not shut down properly after receiving a preshutdown control.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| BinaryData | Binary | |
Example Event #
{
"system": {
"provider": "Service Control Manager",
"event_id": 7043,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-04-23T15:32:23.2781270+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"param1": "Windows Defender Advanced Threat Protection Service"
}
}
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 555908d1-a6d7-4695-8e1e-26931d2012f4
Defined in services.exe, which carries the event manifest.
Observed on:
- WS2022-20348.4893 · schema read from the registered manifest · binary version 10.0.20348.1 · captured 2026-06-02
- Win11-26200.6584 · schema read from the registered manifest · binary version 10.0.26100.1 · captured 2026-06-02