EventID 601 - Attempt to install service [Win 2003]
Indicates a user attempt to install a service. 

Note:
This event is not logged on Windows 2000 / XP systems.
This event should not occur often in a business environment with a clearly defined acceptable applications policy and system standardization process. In such environments, an occurrence that does not correlate with change control processes should prompt an investigation.

Find more information about this event on ultimatewindowssecurity.com.

The codes in the Service Type field are described in the table below:

| Service Type | Value | Description |
|---|---|---|
| Adapter | 4 | A service for a hardware device that requires its own driver. |
| FileSystemDriver | 2 | A file system driver, which is also a Kernel device driver. |
| InteractiveProcess | 256 | A service that can communicate with the desktop. |
| KernelDriver | 1 | A Kernel device driver such as a hard disk or other low-level hardware device driver. |
| RecognizerDriver | 8 | A file system driver used during startup to determine the file systems present on the system. |
| Win32OwnProcess | 16 | A Win32 program that can be started by the Service Controller and that obeys the service control protocol. This type of Win32 service runs in a process by itself. |
| Win32ShareProcess | 32 | A Win32 service that can share a process with other Win32 services. |

Corresponding events on other OS versions:


Windows 2008
 Sample:
        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Detailed Tracking
        Event ID:       601
        Date:           10/26/2009
        Time:           07:41:25
        User:           RESEARCH\ALebovsky
        Computer:       DC1
        Description:
        Attempt to install service:
        Service Name:	SNMPTRAP
        Service File Name:	C:\Windows\system32\snmptrap.exe
        Service Type:	16
        Service Start Type:	3
        Service Account:	NT AUTHORITY\LocalService
        By:
        User Name:	Alebovsky
        Domain:	RESEARCH
        Logon ID:	(0x0,0x158EB7)
      
Log Type: Windows Event Log

Uniquely Identified By:

Log Name: Security

| Filtering Field | Equals to Value |
|---|---|
| OSVersion | Windows 2003 |
| Category | Detailed Tracking |
| Source | Security |
| EventId | 601 |
Field Matching

| Field | Description | Stored in | Sample Value |
|---|---|---|---|
| DateTime | Date/Time of event origination in GMT format. | DateTime | 10.10.2000 19:00:00 |
| Source | Name of an Application or System Service originating the event. | Source | Security |
| Type | Warning, Information, Error, Success, Failure, etc. | Type | Success |
| User | Domain\Account name of user/service/computer initiating event. | User | RESEARCH\Alebovsky |
| Computer | Name of server workstation where event was logged. | Computer | DC1 |
| EventID | Numerical ID of event. Unique within one Event Source. | EventId | 576 |
| Description | The entire unparsed event message. | Description | Special privileges assigned to new logon. |
| Log Name | The name of the event log (e.g. Application, Security, System, etc.) | LogName | Security |
| Category | A name for a subclass of events within the same Event Source. | Category | Logon/Logoff |
| Service Name | The internal system name of the newly installed service | InsertionString1 | SNMPTRAP |
| Service File Name | Full path and name of the executable | InsertionString2 | C:\Windows\system32\snmptrap.exe |
| Service Type | The code for the type of service. Indicates how the service is used by the system. | InsertionString3 | 16 |
| Service Start Type | Automatic - starts with the Operating System boot-up, Manual - starts when explicitly executed by user, Disabled - should be turned to Automatic or Manual to be started | InsertionString4 | 3 |
| Service Account | Name of the account under which the service is started | InsertionString5 | NT AUTHORITY\LocalService |
| User Name | Account name of the user attempting to install the service | InsertionString6 | Alebovsky |
| Domain | Domain of the user attempting to install the service | InsertionString7 | RESEARCH |
| Logon ID | Logon ID of the logon session during which the user attempted to install the service. Allows correlation with other user activity during the same logon session, e.g. when the user initially logged on. | - | |
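
As an added example (not part of the original reference page), the Python below parses an event 601 description, decodes the Service Type bit mask using the codes listed above, and checks the install against an approved-change list. The function names and the format of the `approved` set are assumptions; the start-type names are the Win32 service API constants, which this page does not list.

```python
import re

# Service Type codes from the table on this page; the field is a bit mask,
# so 272 means InteractiveProcess (256) combined with Win32OwnProcess (16).
SERVICE_TYPES = {1: "KernelDriver", 2: "FileSystemDriver", 4: "Adapter",
                 8: "RecognizerDriver", 16: "Win32OwnProcess",
                 32: "Win32ShareProcess", 256: "InteractiveProcess"}
# Start type codes are the Win32 service API constants (not listed on this page).
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Constructed sample, modelled on the event shown on this page.
SAMPLE = """Attempt to install service:
Service Name:\tSNMPTRAP
Service File Name:\tC:\\Windows\\system32\\snmptrap.exe
Service Type:\t16
Service Start Type:\t3
Service Account:\tNT AUTHORITY\\LocalService
By:
User Name:\tAlebovsky
Domain:\tRESEARCH
Logon ID:\t(0x0,0x158EB7)"""

def parse_601(description):
    """Split the 'Label: value' lines of an event 601 description into a dict."""
    fields = {}
    for line in description.splitlines():
        m = re.match(r"\s*([^:\t]+):\s*(\S.*)$", line)
        if m:  # header lines such as 'By:' carry no value and are skipped
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def decode_type(value):
    """Return the names of every Service Type bit set in value."""
    return [name for bit, name in sorted(SERVICE_TYPES.items()) if value & bit]

def triage(description, approved):
    """approved: set of lower-cased (service name, file name) pairs (hypothetical format)."""
    f = parse_601(description)
    key = (f["Service Name"].lower(), f["Service File Name"].lower())
    return {
        "service": f["Service Name"],
        "file": f["Service File Name"],
        "types": decode_type(int(f["Service Type"])),
        "start": START_TYPES.get(int(f["Service Start Type"]), "Unknown"),
        "installed_by": f["Domain"] + "\\" + f["User Name"],
        "logon_id": f["Logon ID"],  # correlate with the session's logon event
        "approved": key in approved,
    }
```

An event whose `approved` value is false is the case the note above describes: a service install with no matching change record.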