The System event log is the operating system’s heartbeat monitor — every service crash, every new service installed, every event log cleared, and every unplanned shutdown is recorded here. When an attacker installs a persistent backdoor as a Windows service or clears event logs to cover their tracks, System.evtx captures the evidence of both actions.
What Is System.evtx?
System.evtx is one of the three core Windows event logs (alongside Security.evtx and Application.evtx) that exists on every Windows installation from Vista onward. It records events generated by Windows system components: the Service Control Manager (SCM), kernel-mode drivers, the Windows Time Service, the Event Log service itself, and core OS subsystems. Unlike the Security log (which requires audit policy configuration), the System log captures critical events by default with no additional configuration required.
The Service Control Manager writes events whenever a service changes state — started, stopped, crashed, or had its startup type modified. The Event Log service records when any event log channel is cleared. The kernel records driver load events, blue screen parameters, and time synchronization changes. For forensic investigators, these default events provide a reliable baseline of system activity that persists across reboots and survives most cleanup attempts.
System.evtx is stored at C:\Windows\System32\winevt\Logs\System.evtx in the EVTX binary XML format. By default, it operates as a rolling log with a 20 MB maximum size. When the log reaches capacity, the oldest events are overwritten. On busy servers, 20 MB may provide only days of retention; on quiet workstations, it may span weeks or months.
System.evtx requires no audit policy configuration. The Service Control Manager, Event Log service, and kernel components write to it by default. This makes it one of the most reliably available forensic artifacts — even on systems where Security.evtx auditing was never enabled.
Location & Format
File Path
| File | Path | Notes |
|---|---|---|
| System.evtx | C:\Windows\System32\winevt\Logs\System.evtx | Primary System event log; present on all Windows Vista+ systems |
| Archive files | C:\Windows\System32\winevt\Logs\Archive-System-*.evtx | Archived logs if “Archive the log when full” is enabled (not default) |
EVTX Format
The EVTX format (introduced in Vista, replacing the legacy EVT format) uses a binary XML structure. Each event record contains a header with the record ID, timestamp (FILETIME), and event ID, followed by an XML payload containing the event data. Records are stored in 64 KB chunks, each with its own header and CRC32 checksum. This chunked architecture means that even if portions of the file are corrupted, intact chunks can still be parsed.
- Maximum size: 20,971,520 bytes (20 MB)
- Retention method: Overwrite events as needed (circular/rolling)
- Archive on full: Disabled by default
- To check or modify: wevtutil gl System or Event Viewer → System Properties
Critical Event IDs
The following Event IDs are the highest-value entries in System.evtx for forensic and incident response investigations:
Service Control Manager Events
| Event ID | Source | Description | Forensic Value |
|---|---|---|---|
| 7034 | Service Control Manager | Service terminated unexpectedly (crashed) | Indicates service instability; malware services may crash repeatedly during deployment |
| 7035 | Service Control Manager | Service sent a start/stop control | Shows which account initiated a service state change |
| 7036 | Service Control Manager | Service entered running/stopped state | Confirms actual service state transition; pair with 7045 for new service timeline |
| 7040 | Service Control Manager | Service start type changed (e.g., Disabled → Auto Start) | Attackers change start type to enable persistence or disable security services |
| 7045 | Service Control Manager | New service installed on the system | Critical: records service name, binary path, start type, and account. Primary detection for service-based persistence and lateral movement (PsExec, Cobalt Strike) |
Event ID 7045 is the single most important event in System.evtx for threat detection. Every service installation is logged here, including PsExec’s PSEXESVC, Cobalt Strike’s service-based execution, and attacker-created persistence services. The event records the service name, the full path to the service binary, the service type, the start type, and the account under which it runs.
Event Log Service Events
| Event ID | Source | Description | Forensic Value |
|---|---|---|---|
| 104 | Microsoft-Windows-Eventlog | Event log was cleared | Critical: records which log was cleared and by which account. Evidence of anti-forensics activity. |
| 6005 | EventLog | Event Log service started | Indicates system boot; use to reconstruct boot/shutdown timeline |
| 6006 | EventLog | Event Log service stopped | Indicates clean shutdown; absence followed by 6005 suggests crash or power loss |
| 6008 | EventLog | Unexpected shutdown (dirty shutdown) | Records the timestamp of the unexpected shutdown; may indicate forced power-off during incident |
| 6009 | EventLog | OS version information at boot | Records Windows version, build number, and processor architecture at every startup |
System Time & Other Critical Events
| Event ID | Source | Description | Forensic Value |
|---|---|---|---|
| 1 | Microsoft-Windows-Kernel-General | System time changed | Records old and new time; detects timestomping at the system level |
| 12 | Microsoft-Windows-Kernel-General | OS started (kernel initialization) | Boot timestamp with build version information |
| 13 | Microsoft-Windows-Kernel-General | OS shutdown initiated | Clean shutdown timestamp |
| 41 | Microsoft-Windows-Kernel-Power | Kernel-Power critical error (unexpected reboot) | BugcheckCode identifies crash type; may indicate kernel exploit or forced reboot |
| 7001 | Microsoft-Windows-Winlogon | User logon notification | Logon event with SID; supplements Security.evtx 4624 |
| 7002 | Microsoft-Windows-Winlogon | User logoff notification | Logoff event with SID |
For rapid triage, filter on these five Event IDs first: 7045 (new service), 7040 (service type changed), 104 (log cleared), 7034 (service crashed), and 1 (time changed). These five events cover the most common attacker persistence, anti-forensics, and manipulation techniques.
What It Reveals
System.evtx answers the following categories of investigative questions:
- Was a new service installed? — Event ID 7045 records the service name, binary path, service type, start type, and account. This detects PsExec (PSEXESVC), Cobalt Strike service execution, and attacker persistence services.
- Was a security service disabled? — Event ID 7040 records when a service’s start type changes. An attacker disabling Windows Defender (WinDefend) or changing it from Auto to Disabled generates this event.
- Were event logs cleared? — Event ID 104 is written to System.evtx when any event log is cleared. Critically, this event survives even if the Security log was the one cleared, because it is recorded in the System log, not the cleared log.
- When did the system boot and shut down? — Events 6005/6006/6008/6009 provide a complete boot/shutdown timeline. Gaps between 6006 and the next 6005 indicate the system was off; absence of 6006 before 6005 indicates a crash or forced power-off.
- Was the system clock manipulated? — Event ID 1 (Kernel-General) records both the old and new time values when the system clock changes, detecting time-based anti-forensics.
- Did a critical service crash? — Event ID 7034 records service crashes with the service name and crash count. A legitimate service crashing may indicate exploitation; a malware service crashing may indicate failed deployment.
Forensic Use Cases
1. PsExec Lateral Movement Detection
When PsExec is used for lateral movement, it installs a temporary service named PSEXESVC on the remote host. Event ID 7045 records: Service Name: PSEXESVC, Service File Name: %SystemRoot%\PSEXESVC.exe, Service Type: user mode service, Service Start Type: demand start, Service Account: LocalSystem. This event persists even after PsExec completes and removes the service binary. The timestamp of the 7045 event pins the lateral movement to the second.
2. Cobalt Strike Service Execution
Cobalt Strike’s psexec and psexec_psh commands create services with randomized 7-character alphanumeric names (e.g., ab1c2d3) and command lines pointing to cmd.exe /c or powershell.exe -nop -w hidden -encodedcommand. Event ID 7045 captures the full service binary path, making the encoded payload recoverable from the event log alone.
3. Anti-Forensics Detection — Log Clearing
An attacker runs wevtutil cl Security to clear the Security event log after credential theft. Event ID 104 in System.evtx records: The Security log file was cleared. Subject: DOMAIN\compromised_admin. The attacker cannot clear System.evtx’s record of the clearing without generating another Event ID 104 for System.evtx itself — creating an infinite evidence loop.
4. Security Service Tampering
Before deploying ransomware, attackers commonly disable endpoint protection. Event ID 7040 captures: The start type of the WinDefend service was changed from auto start to disabled and The start type of the MsMpSvc service was changed from auto start to disabled. The sequence of security services being disabled immediately before encryption provides a clear pre-ransomware indicator.
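The four detections above (PsExec’s PSEXESVC, Cobalt Strike-style random service names with an encoded command line, Event ID 104 log clearing, and Event ID 7040 disabling a security service) plus the Event ID 1 time-change check from the triage list can be scripted over the XML that wevtutil qe System /f:xml emits. The script below is an added example written for this page, not Mjolnir’s or any tool’s code. The sample records, host name, account, service names, paths and timestamps are constructed; the field names for 7045 (ServiceName, ImagePath, ServiceType, StartType, AccountName), for 104 (UserData/LogFileCleared with SubjectUserName, SubjectDomainName, Channel) and for Kernel-General 1 (OldTime, NewTime) follow the Windows event templates as the author understands them, and the security-service watchlist is only the two services named on this page.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the shape `wevtutil qe System /f:xml` prints: consecutive <Event>
# elements with no enclosing root. Every host, account, name, path and time is made up.
SAMPLE_XML = r"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager"/><EventID>7045</EventID><TimeCreated SystemTime="2024-03-02T02:31:07.000000Z"/><Channel>System</Channel><Computer>WS01</Computer></System><EventData><Data Name="ServiceName">PSEXESVC</Data><Data Name="ImagePath">%SystemRoot%\PSEXESVC.exe</Data><Data Name="ServiceType">user mode service</Data><Data Name="StartType">demand start</Data><Data Name="AccountName">LocalSystem</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager"/><EventID>7045</EventID><TimeCreated SystemTime="2024-03-02T02:33:40.000000Z"/><Channel>System</Channel><Computer>WS01</Computer></System><EventData><Data Name="ServiceName">ab1c2d3</Data><Data Name="ImagePath">cmd.exe /c powershell.exe -nop -w hidden -encodedcommand QUJDRA==</Data><Data Name="ServiceType">user mode service</Data><Data Name="StartType">demand start</Data><Data Name="AccountName">LocalSystem</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager"/><EventID>7045</EventID><TimeCreated SystemTime="2024-03-02T02:34:02.000000Z"/><Channel>System</Channel><Computer>WS01</Computer></System><EventData><Data Name="ServiceName">BackupAgent</Data><Data Name="ImagePath">C:\Program Files\Acme\BackupAgent.exe</Data><Data Name="ServiceType">user mode service</Data><Data Name="StartType">auto start</Data><Data Name="AccountName">LocalSystem</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager"/><EventID>7040</EventID><TimeCreated SystemTime="2024-03-02T02:35:12.000000Z"/><Channel>System</Channel><Computer>WS01</Computer></System><EventData><Data Name="param1">WinDefend</Data><Data Name="param2">auto start</Data><Data Name="param3">disabled</Data><Data Name="param4">WinDefend</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>104</EventID><TimeCreated SystemTime="2024-03-02T02:40:55.000000Z"/><Channel>System</Channel><Computer>WS01</Computer></System><UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>compromised_admin</SubjectUserName><SubjectDomainName>DOMAIN</SubjectDomainName><Channel>Security</Channel><BackupPath></BackupPath></LogFileCleared></UserData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Kernel-General"/><EventID>1</EventID><TimeCreated SystemTime="2024-03-02T02:42:00.000000Z"/><Channel>System</Channel><Computer>WS01</Computer></System><EventData><Data Name="NewTime">2024-03-01T22:42:00.000000Z</Data><Data Name="OldTime">2024-03-02T02:42:00.000000Z</Data><Data Name="Reason">2</Data></EventData></Event>
"""

SECURITY_SERVICES = {"WinDefend", "MsMpSvc"}   # the services named on this page; extend for your EDR (assumption)
RANDOM_7 = re.compile(r"^[A-Za-z0-9]{7}$")       # Cobalt Strike-style 7-character alphanumeric service name
SHELL_LAUNCH = re.compile(r"cmd\.exe|powershell\.exe|-enc(odedcommand)?\b", re.I)


@dataclass
class Finding:
    time: str
    event_id: int
    rule: str
    detail: str


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _ts(s):
    # Trim sub-microsecond digits and map the trailing Z so datetime.fromisoformat accepts it
    s = re.sub(r"(\.\d{6})\d+", r"\1", s).replace("Z", "+00:00")
    return datetime.fromisoformat(s)


def parse_events(xml_text):
    """Flatten each <Event> into {EventID, Provider, Time, Data}; Data holds EventData/Data
    elements by Name, and for Event 104 the children of UserData/LogFileCleared."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root:
        rec = {"EventID": None, "Provider": None, "Time": None, "Data": {}}
        for el in ev.iter():
            name = _local(el.tag)
            if name == "EventID":
                rec["EventID"] = int(el.text)
            elif name == "Provider":
                rec["Provider"] = el.get("Name")
            elif name == "TimeCreated":
                rec["Time"] = el.get("SystemTime")
            elif name == "Data" and el.get("Name"):
                rec["Data"][el.get("Name")] = el.text or ""
            elif name == "LogFileCleared":
                for child in el:
                    rec["Data"][_local(child.tag)] = child.text or ""
        events.append(rec)
    return events


def triage(xml_text):
    """Apply the page's five first-pass rules and return the matching records."""
    findings = []
    for ev in parse_events(xml_text):
        eid, d, t = ev["EventID"], ev["Data"], ev["Time"]
        if eid == 7045:
            svc, path, who = d.get("ServiceName", ""), d.get("ImagePath", ""), d.get("AccountName", "")
            if svc.upper() == "PSEXESVC":
                findings.append(Finding(t, eid, "psexec_service", f"{svc} -> {path} as {who}"))
            elif RANDOM_7.match(svc) and SHELL_LAUNCH.search(path):
                findings.append(Finding(t, eid, "cobaltstrike_style_service", f"{svc} -> {path} as {who}"))
        elif eid == 7040:
            # %1 in the message is the service name; newer builds also carry the short name in param4 (assumption)
            names = {d.get("param1", ""), d.get("param4", "")}
            if d.get("param3", "").lower() == "disabled" and names & SECURITY_SERVICES:
                findings.append(Finding(t, eid, "security_service_disabled",
                                        f"{d.get('param1')}: {d.get('param2')} -> {d.get('param3')}"))
        elif eid == 104:
            who = f"{d.get('SubjectDomainName', '')}\\{d.get('SubjectUserName', '')}"
            # A 104 whose Channel is System means this log itself was cleared: older records are gone
            note = " (System log itself cleared; earlier records lost)" if d.get("Channel") == "System" else ""
            findings.append(Finding(t, eid, "log_cleared", f"{d.get('Channel')} cleared by {who}{note}"))
        elif eid == 1 and ev["Provider"] == "Microsoft-Windows-Kernel-General":
            delta = (_ts(d["NewTime"]) - _ts(d["OldTime"])).total_seconds()
            findings.append(Finding(t, eid, "system_time_changed",
                                    f"clock moved {delta:+.0f} s ({d['OldTime']} -> {d['NewTime']})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_XML):
        print(f.time, f.event_id, f.rule, f.detail)
```

Run it against a real export with `triage(open("System_export.xml").read())`; the benign BackupAgent 7045 in the sample is deliberately left unflagged so the rules stay narrow, and the 7040 rule keys on the start type going to disabled rather than on any change, which is what the use case above describes.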
5. Boot/Shutdown Timeline Reconstruction
In a corporate espionage case, the investigator needs to establish when a laptop was powered on during a weekend. Events 6005 (boot), 6006 (clean shutdown), 6008 (unexpected shutdown), and 12/13 (kernel start/stop) provide an hour-by-hour power timeline. If the laptop was supposedly off-site but System.evtx shows it booting at 02:30 AM Saturday, the user’s account is contradicted by the evidence.
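The timeline logic of use case 5, carried through in code as an added example that is not part of the original article: pair each 6005 boot with the 6006 that closes it, attach a 6008’s reported shutdown time to the session that never got a 6006, and then list the sessions that booted on a weekend. The events below are constructed; the 6008 entry is assumed to have already had its "previous system shutdown at ..." time parsed into UTC, and the weekend test is done in UTC, so convert to the host’s local time before drawing conclusions about "02:30 AM Saturday".

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed (TimeCreated, EventID, prior-shutdown time for 6008) tuples. A 6008 is written at
# the boot that follows a dirty shutdown; the shutdown time comes from its own data (assumption:
# already parsed to ISO UTC). 2024-03-02 is a Saturday.
SAMPLE_EVENTS = [
    ("2024-02-29T08:00:05Z", 6005, None),                    # Thursday boot
    ("2024-02-29T17:30:44Z", 6006, None),                    # Thursday clean shutdown
    ("2024-03-02T02:30:12Z", 6005, None),                    # Saturday 02:30 boot, no 6006 follows
    ("2024-03-04T08:05:01Z", 6005, None),                    # Monday boot
    ("2024-03-04T08:05:09Z", 6008, "2024-03-02T04:12:00Z"),  # reports the dirty Saturday shutdown
]


@dataclass
class Session:
    boot: datetime
    shutdown: Optional[datetime] = None
    clean: Optional[bool] = None   # True: 6006 seen; False: dirty or missing; None: still open
    note: str = ""


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_sessions(events):
    """Reconstruct power sessions from 6005/6006/6008 records, oldest first."""
    sessions = []
    for when, eid, extra in sorted(events, key=lambda e: _ts(e[0])):
        t = _ts(when)
        if eid == 6005:
            if sessions and sessions[-1].shutdown is None:
                # Previous boot never got a 6006: crash or forced power-off
                sessions[-1].clean = False
                sessions[-1].note = "no 6006 before next 6005"
            sessions.append(Session(boot=t))
        elif eid == 6006:
            if sessions and sessions[-1].shutdown is None:
                sessions[-1].shutdown, sessions[-1].clean = t, True
        elif eid == 6008 and extra:
            dirty = _ts(extra)
            # Attach to the most recent session that started before the dirty shutdown and has no end
            for s in reversed(sessions):
                if s.shutdown is None and s.boot < dirty:
                    s.shutdown, s.clean, s.note = dirty, False, "6008 unexpected shutdown"
                    break
    return sessions


def weekend_boots(sessions):
    """Sessions whose boot fell on Saturday or Sunday (weekday() 5 or 6)."""
    return [s for s in sessions if s.boot.weekday() >= 5]


if __name__ == "__main__":
    for s in build_sessions(SAMPLE_EVENTS):
        end = s.shutdown.isoformat() if s.shutdown else "still running / unknown"
        print(f"boot {s.boot.isoformat()}  end {end}  clean={s.clean}  {s.note}")
    for s in weekend_boots(build_sessions(SAMPLE_EVENTS)):
        print("weekend boot:", s.boot.isoformat())
```

Adding 12/13 Kernel-General records is a matter of treating 12 like 6005 and 13 like 6006; they are kept out here so the sample stays readable.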
Acquisition Methods
System.evtx is locked by the Event Log service on a live system. Direct copy will fail with a sharing violation. Use wevtutil epl, Volume Shadow Copy, or a forensic imaging tool. On a forensic image, the file can be extracted directly.
Live System — wevtutil Export
```batch
:: Export the System log to a new .evtx file (bypasses file lock)
wevtutil epl System C:\Evidence\System_export.evtx
:: Also export Security and Application for cross-correlation
wevtutil epl Security C:\Evidence\Security_export.evtx
wevtutil epl Application C:\Evidence\Application_export.evtx
:: Quick triage: export only Event ID 7045 (new services) from the last 7 days (timediff is in milliseconds)
wevtutil qe System /q:"*[System[(EventID=7045) and TimeCreated[timediff(@SystemTime) <= 604800000]]]" /f:text
```
Live System — KAPE / Velociraptor
```batch
:: KAPE: Collect all event logs
kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target EventLogs
:: Velociraptor: Collect System.evtx via artifact
:: Artifact: Windows.EventLogs.EvtxHunter
:: Or: Windows.KapeFiles.Targets with target "EventLogs"
```
Forensic Image — Direct Extraction
```bash
# Mount forensic image read-only
mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence
# Copy all event logs
cp -r /mnt/evidence/Windows/System32/winevt/Logs/ /analysis/evtx/
# Or extract only System.evtx
cp /mnt/evidence/Windows/System32/winevt/Logs/System.evtx /analysis/evtx/
```
Parsing Tools & Analysis
| Tool | Author | License | Output | Notes |
|---|---|---|---|---|
| EvtxECmd | Eric Zimmerman | Free | CSV/JSON | Fast EVTX parser with built-in event maps; outputs structured CSV for Timeline Explorer |
| Chainsaw | WithSecure | Open source | Text/JSON | Sigma-rule-based hunting across EVTX files; excellent for rapid threat hunting |
| Hayabusa | Yamato Security | Open source | CSV/JSON | High-speed Sigma-based log analysis with built-in detection rules |
| Get-WinEvent | Microsoft | Built-in | PowerShell objects | Native PowerShell cmdlet; supports XPath filtering on live and offline logs |
| Event Viewer | Microsoft | Built-in | GUI | Native GUI tool; supports custom views and XPath filters |
| python-evtx | Will Ballenthin | Open source | Python API | Programmatic parsing for custom analysis scripts |
Parsing with EvtxECmd
```batch
:: Parse System.evtx to CSV with event maps
EvtxECmd.exe -f C:\Evidence\System.evtx --csv C:\Analysis\System_Output --csvf System_parsed.csv
:: Parse all EVTX files in a directory
EvtxECmd.exe -d C:\Evidence\evtx\ --csv C:\Analysis\AllLogs_Output
```
Hunting with Chainsaw
```batch
:: Hunt across all EVTX logs using Sigma rules
chainsaw hunt C:\Evidence\evtx\ -s sigma/rules/ --mapping mappings/sigma-event-logs-all.yml
:: Search for specific Event IDs
chainsaw search C:\Evidence\System.evtx -e 7045
chainsaw search C:\Evidence\System.evtx -e 104
```
PowerShell Queries (Live or Offline)
```powershell
# Find all new service installations (Event ID 7045)
# Properties[] order for 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} |
    Select-Object TimeCreated,
        @{N='ServiceName'; E={$_.Properties[0].Value}},
        @{N='ImagePath';   E={$_.Properties[1].Value}},
        @{N='ServiceType'; E={$_.Properties[2].Value}},
        @{N='StartType';   E={$_.Properties[3].Value}},
        @{N='AccountName'; E={$_.Properties[4].Value}}

# Find all log clearing events (Event ID 104)
# 104 stores its fields under UserData/LogFileCleared in this order:
# SubjectUserName, SubjectDomainName, Channel, BackupPath
Get-WinEvent -FilterHashtable @{LogName='System'; Id=104} |
    Select-Object TimeCreated,
        @{N='SubjectUser'; E={"$($_.Properties[1].Value)\$($_.Properties[0].Value)"}},
        @{N='ClearedLog';  E={$_.Properties[2].Value}}

# Find service start-type changes (Event ID 7040); the rendered Message names the service and both start types
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7040} |
    Select-Object TimeCreated, Message |
    Format-List

# Query an offline .evtx file (exported copy or file extracted from an image)
Get-WinEvent -Path 'C:\Evidence\System.evtx' -FilterXPath "*[System[(EventID=7045)]]"
```
Retention & Persistence
| Property | Default Setting | Recommendation |
|---|---|---|
| Maximum log size | 20 MB | Increase to 256 MB – 1 GB for servers; 128 MB for workstations |
| Retention method | Overwrite as needed (circular) | Keep circular; forward to SIEM for long-term retention |
| Survives reboot | Yes | — |
| Survives OS reinstall | No — destroyed with the OS partition | Forward to SIEM; include in regular forensic image backups |
| Effective retention at 20 MB | Days to weeks (activity-dependent) | High-activity DCs may retain only 2–3 days at default size |
On domain controllers and critical servers, the default 20 MB System log may retain only 2–3 days of events during active periods. Increase to at least 256 MB (wevtutil sl System /ms:268435456) and forward all events to a SIEM with long-term retention. The cost of additional disk space is negligible compared to the cost of lost evidence.
Anti-Forensics Resilience
System.evtx has strong anti-forensics resilience for most attacks, with one critical exception: direct log clearing by an administrator-level attacker.
| Method | Clears System.evtx? | Detection |
|---|---|---|
| wevtutil cl System | Yes — clears all entries | Event ID 104 is written before the clear completes, but on a quiet system the new log may show only the 104 event |
| CCleaner | Optional — if Event Logs module is selected | If cleared, Event ID 104 records the action; CCleaner process execution recorded in other artifacts |
| Deletion of .evtx file | Not possible while service is running | Event Log service locks the file; requires stopping the service first (which generates Event ID 7036) |
| Stopping Event Log service | Does not clear; stops recording | Event ID 7036 records the service stopping; absence of subsequent events is itself suspicious |
| Log size overflow | Oldest events overwritten | Not an attack per se, but natural evidence loss; increase log size to mitigate |
| Timestomping system clock | No — but corrupts timeline | Event ID 1 (Kernel-General) records old and new time; cross-reference with network time sources |
When an attacker clears any event log, Event ID 104 is recorded in System.evtx. If they then clear System.evtx, a new Event ID 104 is written to the freshly cleared System.evtx. The attacker can never fully erase the evidence of clearing without disabling the Event Log service first — which itself generates events (7036, 7034). This creates a forensic trail that is extremely difficult to fully eliminate.
MITRE ATT&CK Detection Mapping
System.evtx provides direct detection capability for the following MITRE ATT&CK techniques:
| Technique | Name | System.evtx Evidence |
|---|---|---|
| T1543.003 | Create or Modify System Process: Windows Service | Event ID 7045 records every new service installation with binary path and account |
| T1569.002 | System Services: Service Execution | Events 7035/7036 record service start commands and state transitions |
| T1070.001 | Indicator Removal: Clear Windows Event Logs | Event ID 104 records which log was cleared and by which account |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Event ID 7040 when security service start types change to Disabled |
| T1070.006 | Indicator Removal: Timestomp | Event ID 1 (Kernel-General) records system time changes with old and new values |
| T1014 | Rootkit | Driver load events record kernel-mode driver installations that may indicate rootkit deployment |
Related Artifacts & Cross-References
Complementary Artifacts
| Artifact | Relationship to System.evtx | Cross-Correlation Value |
|---|---|---|
| Security.evtx | Process creation (4688), logon events (4624/4625), privilege use (4672) | Security.evtx provides the “who logged in”; System.evtx provides the “what services changed” |
| PowerShell Operational | Script block logging (4104) reveals commands behind service creation | If a service was created via PowerShell, the script content is in the PowerShell log |
| Sysmon | Process creation (Event 1), network connections (Event 3) | Sysmon provides the process tree and command line; System.evtx provides service context |
| SYSTEM registry hive | Contains the current service configuration | Registry shows current state; System.evtx shows historical state transitions |
| Prefetch | Confirms execution of service binaries | Prefetch provides run count; System.evtx provides service installation timeline |
| Shimcache/Amcache | Records file metadata for executed service binaries | File hash and compilation timestamp for service binaries identified in 7045 events |
References
- Eric Zimmerman, “EvtxECmd — EVTX Parser” — https://ericzimmerman.github.io/
- WithSecure, “Chainsaw — Rapid EVTX Hunting” — https://github.com/WithSecureLabs/chainsaw
- Yamato Security, “Hayabusa — Windows Event Log Analyzer” — https://github.com/Yamato-Security/hayabusa
- SANS Institute, “Windows Event Log Reference” — https://www.sans.org/posters/windows-forensic-analysis/
- Microsoft, “Service Control Manager Events” — https://learn.microsoft.com
- JPCERT/CC, “Tool Analysis Result Sheet — PsExec” — https://jpcertcc.github.io/ToolAnalysisResultSheet/
- SigmaHQ, “Sigma Detection Rules” — https://github.com/SigmaHQ/sigma
Mjolnir Security — Digital Forensics & Incident Response
Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in Windows event log analysis, service-based persistence detection, and enterprise-scale log hunting across thousands of endpoints.
mjolnirsecurity.com — 24/7: +1 833 403 5875