Service Control Manager

91 events across 1 channel

Event | Title | Channel | Sample
7000 | The param1 service failed to start due to the following error: | System | Y
7001 | The param1 service depends on the param2 service which failed to start because … | System | Y
7002 | The param1 service depends on the param2 group and no member of this group … | System | N
7003 | The param1 service depends on the following service: | System | N
7005 | The param1 call failed with the following error: | System | N
7006 | The param1 call failed for param2 with the following error: | System | N
7007 | The system reverted to its last known good configuration | System | Y
7008 | No backslash is in the account name | System | N
7009 | A timeout was reached (param1 milliseconds) while waiting for the param2 service … | System | Y
7010 | A timeout (param1 milliseconds) was reached while waiting for ReadFile | System | N
7011 | A timeout (param1 milliseconds) was reached while waiting for a transaction … | System | Y
7012 | The message returned in the transaction has incorrect size | System | N
7013 | Logon attempt with current password failed with the following error: | System | N
7014 | Second logon attempt with old password also failed with the following error: | System | N
7016 | The param1 service has reported an invalid current state | System | N
7017 | Detected circular dependencies demand starting | System | N
7018 | Detected circular dependencies auto-starting services | System | N
7019 | The param1 service depends on a service in a group which starts later | System | N
7020 | The param1 service depends on a group which starts later | System | N
7021 | About to revert to the last known good configuration because the param1 service … | System | N
7022 | The param1 service hung on starting | System | Y
7023 | The param1 service terminated with the following error: | System | Y
7024 | The param1 service terminated with the following service-specific error: | System | Y
7026 | The following boot-start or system-start driver(s) did not load: | System | Y
7027 | Windows could not be started as configured | System | N
7028 | The param1 Registry key denied access to SYSTEM account programs so the Service … | System | N
7029 | Service Control Manager | System | N
7030 | The param1 service is marked as an interactive service | System | Y
7031 | The param1 service terminated unexpectedly | System | Y
7032 | The Service Control Manager tried to take a corrective action (param2) after the … | System | N
7034 | The param1 service terminated unexpectedly | System | Y
7035 | The param1 service was successfully sent a param2 control | System | N
7036 | The Microsoft Software Shadow Copy Provider service entered the stopped state. | System | Y
7037 | The Service Control Manager encountered an error undoing a configuration change … | System | N
7038 | The param1 service was unable to log on as param2 with the currently configured … | System | Y
7039 | A service process other than the one launched by the Service Control Manager … | System | N
7040 | The start type of the msdsm service was changed from boot start to demand start. | System | Y
7041 | The param1 service was unable to log on as param2 with the currently configured … | System | Y
7042 | The param1 service was successfully sent a param2 control | System | Y
7043 | The param1 service did not shut down properly after receiving a preshutdown … | System | Y
7044 | The following service is taking more than param2 minutes to start and may have … | System | N
7045 | A service was installed in the system. | System | Y
7046 | The following service has repeatedly stopped responding to service control … | System | N
1073748859 | The param1 service was successfully sent a param2 control. | System | N
1073748860 | The param1 service entered the param2 state. | System | Y
1073748864 | The start type of the param1 service was changed from param2 to param3. | System | Y
1073748866 | The param1 service was successfully sent a param2 control. | System | Y
1073748869 | A service was installed in the system. | System | Y
2147490687 | A service process other than the one launched by the Service Control Manager … | System | N
2147490692 | The following service is taking more than param2 minutes to start and may have … | System | N
2147490694 | The following service has repeatedly stopped responding to service control … | System | N
2147490695 | The following services failed to start during a run level switch: {Failed … | System | N
2147490696 | A run level switch failed. | System | N
3221232472 | The param1 service failed to start due to the following error: param2. | System | Y
3221232473 | The param1 service depends on the param2 service which failed to start because … | System | Y
3221232474 | The param1 service depends on the param2 group and no member of this group … | System | N
3221232475 | The param1 service depends on the following service: param2. | System | N
3221232477 | The param1 call failed with the following error: param2. | System | N
3221232478 | The param1 call failed for param2 with the following error: param3. | System | N
3221232479 | The system reverted to its last known good configuration. | System | Y
3221232480 | No backslash is in the account name. | System | N
3221232481 | A timeout was reached (param1 milliseconds) while waiting for the param2 service … | System | Y
3221232482 | A timeout (param1 milliseconds) was reached while waiting for ReadFile. | System | N
3221232483 | A timeout (param1 milliseconds) was reached while waiting for a transaction … | System | N
3221232484 | The message returned in the transaction has incorrect size. | System | N
3221232485 | Logon attempt with current password failed with the following error. | System | N
3221232486 | Second logon attempt with old password also failed with the following error. | System | N
3221232487 | Boot-start or system-start driver ({param1}) must not depend on a service. | System | N
3221232488 | The param1 service has reported an invalid current state param2. | System | N
3221232489 | Detected circular dependencies demand starting param1. | System | N
3221232490 | Detected circular dependencies auto-starting services. | System | N
3221232491 | The param1 service depends on a service in a group which starts later. | System | N
3221232492 | The param1 service depends on a group which starts later. | System | N
3221232493 | About to revert to the last known good configuration because the param1 service … | System | N
3221232494 | The param1 service hung on starting. | System | N
3221232495 | The param1 service terminated with the following error: param2. | System | Y
3221232496 | The param1 service terminated with the following service-specific error: param2. | System | Y
3221232497 | At least one service or driver failed during system startup. | System | N
3221232498 | The following boot-start or system-start driver(s) did not load: param1. | System | Y
3221232499 | Windows could not be started as configured. | System | N
3221232500 | The param1 Registry key denied access to SYSTEM account programs so the Service … | System | N
3221232501 | Service Control Manager | System | N
3221232502 | The param1 service is marked as an interactive service. | System | Y
3221232503 | The param1 service terminated unexpectedly. | System | Y
3221232504 | The Service Control Manager tried to take a corrective action (param2) after the … | System | N
3221232505 | The Service Control Manager did not initialize successfully. | System | N
3221232506 | The param1 service terminated unexpectedly. | System | Y
3221232509 | The Service Control Manager encountered an error undoing a configuration change … | System | N
3221232510 | The param1 service was unable to log on as param2 with the currently configured … | System | Y
3221232513 | The Service service was unable to log on as DomainAndAccount with the currently … | System | Y
3221232515 | The param1 service did not shut down properly after receiving a preshutdown … | System | Y

Event ID 7000: The param1 service failed to start due to the following error:

Provider: Service Control Manager
Channel: System
Level: Error
Collection Priority: Recommended (Microsoft-WEF, others)

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |
__binLength |
BinaryData |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
    "event_source_name": "",
    "event_id": 7000,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": -9187343239835811840,
    "time_created": "2026-05-29T16:32:53.9016913+00:00",
    "event_record_id": 6718,
    "correlation": {},
    "execution": {
      "process_id": 804,
      "thread_id": 844
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "luafv",
    "param2": "%%1275"
  },
  "message": "The luafv service failed to start due to the following error: \r\nThis driver has been blocked from loading"
}

Event ID 7001: The param1 service depends on the param2 service which failed to start because of the following error:

Provider: Service Control Manager
Channel: System
Level: Error

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |
param3 UnicodeString |
__binLength |
BinaryData |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7001,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2022-04-04T08:05:16.553984+00:00",
    "event_record_id": 819,
    "correlation": {},
    "execution": {
      "process_id": 604,
      "thread_id": 5640
    },
    "channel": "System",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Microsoft Defender Antivirus Network Inspection Service",
    "param2": "Microsoft Defender Antivirus Network Inspection System Driver",
    "param3": "%%1062",
    "Binary": "570064004E00690073005300760063000000"
  },
  "message": ""
}

Event ID 7002: The param1 service depends on the param2 group and no member of this group started

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |
__binLength UInt32 |
BinaryData Binary |

Event ID 7003: The param1 service depends on the following service:

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |
__binLength UInt32 |
BinaryData Binary |

Event ID 7005: The param1 call failed with the following error:

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |

Event ID 7006: The param1 call failed for param2 with the following error:

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |
param3 UnicodeString |

Event ID 7007: The system reverted to its last known good configuration

Provider: Service Control Manager
Channel: System

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7007,
    "level": "Error",
    "task": null,
    "opcode": null,
    "time_created": "2026-03-17T19:22:46.0073056+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {}
}

Event ID 7008: No backslash is in the account name

Provider: Service Control Manager
Channel: System

Event ID 7009: A timeout was reached (param1 milliseconds) while waiting for the param2 service to connect

Provider: Service Control Manager
Channel: System
Level: Error

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |
__binLength |
BinaryData |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
    "event_source_name": "",
    "event_id": 7009,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": -9187343239835811840,
    "time_created": "2026-06-13T14:46:49.0019786+00:00",
    "event_record_id": 4626,
    "correlation": {},
    "execution": {
      "process_id": 752,
      "thread_id": 1976
    },
    "channel": "System",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "30000",
    "param2": "EtwGenPnpSvc"
  },
  "message": "A timeout was reached (30000 milliseconds) while waiting for the EtwGenPnpSvc service to connect."
}

Event ID 7010: A timeout (param1 milliseconds) was reached while waiting for ReadFile

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |

Event ID 7011: A timeout (param1 milliseconds) was reached while waiting for a transaction response from the param2 service

Provider: Service Control Manager
Channel: System
Level: Error

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7011,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2016-08-18T15:43:00.939453Z",
    "event_record_id": 5503,
    "correlation": {},
    "execution": {
      "process_id": 476,
      "thread_id": 200
    },
    "channel": "System",
    "computer": "IE10Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "30000",
    "param2": "ShellHWDetection"
  }
}

Event ID 7012: The message returned in the transaction has incorrect size

Provider: Service Control Manager
Channel: System

Event ID 7013: Logon attempt with current password failed with the following error:

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |

Event ID 7014: Second logon attempt with old password also failed with the following error:

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |

Event ID 7016: The param1 service has reported an invalid current state

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |

Event ID 7017: Detected circular dependencies demand starting

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |
__binLength UInt32 |
BinaryData Binary |

Event ID 7018: Detected circular dependencies auto-starting services

Provider: Service Control Manager
Channel: System

Event ID 7019: The param1 service depends on a service in a group which starts later

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |
__binLength UInt32 |
BinaryData Binary |

Event ID 7020: The param1 service depends on a group which starts later

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |
__binLength UInt32 |
BinaryData Binary |

Event ID 7021: About to revert to the last known good configuration because the param1 service failed to start

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |

Event ID 7022: The param1 service hung on starting

Provider: Service Control Manager
Channel: System
Level: Error
Collection Priority: Recommended (NSA)

Fields

Name | Description
param1 UnicodeString |
__binLength |
BinaryData |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7022,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2022-03-04T08:47:55.688837+00:00",
    "event_record_id": 154,
    "correlation": {},
    "execution": {
      "process_id": 596,
      "thread_id": 2804
    },
    "channel": "System",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Network Connection Broker",
    "Binary": "4E006300620053006500720076006900630065000000"
  },
  "message": ""
}

Event ID 7023: The param1 service terminated with the following error:

Provider: Service Control Manager
Channel: System
Level: Error
Collection Priority: Recommended (NSA)

Fields

Name | Description | Rules
param1 UnicodeString | | 8 detection rules
param2 UnicodeString | |
__binLength | |
BinaryData | |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
    "event_source_name": "",
    "event_id": 7023,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": -9187343239835811840,
    "time_created": "2026-06-13T05:08:37.7386929+00:00",
    "event_record_id": 7303,
    "correlation": {},
    "execution": {
      "process_id": 832,
      "thread_id": 7172
    },
    "channel": "System",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "SMB Witness",
    "param2": "%%1753"
  },
  "message": "The SMB Witness service terminated with the following error: \r\nThere are no more endpoints available from the endpoint mapper."
}

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Provider_Name | eq | Service Control Manager | 2 rules | sigma

Event ID 7024: The param1 service terminated with the following service-specific error:

Provider: Service Control Manager
Channel: System
Level: Error
Collection Priority: Recommended (NSA)

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |
__binLength UInt32 |
BinaryData Binary |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7024,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2025-12-31T19:34:50.495914+00:00",
    "event_record_id": 320,
    "correlation": {},
    "execution": {
      "process_id": 844,
      "thread_id": 1716
    },
    "channel": "System",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Background Intelligent Transfer Service",
    "param2": "%%2147943515",
    "Binary": "42004900540053000000"
  },
  "message": ""
}

Event ID 7026: The following boot-start or system-start driver(s) did not load:

Provider: Service Control Manager
Channel: System
Level: Informational
Collection Priority: Recommended (NSA)

Fields

Name | Description
param1 UnicodeString |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
    "event_source_name": "",
    "event_id": 7026,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9187343239835811840,
    "time_created": "2026-05-29T16:33:26.7146776+00:00",
    "event_record_id": 6793,
    "correlation": {},
    "execution": {
      "process_id": 804,
      "thread_id": 808
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "\ndam"
  },
  "message": "The following boot-start or system-start driver(s) did not load: \r\ndam"
}

Event ID 7027: Windows could not be started as configured

Provider: Service Control Manager
Channel: System

Event ID 7028: The param1 Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |

Event ID 7029: Service Control Manager

Provider: Service Control Manager
Channel: System

Event ID 7030: The param1 service is marked as an interactive service

Provider: Service Control Manager
Channel: System
Level: Error

Fields

Name | Description
param1 UnicodeString |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
    "event_source_name": "",
    "event_id": 7030,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": -9187343239835811840,
    "time_created": "2026-04-18T00:26:39.6386558+00:00",
    "event_record_id": 177,
    "correlation": {},
    "execution": {
      "process_id": 828,
      "thread_id": 4952
    },
    "channel": "System",
    "computer": "USERUSE-I0E7KUG",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Printer Extensions and Notifications"
  },
  "message": "The Printer Extensions and Notifications service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly."
}

Event ID 7031: The param1 service terminated unexpectedly

Provider: Service Control Manager
Channel: System
Level: Error
Collection Priority: Recommended (NSA, others)

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |
param3 UnicodeString |
param4 UnicodeString |
param5 UnicodeString |
__binLength UInt32 |
BinaryData Binary |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7031,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2026-03-13T23:10:29.710970+00:00",
    "event_record_id": 12403,
    "correlation": {},
    "execution": {
      "process_id": 928,
      "thread_id": 13104
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Active Directory Federation Services",
    "param2": "1",
    "param3": "120000",
    "param4": "1",
    "param5": "Restart the service",
    "Binary": "61006400660073007300720076000000"
  },
  "message": ""
}

Event ID 7032: The Service Control Manager tried to take a corrective action (param2) after the unexpected termination of the param3 service, but this action failed with the following error:

Provider: Service Control Manager
Channel: System
Collection Priority: Recommended (NSA)

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |
param3 UnicodeString |
param4 UnicodeString |

Event ID 7034: The param1 service terminated unexpectedly

Provider: Service Control Manager
Channel: System
Level: Error
Collection Priority: Recommended (NSA, others)

Fields

Name | Description | Rules
param1 UnicodeString | | 1 detection rule
param2 UnicodeString | |
__binLength | |
BinaryData | |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7034,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2023-10-25T22:56:14.228587+00:00",
    "event_record_id": 1465,
    "correlation": {},
    "execution": {
      "process_id": 800,
      "thread_id": 7704
    },
    "channel": "System",
    "computer": "WinDevEval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "OpenSSH SSH Server",
    "param2": "1",
    "Binary": "73007300680064000000"
  },
  "message": ""
}

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Provider_Name | eq | Service Control Manager | 1 rule | sigma

Event ID 7035: The param1 service was successfully sent a param2 control

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |

Event ID 7036: The Microsoft Software Shadow Copy Provider service entered the stopped state.

Provider: Service Control Manager
Channel: System
Level: Informational
Collection Priority: Recommended (Palantir)

Fields

Name | Description | Rules
param1 UnicodeString | | 2 detection rules
param2 UnicodeString | | 3 detection rules
__binLength | |
BinaryData | |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
    "event_source_name": "",
    "event_id": 7036,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9187343239835811840,
    "time_created": "2026-05-30T01:03:50.8900253+00:00",
    "event_record_id": 6904,
    "correlation": {},
    "execution": {
      "process_id": 804,
      "thread_id": 1480
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Software Protection",
    "param2": "stopped"
  },
  "message": "The Software Protection service entered the stopped state."
}

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Provider_Name | eq | Service Control Manager | 3 rules | sigma
param2 | eq | stopped | 2 rules | sigma, splunk
ServiceName | contains | ammyyadmin | 1 rule | sigma
ServiceName | contains | atera | 1 rule | sigma
ServiceName | contains | basupportexpresssrvcupdater | 1 rule | sigma
ServiceName | contains | basupportexpressstandaloneservice | 1 rule | sigma
ServiceName | contains | cachedump | 1 rule | kusto, sigma
ServiceName | contains | chromoting | 1 rule | sigma
ServiceName | contains | gotoassist | 1 rule | sigma
ServiceName | contains | gotomypc | 1 rule | sigma
ServiceName | contains | jumpcloud | 1 rule | sigma
ServiceName | contains | lmiguardiansvc | 1 rule | sigma
ServiceName | contains | logmein | 1 rule | sigma
ServiceName | contains | monblanking | 1 rule | sigma
ServiceName | contains | parsec | 1 rule | sigma

Detection Rules

Splunk

  • First Time Seen Running Windows Service: The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the "running" state. This activity is…
  • Windows Cisco Secure Endpoint Related Service Stopped: The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume…
  • Windows Security And Backup Services Stop: The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume…

Event ID 7037: The Service Control Manager encountered an error undoing a configuration change to the param1 service

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |

Event ID 7038: The param1 service was unable to log on as param2 with the currently configured password due to the following error:

Provider: Service Control Manager
Channel: System
Level: Error

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |
param3 UnicodeString |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7038,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2026-03-13T19:07:40.053438+00:00",
    "event_record_id": 10993,
    "correlation": {},
    "execution": {
      "process_id": 864,
      "thread_id": 13408
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "wlidsvc",
    "param2": "NT AUTHORITY\\SYSTEM",
    "param3": "%%1722"
  },
  "message": ""
}

Event ID 7039: A service process other than the one launched by the Service Control Manager connected when starting the param1 service

Provider: Service Control Manager
Channel: System

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |
param3 UnicodeString |

Event ID 7040: The start type of the msdsm service was changed from boot start to demand start.

Provider: Service Control Manager
Channel: System
Level: Informational
Collection Priority: Recommended (Palantir, others)

Fields

Name | Description | Rules
param1 UnicodeString | | 3 detection rules
param2 UnicodeString | |
param3 UnicodeString | | 2 detection rules
param4 UnicodeString | |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
    "event_source_name": "",
    "event_id": 7040,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9187343239835811840,
    "time_created": "2026-06-13T13:35:28.6930582+00:00",
    "event_record_id": 8618,
    "correlation": {},
    "execution": {
      "process_id": 864,
      "thread_id": 3192
    },
    "channel": "System",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "param1": "Cluster Disk Driver",
    "param2": "demand start",
    "param3": "system start",
    "param4": "ClusDisk"
  },
  "message": "The start type of the Cluster Disk Driver service was changed from demand start to system start."
}

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
count | ge | 10 | 1 rule | splunk

Detection Rules

Splunk

  • Windows Event For Service Disabled: The following analytic detects when a Windows service is modified from a start type to disabled. It leverages system event logs, specifically EventCode 7040, to identify this change. This activity is significant because adversaries often…
  • Windows Excessive Disabled Services Event: The following analytic identifies an excessive number of system events where services are modified from start to disabled. It leverages Windows Event Logs (EventCode 7040) to detect multiple service state changes on a single host. This…
  • Windows Service Stop Win Updates: The following analytic detects the disabling of Windows Update services, such as "Update Orchestrator Service for Windows Update," "WaaSMedicSvc," and "Windows Update." It leverages Windows System Event ID 7040 logs to identify changes in…

Event ID 7041: The param1 service was unable to log on as param2 with the currently configured password due to the following error:

Provider: Service Control Manager
Channel: System
Level: Error

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7041,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2026-03-13T20:17:37.908345+00:00",
    "event_record_id": 11763,
    "correlation": {},
    "execution": {
      "process_id": 960,
      "thread_id": 9408
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "EvtGenSvc",
    "param2": ".\\domainadmin"
  },
  "message": ""
}

Event ID 7042: The param1 service was successfully sent a param2 control

Provider: Service Control Manager
Channel: System
Level: Informational

Fields

Name | Description
param1 UnicodeString |
param2 UnicodeString |
param3 UnicodeString |
param4 UnicodeString |
param5 UnicodeString |
__binLength |
BinaryData |

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7042,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2022-04-04T12:00:04.609673+00:00",
    "event_record_id": 1436,
    "correlation": {},
    "execution": {
      "process_id": 604,
      "thread_id": 3184
    },
    "channel": "System",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "param1": "TCP/IP NetBIOS Helper",
    "param2": "stop",
    "param3": "0x40030011",
    "param4": "Operating System: Network Connectivity (Planned)",
    "param5": "None",
    "Binary": "6C006D0068006F007300740073000000"
  },
  "message": ""
}

Event ID 7043: The param1 service did not shut down properly after receiving a preshutdown control

Provider: Service Control Manager
Channel: System
Level: Error

Fields #

Name | Description
param1 UnicodeString
__binLength
BinaryData

Example Event #

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "event_source_name": "Service Control Manager",
    "event_id": 7043,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2022-04-04T13:06:45.664309+00:00",
    "event_record_id": 1473,
    "correlation": {
      "ActivityID": "CDD19977-4814-0000-6779-D2CD1448D801"
    },
    "execution": {
      "process_id": 604,
      "thread_id": 512
    },
    "channel": "System",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Update Orchestrator Service",
    "Binary": "550073006F005300760063000000"
  },
  "message": ""
}

Event ID 7044: The following service is taking more than param2 minutes to start and may have stopped responding:

Provider: Service Control Manager
Channel: System

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString
__binLength UInt32
BinaryData Binary

Event ID 7045: A service was installed in the system.

Provider: Service Control Manager
Channel: System
Level: Informational
Collection Priority: Recommended (Palantir, others)

Fields #

Name | Description | Rules
ServiceName UnicodeString | Name of the installed service | 43 detection rules
ImagePath UnicodeString | Full path to the executable run when the service is started | 143 detection rules
ServiceType UnicodeString | Known values: 1 = Kernel Driver, 2 = File System Driver, 4 = Adapter, 8 = Recognizer Driver, 16 = Own Process, 32 = Share Process, 256 = Interactive | 4 detection rules
StartType UnicodeString | Known values: 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled |
AccountName UnicodeString | | 1 detection rule

Example Event #

{
  "system": {
    "provider": "Service Control Manager",
    "guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
    "event_source_name": "",
    "event_id": 7045,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9187343239835811840,
    "time_created": "2026-06-13T05:51:28.3169110+00:00",
    "event_record_id": 6965,
    "correlation": {},
    "execution": {
      "process_id": 804,
      "thread_id": 6384
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ServiceName": "KslD",
    "ImagePath": "system32\\drivers\\wd\\KslD.sys",
    "ServiceType": "kernel mode driver",
    "StartType": "demand start",
    "AccountName": ""
  },
  "message": "A service was installed in the system.\r\n\r\nService Name:  KslD\r\nService File Name:  system32\\drivers\\wd\\KslD.sys\r\nService Type:  kernel mode driver\r\nService Start Type:  demand start\r\nService Account:  "
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Provider_Name | eq | Service Control Manager | 46 rules | sigma
ImagePath | contains | cmd | 5 rules | sigma
ImagePath | contains | powershell | 5 rules | sigma
ImagePath | contains | && | 4 rules | sigma
ImagePath | contains | /c | 4 rules | sigma
ImagePath | contains | rundll32 | 4 rules | sigma
ImagePath | contains | %comspec% | 2 rules | sigma
ImagePath | contains | -f | 2 rules | sigma
ImagePath | contains | /r | 2 rules | sigma
ImagePath | contains | cachedump | 2 rules | kusto, sigma
ImagePath | contains | fgexec | 2 rules | kusto, sigma
ImagePath | contains | input | 2 rules | sigma
ImagePath | contains | invoke | 2 rules | sigma
ImagePath | contains | mimidrv | 2 rules | kusto, sigma
ServiceName | eq | KrbSCM | 3 rules | sigma, splunk

Detection Rules #

Sigma #

48 rules total

Splunk #

  • Clop Ransomware Known Service Name: The following analytic identifies the creation of a service with a known name used by CLOP ransomware for persistence and high-privilege code execution. It detects this activity by monitoring Windows Event Logs (EventCode 7045) for…
  • Malicious Powershell Executed As A Service: The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific…
  • Randomly Generated Windows Service Name: The following analytic detects the installation of a Windows Service with a suspicious, high-entropy name, indicating potential malicious activity. It leverages Event ID 7045 and the ut_shannon function from the URL ToolBox Splunk…
  • Windows Bluetooth Service Installed From Uncommon Location: Identifies the creation of a Windows service named "BluetoothService" with a binary path in user-writable directories, particularly %AppData%\Bluetooth. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where…
  • Windows Driver Load Non-Standard Path: The following analytic detects the loading of new Kernel Mode Drivers from non-standard paths using Windows EventCode 7045. It identifies drivers not located in typical directories like Windows, Program Files, or SystemRoot. This activity…
  • Windows KrbRelayUp Service Creation: The following analytic detects the creation of a service with the default name "KrbSCM" associated with the KrbRelayUp tool. It leverages Windows System Event Logs, specifically EventCode 7045, to identify this activity. This behavior is…
  • Windows Service Create RemComSvc: The following analytic detects the creation of the RemComSvc service on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It leverages Windows EventCode 7045 from the System event log, specifically looking for the…
  • Windows Service Create SliverC2: The following analytic detects the creation of a Windows service named "Sliver" with the description "Sliver Implant," indicative of SliverC2 lateral movement using the PsExec module. It leverages Windows EventCode 7045 from the System…
  • Windows Service Created with Suspicious Service Name: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the wineventlog_system to identify these services installations. This activity…
  • Windows Service Created with Suspicious Service Path: The following analytic detects the creation of a Windows Service with a binary path located in uncommon directories, using Windows Event ID 7045. It leverages logs from the wineventlog_system to identify services installed outside…
  • Windows Snake Malware Service Create: The following analytic detects the creation of a new service named WerFaultSvc with a binary path in the Windows WinSxS directory. It leverages Windows System logs, specifically EventCode 7045, to identify this activity. This behavior is…
  • Windows Vulnerable Driver Installed: The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Windows System service install EventCode 7045 to identify driver…
  • Kernel Service Installed - Windows (Windows Event Log): Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).…
  • PSexec Service Creation (Windows Event Log): Detect creation of service for PSexec, as seen with Impacket's PSexec.py or PSexec execution
  • Service Created containing Command Shell (Windows Event Log): This use case detects when a service has been created (event 7045) containing PowerShell or cmd commands

Kusto #

YARA-L #

  • Suspicious Windows Service Installation Detected: This detection rule identifies the creation of a Windows service with a suspicious or known malicious name, as logged by Windows Event ID 7045 (A service was installed in the system). Threat actors, including those associated with ransomware and other advanced persistent threats (APTs), often create services to achieve persistence, lateral movement, remote execution, or privilege escalation. Detection of such activity is critical for identifying early-stage post-compromise behavior.

Event ID 7046: The following service has repeatedly stopped responding to service control requests:

Provider: Service Control Manager
Channel: System

Fields #

Name | Description
param1 UnicodeString

Event ID 1073748859: The param1 service was successfully sent a param2 control.

Provider: Service Control Manager
Channel: System

Description

The param1 service was successfully sent a param2 control.

Message #

The %1 service was successfully sent a %2 control.

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString

Event ID 1073748860: The param1 service entered the param2 state.

Provider: Service Control Manager
Channel: System

Description

The param1 service entered the param2 state.

Message #

The %1 service entered the %2 state.

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString
BinaryData Binary

Example Event #

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7036,
    "level": "Information",
    "task": null,
    "opcode": null,
    "time_created": "2026-05-27T17:33:55.6315440+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "param1": "Network Setup Service",
    "param2": "stopped"
  }
}

Event ID 1073748864: The start type of the param1 service was changed from param2 to param3.

Provider: Service Control Manager
Channel: System

Description

The start type of the param1 service was changed from param2 to param3.

Message #

The start type of the %1 service was changed from %2 to %3.

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString
param3 UnicodeString
param4 UnicodeString

Example Event #

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7040,
    "level": "Information",
    "task": null,
    "opcode": null,
    "time_created": "2026-05-25T03:56:12.3421729+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "param4": "BITS",
    "param2": "auto start",
    "param1": "Background Intelligent Transfer Service",
    "param3": "demand start"
  }
}

Event ID 1073748866: The param1 service was successfully sent a param2 control.

Provider: Service Control Manager
Channel: System

Description

The param1 service was successfully sent a param2 control.

Message #

The %1 service was successfully sent a %2 control.

 The reason specified was: %3 [%4]

 Comment: %5

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString
param3 UnicodeString
param4 UnicodeString
param5 UnicodeString
BinaryData Binary

Example Event #

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7042,
    "level": "Information",
    "task": null,
    "opcode": null,
    "time_created": "2026-03-13T20:18:51.2690981+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "param5": "None",
    "param4": "Operating System: Network Connectivity (Planned)",
    "param2": "stop",
    "param1": "TCP/IP NetBIOS Helper",
    "param3": "0x40030011"
  }
}

Event ID 1073748869: A service was installed in the system.

Provider: Service Control Manager
Channel: System

Description

A service was installed in the system.

Message #

A service was installed in the system.

Service Name: %1
Service File Name: %2
Service Type: %3
Service Start Type: %4
Service Account: %5

Fields #

Name | Description
ServiceName UnicodeString |
ImagePath UnicodeString |
ServiceType UnicodeString | Known values: 1 = Kernel Driver, 2 = File System Driver, 4 = Adapter, 8 = Recognizer Driver, 16 = Own Process, 32 = Share Process, 256 = Interactive
StartType UnicodeString | Known values: 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled
AccountName UnicodeString |

Example Event #

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7045,
    "level": "Information",
    "task": null,
    "opcode": null,
    "time_created": "2026-05-24T22:40:17.7122639+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "ServiceName": "KslD",
    "AccountName": null,
    "StartType": "demand start",
    "ServiceType": "kernel mode driver",
    "ImagePath": "system32\\drivers\\wd\\KslD.sys"
  }
}

Event ID 2147490687: A service process other than the one launched by the Service Control Manager connected when starting the param1 service.

Provider: Service Control Manager
Channel: System

Description

A service process other than the one launched by the Service Control Manager connected when starting the param1 service. The Service Control Manager launched process param2 and process param3 connected instead.

Message #

A service process other than the one launched by the Service Control Manager connected when starting the %1 service.  The Service Control Manager launched process %2 and process %3 connected instead.

  Note that if this service is configured to start under a debugger, this behavior is expected.

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString
param3 UnicodeString

Event ID 2147490692: The following service is taking more than param2 minutes to start and may have stopped responding: param1 Contact your system administrator or service vend...

Provider: Service Control Manager
Channel: System

Description

The following service is taking more than param2 minutes to start and may have stopped responding: param1.

Message #

The following service is taking more than %2 minutes to start and may have stopped responding: %1

Contact your system administrator or service vendor for approximate startup times for this service.

If you think this service might be slowing system response or logon time, talk to your system administrator about whether the service should be disabled until the problem is identified.

You may have to restart the computer in safe mode before you can disable the service.

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString
BinaryData Binary

Event ID 2147490694: The following service has repeatedly stopped responding to service control requests: param1 Contact the service vendor or the system administrator abou...

Provider: Service Control Manager
Channel: System

Description

The following service has repeatedly stopped responding to service control requests: param1.

Message #

The following service has repeatedly stopped responding to service control requests: %1

Contact the service vendor or the system administrator about whether to disable this service until the problem is identified.

You may have to restart the computer in safe mode before you can disable the service.

Fields #

Name | Description
param1 UnicodeString

Event ID 2147490695: The following services failed to start during a run level switch: {Failed Service Names} Please start the services manually and retry the run level ...

Provider: Service Control Manager
Channel: System

Message #

The following services failed to start during a run level switch: {Failed Service Names} Please start the services manually and retry the run level switch again or contact the service vendor or administrator.

Event ID 2147490696: A run level switch failed.

Provider: Service Control Manager
Channel: System

Message #

A run level switch failed. The {Failed Service Name} service did not stop correctly with the following error: {Error} Please stop this service manually and retry the run level switch again or contact the service vendor or administrator.

Fields #

Name | Description
Error

Event ID 3221232472: The param1 service failed to start due to the following error: param2.

Provider: Service Control Manager
Channel: System

Description

The param1 service failed to start due to the following error.

Message #

The %1 service failed to start due to the following error: 
%2

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString
BinaryData Binary

Example Event #

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7000,
    "level": "Error",
    "task": null,
    "opcode": null,
    "time_created": "2026-04-23T08:40:26.2875562+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "param1": "luafv",
    "param2": "%%1275"
  }
}

Event ID 3221232473: The param1 service depends on the param2 service which failed to start because of the following error: param3.

Provider: Service Control Manager
Channel: System

Description

The param1 service depends on the param2 service which failed to start because of the following error.

Message #

The %1 service depends on the %2 service which failed to start because of the following error: 
%3

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString
param3 UnicodeString
BinaryData Binary

Example Event #

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7001,
    "level": "Error",
    "task": null,
    "opcode": null,
    "time_created": "2026-04-23T08:40:34.9757061+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "param2": "RemoteRegistry",
    "param1": "Dfs",
    "param3": "%%1058"
  }
}

Event ID 3221232474: The param1 service depends on the param2 group and no member of this group started.

Provider: Service Control Manager
Channel: System

Description

The param1 service depends on the param2 group and no member of this group started.

Message #

The %1 service depends on the %2 group and no member of this group started.

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString
BinaryData Binary

Event ID 3221232475: The param1 service depends on the following service: param2.

Provider: Service Control Manager
Channel: System

Description

The param1 service depends on the following service: param2. This service might not be installed.

Message #

The %1 service depends on the following service: %2. This service might not be installed.

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString
BinaryData Binary

Event ID 3221232477: The param1 call failed with the following error: param2.

Provider: Service Control Manager
Channel: System

Description

The param1 call failed with the following error.

Message #

The %1 call failed with the following error: 
%2

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString

Event ID 3221232478: The param1 call failed for param2 with the following error: param3.

Provider: Service Control Manager
Channel: System

Description

The param1 call failed for param2 with the following error.

Message #

The %1 call failed for %2 with the following error: 
%3

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString
param3 UnicodeString

Event ID 3221232479: The system reverted to its last known good configuration.

Provider: Service Control Manager
Channel: System

Description

The system reverted to its last known good configuration. The system is restarting....

Message #

The system reverted to its last known good configuration.  The system is restarting....

Example Event #

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7007,
    "level": "Error",
    "task": null,
    "opcode": null,
    "time_created": "2026-03-17T19:22:46.0073056+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {}
}

Event ID 3221232480: No backslash is in the account name.

Provider: Service Control Manager
Channel: System

Description

No backslash is in the account name. The account name must be in the form: domain\user.

Message #

No backslash is in the account name. The account name must be in the form: domain\user.

Event ID 3221232481: A timeout was reached (param1 milliseconds) while waiting for the param2 service to connect.

Provider: Service Control Manager
Channel: System

Description

A timeout was reached (param1 milliseconds) while waiting for the param2 service to connect.

Message #

A timeout was reached (%1 milliseconds) while waiting for the %2 service to connect.

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString
BinaryData Binary

Example Event #

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7009,
    "level": "Error",
    "task": null,
    "opcode": null,
    "time_created": "2026-03-13T20:18:33.1780438+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "param1": "30000",
    "param2": "EvtGen Test Service 1"
  }
}

Event ID 3221232482: A timeout (param1 milliseconds) was reached while waiting for ReadFile.

Provider: Service Control Manager
Channel: System

Description

A timeout (param1 milliseconds) was reached while waiting for ReadFile.

Message #

A timeout (%1 milliseconds) was reached while waiting for ReadFile.

Fields #

Name | Description
param1 UnicodeString

Event ID 3221232483: A timeout (param1 milliseconds) was reached while waiting for a transaction response from the param2 service.

Provider: Service Control Manager
Channel: System

Description

A timeout (param1 milliseconds) was reached while waiting for a transaction response from the param2 service.

Message #

A timeout (%1 milliseconds) was reached while waiting for a transaction response from the %2 service.

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString

Event ID 3221232484: The message returned in the transaction has incorrect size.

Provider: Service Control Manager
Channel: System

Description

The message returned in the transaction has incorrect size.

Message #

The message returned in the transaction has incorrect size.

Event ID 3221232485: Logon attempt with current password failed with the following error.

Provider: Service Control Manager
Channel: System

Description

Logon attempt with current password failed with the following error.

Message #

Logon attempt with current password failed with the following error: 
%1

Fields #

Name | Description
param1 UnicodeString

Event ID 3221232486: Second logon attempt with old password also failed with the following error.

Provider: Service Control Manager
Channel: System

Description

Second logon attempt with old password also failed with the following error.

Message #

Second logon attempt with old password also failed with the following error: 
%1

Fields #

Name | Description
param1 UnicodeString

Event ID 3221232487: Boot-start or system-start driver ({param1}) must not depend on a service.

Provider: Service Control Manager
Channel: System

Description

Boot-start or system-start driver ({param1}) must not depend on a service.

Message #

Boot-start or system-start driver ({param1}) must not depend on a service.

Fields #

Name | Description
param1

Event ID 3221232488: The param1 service has reported an invalid current state param2.

Provider: Service Control Manager
Channel: System

Description

The param1 service has reported an invalid current state param2.

Message #

The %1 service has reported an invalid current state %2.

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString

Event ID 3221232489: Detected circular dependencies demand starting param1.

Provider: Service Control Manager
Channel: System

Description

Detected circular dependencies demand starting param1. Check the service dependency tree.

Message #

Detected circular dependencies demand starting %1. Check the service dependency tree.

Fields #

Name | Description
param1 UnicodeString
BinaryData Binary

Event ID 3221232490: Detected circular dependencies auto-starting services.

Provider: Service Control Manager
Channel: System

Description

Detected circular dependencies auto-starting services. Check the service dependency tree.

Message #

Detected circular dependencies auto-starting services. Check the service dependency tree.

Event ID 3221232491: The param1 service depends on a service in a group which starts later.

Provider: Service Control Manager
Channel: System

Description

The param1 service depends on a service in a group which starts later. Change the order in the service dependency tree to ensure that all services required to start this service are starting before this service is started.

Message #

The %1 service depends on a service in a group which starts later. Change the order in the service dependency tree to ensure that all services required to start this service are starting before this service is started.

Fields #

Name | Description
param1 UnicodeString
BinaryData Binary

Event ID 3221232492: The param1 service depends on a group which starts later.

Provider: Service Control Manager
Channel: System

Description

The param1 service depends on a group which starts later. Change the order in the service dependency tree to ensure that all services required to start this service are starting before this service is started.

Message #

The %1 service depends on a group which starts later. Change the order in the service dependency tree to ensure that all services required to start this service are starting before this service is started.

Fields #

Name | Description
param1 UnicodeString
BinaryData Binary

Event ID 3221232493: About to revert to the last known good configuration because the param1 service failed to start.

Provider: Service Control Manager
Channel: System

Description

About to revert to the last known good configuration because the param1 service failed to start.

Message #

About to revert to the last known good configuration because the %1 service failed to start.

Fields #

Name | Description
param1 UnicodeString

Event ID 3221232494: The param1 service hung on starting.

Provider: Service Control Manager
Channel: System

Description

The param1 service hung on starting.

Message #

The %1 service hung on starting.

Fields #

Name | Description
param1 UnicodeString
BinaryData Binary

Event ID 3221232495: The param1 service terminated with the following error: param2.

Provider: Service Control Manager
Channel: System

Description

The param1 service terminated with the following error.

Message #

The %1 service terminated with the following error: 
%2

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString
BinaryData Binary

Example Event #

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7023,
    "level": "Error",
    "task": null,
    "opcode": null,
    "time_created": "2026-03-17T19:23:53.2795014+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "param1": "SysMain",
    "param2": "%%87"
  }
}

Event ID 3221232496: The param1 service terminated with the following service-specific error: param2.

Provider: Service Control Manager
Channel: System

Description

The param1 service terminated with the following service-specific error.

Message #

The %1 service terminated with the following service-specific error: 
%2

Fields #

Name | Description
param1 UnicodeString
param2 UnicodeString
BinaryData Binary

Example Event #

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7024,
    "level": "Error",
    "task": null,
    "opcode": null,
    "time_created": "2026-03-17T19:22:45.9604304+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "param1": "mpssvc",
    "param2": "%%1747"
  }
}

Event ID 3221232497: At least one service or driver failed during system startup.

Provider: Service Control Manager
Channel: System

Description

At least one service or driver failed during system startup. Use Event Viewer to examine the event log for details.

Message #

At least one service or driver failed during system startup.  Use Event Viewer to examine the event log for details.

Event ID 3221232498: The following boot-start or system-start driver(s) did not load: param1.

Provider: Service Control Manager
Channel: System

Description

The following boot-start or system-start driver(s) did not load: param1.

Message #

The following boot-start or system-start driver(s) did not load: %1

Fields #

Name | Description
param1 UnicodeString

Example Event #

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7026,
    "level": "Information",
    "task": null,
    "opcode": null,
    "time_created": "2026-04-23T08:41:06.4457410+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "param1": "\ndam"
  }
}

Event ID 3221232499: Windows could not be started as configured.

Provider: Service Control Manager
Channel: System

Description

Windows could not be started as configured. Starting Windows using a previous working configuration.

Message #

Windows could not be started as configured. Starting Windows using a previous working configuration.

Event ID 3221232500: The param1 Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.

Provider: Service Control Manager
Channel: System

Description

The param1 Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.

Message #

The %1 Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.

Fields #

Name | Description
param1 UnicodeString

Event ID 3221232501: Service Control Manager

Provider: Service Control Manager
Channel: System

Description

Service Control Manager.

Message #

Service Control Manager

Event ID 3221232502: The param1 service is marked as an interactive service.

Provider: Service Control Manager
Channel: System

Description

The param1 service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Message #

The %1 service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Fields #

Name | Description
param1 UnicodeString

Example Event #

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7030,
    "level": "Error",
    "task": null,
    "opcode": null,
    "time_created": "2026-03-13T20:18:02.9535937+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "param1": "EvtGenSvc3"
  }
}

Event ID 3221232503: The param1 service terminated unexpectedly.

Provider: Service Control Manager
Channel: System

Description

The param1 service terminated unexpectedly. It has done this param2 time(s). The following corrective action will be taken in param3 milliseconds: param5.

Message

The %1 service terminated unexpectedly.  It has done this %2 time(s).  The following corrective action will be taken in %3 milliseconds: %5.

Fields

Name        Description
param1      UnicodeString
param2      UnicodeString
param3      UnicodeString
param4      UnicodeString
param5      UnicodeString
BinaryData  Binary

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7031,
    "level": "Error",
    "task": null,
    "opcode": null,
    "time_created": "2026-03-15T04:27:06.7209807+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "param5": "Restart the service",
    "param4": "1",
    "param2": "1",
    "param1": "COM+ System Application",
    "param3": "1000"
  }
}

Event ID 3221232504: The Service Control Manager tried to take a corrective action (param2) after the unexpected termination of the param3 service, but this action failed with ...

Provider: Service Control Manager
Channel: System

Description

The Service Control Manager tried to take a corrective action (param2) after the unexpected termination of the param3 service, but this action failed with the following error.

Message

The Service Control Manager tried to take a corrective action (%2) after the unexpected termination of the %3 service, but this action failed with the following error: 
%4

Fields

Name        Description
param1      UnicodeString
param2      UnicodeString
param3      UnicodeString
param4      UnicodeString

Event ID 3221232505: The Service Control Manager did not initialize successfully.

Provider: Service Control Manager
Channel: System

Description

The Service Control Manager did not initialize successfully. The security configuration server (scesrv.dll) failed to initialize with error {param1}. The system is restarting...

Message

The Service Control Manager did not initialize successfully. The security configuration server (scesrv.dll) failed to initialize with error {param1}.  The system is restarting...

Fields

Name        Description
param1

Event ID 3221232506: The param1 service terminated unexpectedly.

Provider: Service Control Manager
Channel: System

Description

The param1 service terminated unexpectedly. It has done this param2 time(s).

Message

The %1 service terminated unexpectedly.  It has done this %2 time(s).

Fields

Name        Description
param1      UnicodeString
param2      UnicodeString
BinaryData  Binary

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7034,
    "level": "Error",
    "task": null,
    "opcode": null,
    "time_created": "2026-03-18T02:10:57.0237119+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "param1": "Elastic Winlogbeat 9.2.3",
    "param2": "1"
  }
}

Event ID 3221232509: The Service Control Manager encountered an error undoing a configuration change to the param1 service.

Provider: Service Control Manager
Channel: System

Description

The Service Control Manager encountered an error undoing a configuration change to the param1 service. The service's param2 is currently in an unpredictable state. If you do not correct this configuration, you may not be able to restart the param1 service or may encounter other errors. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Message

The Service Control Manager encountered an error undoing a configuration change to the %1 service.  The service's %2 is currently in an unpredictable state.  If you do not correct this configuration, you may not be able to restart the %1 service or may encounter other errors.  To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Fields

Name        Description
param1      UnicodeString
param2      UnicodeString

Event ID 3221232510: The param1 service was unable to log on as param2 with the currently configured password due to the following error.

Provider: Service Control Manager
Channel: System

Description

The param1 service was unable to log on as param2 with the currently configured password due to the following error.

Message

The %1 service was unable to log on as %2 with the currently configured password due to the following error: 
%3

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Fields

Name        Description
param1      UnicodeString
param2      UnicodeString
param3      UnicodeString

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7038,
    "level": "Error",
    "task": null,
    "opcode": null,
    "time_created": "2026-03-17T19:22:45.9604304+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "param2": "NT Authority\\LocalService",
    "param1": "SstpSvc",
    "param3": "%%50"
  }
}

Event ID 3221232513: The Service service was unable to log on as DomainAndAccount with the currently configured password due to the following error: Logon failure: the user has not been g...

Provider: Service Control Manager
Channel: System

Description

The Service service was unable to log on as DomainAndAccount with the currently configured password due to the following error.

Message

The %1 service was unable to log on as %2 with the currently configured password due to the following error: 
Logon failure: the user has not been granted the requested logon type at this computer.
 
Service: %1 
Domain and account: %2
 
This service account does not have the required user right "Log on as a service."
 
User Action
 
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
 
If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.

Fields

Name        Description
param1      UnicodeString
param2      UnicodeString

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7041,
    "level": "Error",
    "task": null,
    "opcode": null,
    "time_created": "2026-03-13T20:17:37.9083450+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "param1": "EvtGenSvc",
    "param2": ".\\domainadmin"
  }
}

Event ID 3221232515: The param1 service did not shut down properly after receiving a preshutdown control.

Provider: Service Control Manager
Channel: System

Description

The param1 service did not shut down properly after receiving a preshutdown control.

Message

The %1 service did not shut down properly after receiving a preshutdown control.

Fields

Name        Description
param1      UnicodeString
BinaryData  Binary

Example Event

{
  "system": {
    "provider": "Service Control Manager",
    "event_id": 7043,
    "level": "Error",
    "task": null,
    "opcode": null,
    "time_created": "2026-04-23T15:32:23.2781270+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "param1": "Windows Defender Advanced Threat Protection Service"
  }
}

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 555908d1-a6d7-4695-8e1e-26931d2012f4

Defined in services.exe, which carries the event manifest.

Observed on:

  • WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
  • Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02