Find the service creation date in Windows?

There is no way to determine the creation date for a particular Windows service as both the services applet and the Windows registry does not store any dates relating to creations.

There is, however, a last modified date which is hidden away from view (including in the Windows registry editor) but can be accessed using RegQueryInfoKey. Since all Windows services stored in the registry, you can check the Last Modified Date against the registry keys related to the service in question by looking in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Alternatively, if you export the registry key(s) you want information on as a text file, the last modified date for each key is written in the text file.

enter image description here

Finally, a solution using PowerShell to return the Last Modified Date has already been discussed on Stack Overflow.


Starting in Vista, service creation is logged to the "System" event log under Service Control Manager event ID 7045.

For example, the following command:

C:\>sc create hello binpath= notepad.exe
[SC] CreateService SUCCESS

Produced the following event log entry:

Log Name:      System
Source:        Service Control Manager
Date:          12/16/2014 3:00:00 PM
Event ID:      7045
Task Category: None
Level:         Information
Keywords:      Classic
User:          DOMAIN\username
Computer:      WORKSTATION.DOMAIN.local
Description:
A service was installed in the system.

Service Name:  hello
Service File Name:  notepad.exe
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem

Tags:

Forensics