diff --git a/src/detections/system.rs b/src/detections/system.rs
index b84a3c2c..ba9175b9 100644
--- a/src/detections/system.rs
+++ b/src/detections/system.rs
@@ -1,3 +1,4 @@
+use crate::detections::utils;
 use crate::models::event;
 use std::collections::HashMap;
 
@@ -15,42 +16,73 @@ impl System {
         event_data: HashMap,
     ) {
         self.system_log_clear(&event_id);
-        self.windows_event_log(&event_id, event_data);
-        self.new_service_created(&event_id);
-        self.interactive_service_warning(&event_id);
-        self.suspicious_service_name(&event_id);
+        self.windows_event_log(&event_id, &event_data);
+        self.new_service_created(&event_id, &event_data);
+        self.interactive_service_warning(&event_id, &event_data);
+        self.suspicious_service_name(&event_id, &event_data);
     }
 
-    fn new_service_created(&mut self, event_id: &String) {
+    fn new_service_created(&mut self, event_id: &String, event_data: &HashMap) {
         if event_id != "7045" {
-            return
+            return;
+        }
+
+        let servicename = &event_data["ServiceName"];
+        let commandline = &event_data["ImagePath"];
+        let text = utils::check_regex(&servicename, 1);
+        if !text.is_empty() {
+            println!("Message : New Service Created");
+            println!("Command : {}", commandline);
+            println!("Results : Service name: {}", servicename);
+            println!("Results : {}", text);
+        }
+        if !commandline.is_empty() {
+            utils::check_command(7045, &commandline, 1000, 0, &servicename, &"");
         }
     }
 
-    fn interactive_service_warning(&mut self, event_id: &String) {
+    fn interactive_service_warning(
+        &mut self,
+        event_id: &String,
+        event_data: &HashMap,
+    ) {
         if event_id != "7030" {
-            return
+            return;
         }
+
+        let servicename = &event_data["param1"];
+        println!("Message : Interactive service warning");
+        println!("Results : Service name: {}", servicename);
+        println!("Results : Malware (and some third party software) trigger this warning");
+        println!("{}", utils::check_regex(&servicename, 1));
     }
 
-    fn suspicious_service_name(&mut self, event_id: &String) {
+    fn suspicious_service_name(&mut self, event_id: &String, event_data: &HashMap) {
         if event_id != "7036" {
-            return
+            return;
+        }
+
+        let servicename = &event_data["param1"];
+        let text = utils::check_regex(&servicename, 1);
+        if !text.is_empty() {
+            println!("Message : Suspicious Service Name");
+            println!("Results : Service name: {}", servicename);
+            println!("Results : {}", text);
         }
     }
 
     fn system_log_clear(&mut self, event_id: &String) {
         if event_id != "104" {
-            return
+            return;
         }
         println!("Message : System Log Clear");
         println!("Results : The System log was cleared.");
     }
 
-    fn windows_event_log(&mut self, event_id: &String, event_data: HashMap) {
+    fn windows_event_log(&mut self, event_id: &String, event_data: &HashMap) {
         if event_id != "7040" {
-            return
+            return;
         }
 
         if let Some(_param1) = event_data.get("param1") {
diff --git a/src/detections/utils.rs b/src/detections/utils.rs
index dabc8814..deae75df 100644
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -51,9 +51,9 @@ pub fn check_command(
             .unwrap()
             .is_match(commandline)
         {
-            let re = Regex::new(r"^^.*:FromBase64String\(\'*").unwrap();
+            let re = Regex::new(r"^.*:FromBase64String\('*").unwrap();
             base64.push_str(&re.replace_all(commandline, ""));
-            let re = Regex::new(r"\'.*$").unwrap();
+            let re = Regex::new(r"'.*$").unwrap();
             base64.push_str(&re.replace_all(&base64.to_string(), ""));
         }
         if !base64.is_empty() {
@@ -61,12 +61,16 @@ pub fn check_command(
             .unwrap()
             .is_match(commandline)
         {
-            let decoded = base64::decode(base64).unwrap();
+            /*
+            if let decoded = base64::decode(&base64) {
             let mut d = GzDecoder::new(decoded.as_slice());
             let mut uncompressed = String::new();
             d.read_to_string(&mut uncompressed).unwrap();
             println!("Decoded : {}", uncompressed);
             text.push_str("Base64-encoded and compressed function\n");
+
+            }
+            */
         } else {
             let decoded = base64::decode(base64).unwrap();
             println!("Decoded : {}", str::from_utf8(decoded.as_slice()).unwrap());
@@ -76,6 +80,7 @@ pub fn check_command(
         }
     }
     if !text.is_empty() {
+        println!("EventID : {}", event_id);
         if servicecmd != 0 {
             println!("Message : Suspicious Service Command");
             println!("Results : Service name: {}\n", servicename);
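Review bot: `event_data["ServiceName"]` and `event_data["ImagePath"]` in new_service_created, and `event_data["param1"]` in interactive_service_warning and suspicious_service_name, index the map directly and panic when the key is absent, so a single event record with a missing field aborts the whole run and every later detection with it; the records come from external logs, and the unchanged `windows_event_log` at the bottom of this hunk already uses `event_data.get("param1")` with `if let` for exactly this case. Replace the indexing with a checked lookup in all three methods, e.g. `let Some(servicename) = event_data.get("ServiceName") else { return; };` (or an `if let Some(..)` guard on toolchains without let-else). The extra `&` in `utils::check_regex(&servicename, 1)` is redundant since `servicename` is already a reference.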
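Review bot: Both changed `Regex::new(...).unwrap()` lines compile a fixed pattern inside check_command, i.e. once per event that reaches this branch rather than once per process; the pattern fix itself is fine, but these two (and the `.unwrap()` on the preceding `.is_match` chain) belong in a `static` initialised once (`std::sync::OnceLock` or the crate's existing lazy-static mechanism). Since the patterns are literals, a compile failure is a programming error, so `expect("static regex is valid")` stating that invariant reads better than a bare `unwrap()`. check_command starts and ends outside this hunk.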
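Review bot: Commenting out the decompression branch leaves the `if` arm empty, so a command line that matches the compressed-payload pattern now prints nothing and adds nothing to `text`; the "Base64-encoded and compressed function" finding is silently dropped while the `else` arm still calls `base64::decode(base64).unwrap()` and `str::from_utf8(..).unwrap()` on content taken from the event itself, which will panic on malformed input. The commented block also carries `if let decoded = base64::decode(&base64) {`, an irrefutable pattern that would not compile as a check, so it should not be left as a draft for later. Handle the decode and gunzip errors explicitly instead of disabling the branch, keeping the finding even when the payload cannot be rendered; the enclosing check_command starts and ends outside this hunk.
```rust
        {
            match base64::decode(&base64) {
                Ok(decoded) => {
                    let mut d = GzDecoder::new(decoded.as_slice());
                    let mut uncompressed = String::new();
                    // Payload comes from the event record: report, never panic.
                    if d.read_to_string(&mut uncompressed).is_ok() {
                        println!("Decoded : {}", uncompressed);
                    }
                    text.push_str("Base64-encoded and compressed function\n");
                }
                Err(e) => println!("Decode failed : {}", e),
            }
        } else {
            // … unchanged: plain base64 branch (still unwraps, same concern applies) …
```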
@@ -84,7 +89,6 @@ pub fn check_command(
         }
         println!("command : {}", commandline);
         println!("result : {}", text);
-        println!("EventID : {}", event_id);
     }
 }
 
@@ -126,7 +130,7 @@ fn check_obfu(string: &str) -> std::string::String {
     return obfutext;
 }
 
-fn check_regex(string: &str, r#type: usize) -> std::string::String {
+pub fn check_regex(string: &str, r#type: usize) -> std::string::String {
     let empty = "".to_string();
     let mut regextext = "".to_string();
     for line in configs::singleton().regex {