Memo / Windows Eventlog
03 Jul 2020
Summary
Brief memo about Windows event logs.
Environment
- Windows Server 2016 Standard Evaluation
Explanation
We can use the GUI app Event Viewer to manage event logs, or we can use the command line for the same purpose.
Windows event logs are stored in the EVTX format in the following folder:
C:\Windows\System32\winevt\Logs
Event Logs
1. Application:
Information logged by applications installed on the local machine.
2. Security:
Information related to login attempts, elevated privileges, and other audited events.
3. Setup:
Messages generated when installing and upgrading the Windows operating system; on domain controllers, this log also records domain controller setup events.
4. System:
Messages generated by the Windows operating system.
5. Forwarded Events:
Events sent to this computer from other computers.
Log levels
Each event in a log is tagged with one of these levels.
1. Info:
An event that describes the successful operation of an application, driver, or service.
2. Warning:
An event that is not necessarily significant, but may indicate a possible future problem.
3. Error:
A significant problem, such as loss of data or loss of functionality.
4. Success Audit:
An audited security access attempt that succeeds. Only used in the Security log.
5. Failure Audit:
An audited security access attempt that fails. Only used in the Security log.
Application events
Event file:
%SystemRoot%\System32\Winevt\Logs\Application.evtx
Security events
Event file:
%SystemRoot%\System32\Winevt\Logs\Security.evtx
Event ID 4624: Logon success (an account was successfully logged on)
Event ID 4625: Logon failed (an account failed to log on)
Event ID 4634: Logoff (an account was logged off)
Event ID 4648: A logon was attempted using explicit credentials
This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials.
Most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command.
Event ID 4662: Directory Service Access
Active Directory logs this event when a user accesses an AD object (such as an account) that has auditing enabled.
Event ID 4672: Special Logon
This event lets you know whenever an account assigned any “admin equivalent” user rights logs on.
Event ID 4768: Kerberos Authentication Service
Events for both successful and failed TGT requests.
Event ID 4769: Kerberos Service Ticket Operation
Events for both successful and failed service ticket requests.
System log
Event file:
%SystemRoot%\System32\Winevt\Logs\System.evtx
Event ID 7036: A service entered the running or stopped state (logged by the Service Control Manager).
PowerShell
We have two cmdlets for working with event logs. Get-EventLog only reads the classic logs (Application, Security, System, ...) and is not available in PowerShell 7; Get-WinEvent reads every log, including .evtx files on disk.
Get-EventLog
Getting newest logs:
PS C:\Users\Administrator> get-eventlog -LogName Application -Newest 10
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
1231 Jul 02 05:17 0 Software Protecti... 1073742727 The Software Protection service has stopped....
1230 Jul 02 05:17 Information Software Protecti... 1073758208 Successfully scheduled Software Protection service for re-start at 2020-07-03T12:16:47Z. Reason: TBL.
1229 Jul 02 05:17 0 Software Protecti... 1073742726 The Software Protection service has started....
1228 Jul 02 05:17 Information Software Protecti... 2147484685 Time-based license remaining validity time 214222 minutes.
1227 Jul 02 05:17 Information Software Protecti... 1073742827 The Software Protection service has completed licensing status check....
1226 Jul 02 05:17 Information Software Protecti... 1073742890 Initialization status for service objects....
1225 Jul 02 05:17 Information Software Protecti... 1073742724 The Software Protection service is starting....
1224 Jul 02 05:12 Information ESENT 326 DFSRs (1940) \\.\C:\System Volume Information\DFSR\database_383A_FFA5_3AFF_5DF6\dfsr.db: The database engine attached a data...
1223 Jul 02 05:12 Information ESENT 105 DFSRs (1940) \\.\C:\System Volume Information\DFSR\database_383A_FFA5_3AFF_5DF6\dfsr.db: The database engine started a new i...
1222 Jul 02 05:12 Information ESENT 102 DFSRs (1940) \\.\C:\System Volume Information\DFSR\database_383A_FFA5_3AFF_5DF6\dfsr.db: The database engine (10.00.14393.00...
Getting log entries for a specific period:
PS C:\Users\Administrator> get-eventlog -LogName Application -After 2020/07/01 -Before 2020/07/03
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
1231 Jul 02 05:17 0 Software Protecti... 1073742727 The Software Protection service has stopped....
1230 Jul 02 05:17 Information Software Protecti... 1073758208 Successfully scheduled Software Protection service for re-start at 2020-07-03T12:16:47Z. Reason: TBL.
1229 Jul 02 05:17 0 Software Protecti... 1073742726 The Software Protection service has started....
1228 Jul 02 05:17 Information Software Protecti... 2147484685 Time-based license remaining validity time 214222 minutes.
1227 Jul 02 05:17 Information Software Protecti... 1073742827 The Software Protection service has completed licensing status check....
1226 Jul 02 05:17 Information Software Protecti... 1073742890 Initialization status for service objects....
1225 Jul 02 05:17 Information Software Protecti... 1073742724 The Software Protection service is starting....
---
Get-WinEvent
Getting newest events:
PS C:\Users\Administrator> Get-WinEvent -ComputerName WIN-K0TMKMC41V4 -LogName system -MaxEvents 10
ProviderName: Service Control Manager
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
7/2/2020 9:28:29 AM 7036 Information The Microsoft Account Sign-in Assistant service entered the running state.
7/2/2020 9:28:29 AM 7036 Information The Update Orchestrator Service for Windows Update service entered the running state.
7/2/2020 9:28:26 AM 7036 Information The Windows Modules Installer service entered the running state.
7/2/2020 9:28:26 AM 7036 Information The Windows Update service entered the running state.
7/2/2020 9:26:31 AM 7036 Information The Windows Modules Installer service entered the stopped state.
7/2/2020 9:26:20 AM 7036 Information The Microsoft Passport service entered the stopped state.
7/2/2020 9:25:59 AM 7036 Information The Software Protection service entered the stopped state.
7/2/2020 9:25:28 AM 7036 Information The Software Protection service entered the running state.
7/2/2020 9:24:30 AM 7036 Information The Windows Modules Installer service entered the running state.
7/2/2020 9:24:23 AM 7036 Information The Network Setup Service service entered the stopped state.
Getting logon events for a specific period (max 5):
PS C:\Users\Administrator> Get-WinEvent -FilterHashtable @{logname='security';id=4624;StartTime="2020/07/01";EndTime="2020/07/03"} -MaxEvents 5
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
7/2/2020 9:09:55 PM 4624 Information An account was successfully logged on....
7/2/2020 9:08:55 PM 4624 Information An account was successfully logged on....
7/2/2020 9:07:55 PM 4624 Information An account was successfully logged on....
7/2/2020 9:07:16 PM 4624 Information An account was successfully logged on....
7/2/2020 9:07:16 PM 4624 Information An account was successfully logged on....
Getting events from an event log file (Max 5):
PS C:\Users\Administrator> Get-WinEvent -Path C:\Windows\System32\Winevt\Logs\Security.evtx -MaxEvents 5
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
7/2/2020 9:16:56 PM 4634 Information An account was logged off....
7/2/2020 9:16:56 PM 4624 Information An account was successfully logged on....
7/2/2020 9:16:56 PM 4672 Information Special privileges assigned to new logon....
7/2/2020 9:16:41 PM 4634 Information An account was logged off....
7/2/2020 9:16:41 PM 4624 Information An account was successfully logged on....
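The Security event IDs listed earlier (4624, 4625, 4672) and the Get-WinEvent filters shown above, as an added example that is not part of the original memo: it parses the EventData fields out of each event's XML, summarizes failed logons by account and source address, and joins each 4672 special logon to its 4624 logon via the shared logon ID so you can see which account got admin-equivalent rights and from where. It assumes an elevated prompt (the Security log is not readable otherwise) or, with -EvtxPath, an exported .evtx file; the function name ConvertFrom-EventData is my own.

```powershell
# Added example (not from the original memo). Assumes an elevated prompt for the
# live Security log, or -EvtxPath pointing at an exported Security.evtx.
param(
    [string]$EvtxPath = '',
    [datetime]$StartTime = (Get-Date).AddDays(-1),
    [datetime]$EndTime = (Get-Date)
)

# Turn <EventData><Data Name="...">value</Data> ... into an object with one
# property per field (TargetUserName, IpAddress, LogonType, SubjectLogonId, ...).
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{ Id = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

$filter = @{ Id = 4624, 4625, 4672; StartTime = $StartTime; EndTime = $EndTime }
if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-EventData $_ }

# 1. Failed logons (4625) grouped by target account and source address.
"== Failed logons by account / source =="
$events | Where-Object Id -eq 4625 |
    Group-Object TargetUserName, IpAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Successful logons (4624) by logon type (2 interactive, 3 network, 10 RDP).
"== Successful logons by LogonType =="
$events | Where-Object Id -eq 4624 |
    Group-Object LogonType | Select-Object Count, Name | Format-Table -AutoSize

# 3. Special logons (4672): SubjectLogonId matches TargetLogonId of the 4624
#    for the same session, so the join recovers logon type and source address.
"== Admin-equivalent logons (4672 joined to 4624) =="
$logons = @{}
$events | Where-Object Id -eq 4624 | ForEach-Object { $logons[$_.TargetLogonId] = $_ }
$events | Where-Object Id -eq 4672 | ForEach-Object {
    $l = $logons[$_.SubjectLogonId]
    [pscustomobject]@{ Time = $_.Time; Account = $_.SubjectUserName
                       LogonType = $l.LogonType; Source = $l.IpAddress }
} | Format-Table -AutoSize
```

Save it as a .ps1 and run it with no arguments for the last 24 hours of the live log, or with -EvtxPath to analyze a copied log offline.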