Windows Log Analysis

  • Description: Windows event IDs that help in log analysis. Most events are in the Security log, many only logged on Domain Controller

    • “Windows Event logs” or “Event Logs” are files in binary format (with .evtx extension), stored here:

      • Windows 2000 to WinXP/Windows Server 2003: %WinDir%\system32\Config*.evt

      • Windows Server 2008 to 2019, and Windows Vista to Win10: %WinDir%\system32\WinEVT\Logs*.evtx

  • Event Log Categories

    • Application: Events logged by an application (Execution, Deployment error, etc.)

    • System: Events logged by the Operating System (Device loading, startup errors, etc.)

    • Security: Events that are relevant to the security of the system (Logins and logouts, file deletion, granting of administration permissions, etc.)

    • Directory Service: This is a record available only to Domain Controllers, it stores Active Directory (AD) events

    • DNS Server: It is a record available only to DNS servers; logs of DNS service are stored

    • File Replication Service: Is a record available only for Domain Controllers, it stores Domain Controller Replication events

  • Events

    • User logon/logoff

      • Successful logon: 528, 540, 4624, 5379

      • Failed logon: 529-537, 539, 4625

      • Logoff: 538, 551, 4672, 4634, 4647

      • Special Logon: 4672

      • Logon attempt with explicit credentials: 4648

      • Replay attack detected: 4649

    • User account changes

      • Created 624, 4720

      • Enabled 626

      • Changed 642

      • Disabled 629

      • Deleted 630. 4726

      • Memeber added to security enabled group: 4732

    • Password changes

      • To self: 628

      • To others: 627

      • Password reset: 4724

    • File access events

      • A handle to an object was requested with intent to delete: 4659

      • A handle to an object was requested: 4656

      • The handle to an object was closed: 4658

      • An object was deleted: 4660

      • An attempt was made to access an object: 4663

      • The state of a transaction has changed: 4685

      • The state of a transaction has changed: 4985

    • Anamolous events

      • Service started or stopped: 7035, 7036

      • Object access denied (if auditing enabled): 560, 567

      • High number of deleted files: 4663

      • Changes to user rights assignments: 4704, 4717

      • Altered Audit and Account policies: 4719, 4739

      • Security log cleared: 1102

      • Reboot: 1074

      • SIDs filtered: 4675

      • New domain trust: 4706

  • Resources

PreviousWeb Server Log AnalysisNextSystems Forensics

Last updated