thoughts from the Windows auditing team
Farewell for now...
I have resigned from Microsoft and am moving to another company. I hope my blog has been helpful to...
Date: 06/10/2012
Off Topic: Unicode Right-to-Left Override character used by malware
Here's an interesting thing for you security types to be aware of. Many of you probably are careful...
Date: 08/22/2011
An interesting logging regulation that doesn't apply to Windows event logs...
I was browsing around looking for logging regulations and stumbled across this. It's the United...
Date: 05/27/2011
Decoding UAC Flags Values in events 4720, 4738, 4741, and 4742
In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, there are four events...
Date: 04/28/2011
Auditing Changes to Audit Policy
Mitsuru, one of our support engineers in Japan, actually did some excellent research recently into...
Date: 07/16/2010
XPath to generate a list of NTLM authentications on Windows Vista or Later
Hi Everyone, Sas sent me an email complaining that I am not posting as often as I should- sorry...
Date: 05/13/2010
Auditing system impact on performance
UPDATE 2010-06-06 (EricF) - Fixed Vista+ architecture image; link was broken on migration to new...
Date: 08/10/2009
Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+
I've written twice (here and here) about the relationship between the "old" event IDs (5xx-6xx) in...
Date: 06/10/2009
Minimizing Directory Service Audit Event Noise
I've written before on noise reduction in the Windows security event log. I've also written to...
Date: 09/04/2008
Tracking User Logon Activity Using Logon Events
I get the question fairly often, how to use the logon events in the audit log to track how long a...
Date: 08/20/2008
ACS Event Retention Mechanism
I get a lot of questions about how ACS event retention works. So here you go, I'm blogging it so I...
Date: 07/17/2008
ACS' first bug from being too performant
We got several reports recently of a bug in ACS that certain DS Access events, primarily for dnsNode...
Date: 07/16/2008
If you're gonna herd bots, do it from New Zealand!
A judge in New Zealand declined to convict the admitted (guilty plea) botherder of a million-bot...
Date: 07/16/2008
WEvtUtil Scripting
If you haven't used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008,...
Date: 07/16/2008
Ned on Auditing
I often talk about Ned, who is the current subject matter expert in Microsoft product support for...
Date: 04/19/2008
Windows Server 2008 Security Events Posted
Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy...
Date: 04/16/2008
Shameless Self-Promotion
There's one topic that I know is on everyone's mind- no, not American Idol- it's "What's new in...
Date: 03/05/2008
ACS Event Transformation Demystified
I've decided to start dumping my knowledge of ACS for posterity's sake. My first installment is...
Date: 02/27/2008
You learn something new every day- Logon Type 0
Today I encountered something new in the logon event- I thought that was old hat and I knew all...
Date: 02/26/2008
ACS Tidbits
Well there has been a lot happening on my old project, ACS (Audit Collection Services, a feature of...
Date: 02/01/2008
I always wondered who Björn was...
OK here's something I just remembered today. I may be the last person who remembers this so it's...
Date: 01/17/2008
Why does Windows XP generate so many logon failure events?
I got the question last week, why there are so many logon failure events on Windows XP when it is...
Date: 11/09/2007
List of Windows Server 2003 Events
So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published...
Date: 10/12/2007
German court bans retention of logged IP addresses
A German court has ruled that a government web site may not retain IP addresses and other personally...
Date: 10/03/2007
Ensuring that there's no useful data in your logs...
As I wrote about earlier, TorrentSpy, a file-sharing search engine, was ordered by a U.S. magistrate...
Date: 08/31/2007
AT&T Team Up With Apple to Create Large-Scale Log Forwarding System Using Paper & US Postal Service
https://arstechnica.com/news.ars/post/20070811-iphone-bill-is-surprisingly-xbox-huge-lol.html...
Date: 08/12/2007
EZ-Pass Logs Used in Divorce Cases
This one kind of speaks for itself. I guess this is more of a privacy issue than a logging...
Date: 08/10/2007
Documentation on the Windows Vista and Windows Server 2008 Security Events
I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog...
Date: 07/31/2007
United Kingdom passes EC telecom-logging legislation
To comply with EC telecommunications logging directives (as other EU nations recently have), the UK...
Date: 07/31/2007
Good List of Regulatory Requirements for Logging
My friend Dr. Tina Bird has put together a good list of regulatory requirements that pertain to...
Date: 07/10/2007
Draft law in Germany may force telcos & ISPs to gather logs; Gmail Germany may shut down as a result
A draft law (English translation) being proposed in Germany to enforce the European Mandatory Data...
Date: 06/26/2007
Not generating logs is not an option... when you're under subpoena
Working as I do for a company that exists because of copyright, I'm not particularly sympathetic to...
Date: 06/11/2007
The Trouble With Logoff Events
A lot of you guys probably are using your SEM/SEIM systems to record logon and logoff activity...
Date: 05/08/2007
Enumerating Stuff in AD when all you see is GUIDs in Audit Records
A lot of things in Active Directory audit events show up as GUIDs but are not translated. Why is...
Date: 05/03/2007
Auditing the Creation of Domain Controllers
Special thanks to Raman in the Active Directory team for this one. Ever want to audit the creation...
Date: 05/03/2007
Vista security events get noticed
Doriansoft noticed that there's a relationship between our pre-Vista security event IDs and our...
Date: 04/18/2007
We're #294!
Woohoo! Thank you all for helping push my humble prose into the limelight. Our little community is...
Date: 02/08/2007
Where do I get my information on Windows auditing?
You might want to know where I go to get my information on audit events and so forth. Mostly I go to...
Date: 02/06/2007
Determining Whether a User Logged on Using A Smart Card
I get asked the question pretty regularly how to determine from the security log whether a user...
Date: 02/05/2007
How are object access events generated?
I wrote this as an answer for Tom, who emailed me, but I thought I'd share it with everyone. There...
Date: 10/26/2006
Trustworthiness of Information in Audit Records
I get asked quite often "why is the Workstation name missing from some events?" I've explained that...
Date: 09/20/2006
Auditing and the Payment Card Industry (PCI) Data Security Standard
Here is a link to an interesting blog article interpreting the audit requirement of the PCI...
Date: 09/12/2006
Logs and the US Department of Justice Cybercrime Manual
Source: https://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm Here is the most relevant...
Date: 08/31/2006
Logs and the Canadian Rules for Electronic Evidence
Source: https://laws.justice.gc.ca/en/c-5/232082.html, 8/31/2006 Here are two excerpts from the...
Date: 08/31/2006
ISV Writing Reports for Operations Manager Audit Collector (formerly ACS)
Those of you who know the long and sordid history of ACS (Audit Collection Services, which I blogged...
Date: 06/16/2006
Sharepoint Portal Services Auditing Tool
While searching for something else, I stumbled across this post. Disclaimer: I have never used...
Date: 05/08/2006
LogLogic posts open-source Windows log collection tool
I just became aware that LogLogic has posted an open-source log collection system called Lasso that...
Date: 05/08/2006
A good 3rd-party reference to the Windows security event log
Randy Franklin Smith has a site with a very good reference to security event log events. Randy also...
Date: 03/20/2006