Windows Security Logging and Other Esoterica
thoughts from the Windows auditing team
Farewell for now...
I have resigned from Microsoft and am moving to another company. I hope my blog has been helpful to...
Date: 06/10/2012
Off Topic: Unicode Right-to-Left Override character used by malware
Here's an interesting thing for you security types to be aware of. Many of you probably are careful...
Date: 08/22/2011
An interesting logging regulation that doesn't apply to Windows event logs...
I was browsing around looking for logging regulations and stumbled across this. It's the United...
Date: 05/27/2011
Decoding UAC Flags Values in events 4720, 4738, 4741, and 4742
In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, there are four events...
Date: 04/28/2011
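The post above only survives here as a title and a teaser, so the following is an added example and not code from the original post. It decodes the hex "Old UAC Value" and "New UAC Value" fields of events 4720, 4738, 4741 and 4742. The assumption it builds on (stated in the code as well) is that these fields carry the SAM USER_* account-control flags from ntsam.h rather than the LDAP userAccountControl bit layout, which is why a freshly created user shows "New UAC Value: 0x15" next to "Account Disabled, Password Not Required, Normal Account". The sample old/new pair at the bottom is constructed for illustration; the Get-WinEvent pipeline reads live 4738 events if you have rights to the Security log.

```powershell
# Added example (not from the original post). Assumption: the OldUacValue/NewUacValue
# fields in 4720/4738/4741/4742 use the SAM USER_* flags (ntsam.h), not the LDAP
# userAccountControl encoding (where 0x2 is ACCOUNTDISABLE and 0x200 is NORMAL_ACCOUNT).
$SamUacFlags = [ordered]@{
    0x00000001 = 'USER_ACCOUNT_DISABLED'
    0x00000002 = 'USER_HOME_DIRECTORY_REQUIRED'
    0x00000004 = 'USER_PASSWORD_NOT_REQUIRED'
    0x00000008 = 'USER_TEMP_DUPLICATE_ACCOUNT'
    0x00000010 = 'USER_NORMAL_ACCOUNT'
    0x00000020 = 'USER_MNS_LOGON_ACCOUNT'
    0x00000040 = 'USER_INTERDOMAIN_TRUST_ACCOUNT'
    0x00000080 = 'USER_WORKSTATION_TRUST_ACCOUNT'
    0x00000100 = 'USER_SERVER_TRUST_ACCOUNT'
    0x00000200 = 'USER_DONT_EXPIRE_PASSWORD'
    0x00000400 = 'USER_ACCOUNT_AUTO_LOCKED'
    0x00000800 = 'USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED'
    0x00001000 = 'USER_SMARTCARD_REQUIRED'
    0x00002000 = 'USER_TRUSTED_FOR_DELEGATION'
    0x00004000 = 'USER_NOT_DELEGATED'
    0x00008000 = 'USER_USE_DES_KEY_ONLY'
    0x00010000 = 'USER_DONT_REQUIRE_PREAUTH'
    0x00020000 = 'USER_PASSWORD_EXPIRED'
    0x00040000 = 'USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION'
    0x00080000 = 'USER_NO_AUTH_DATA_REQUIRED'
    0x00100000 = 'USER_PARTIAL_SECRETS_ACCOUNT'
    0x00200000 = 'USER_USE_AES_KEYS'
}

# Turn one hex field ("0x15" or "15") into the list of flag names that are set.
function ConvertFrom-SamUacValue {
    param([Parameter(Mandatory)][string]$HexValue)
    $value = [Convert]::ToUInt32($HexValue, 16)   # ToUInt32 accepts an optional 0x prefix
    foreach ($bit in $SamUacFlags.Keys) {
        if ($value -band $bit) { $SamUacFlags[$bit] }
    }
}

# Diff an old/new pair the way a 4738 review needs it: which flags were set, which cleared.
function Compare-SamUacChange {
    param([Parameter(Mandatory)][string]$OldHex, [Parameter(Mandatory)][string]$NewHex)
    $old = @(ConvertFrom-SamUacValue $OldHex)
    $new = @(ConvertFrom-SamUacValue $NewHex)
    [pscustomobject]@{
        Set     = @($new | Where-Object { $_ -notin $old })
        Cleared = @($old | Where-Object { $_ -notin $new })
    }
}

# Constructed sample: a 4720 "New UAC Value" of 0x15 decodes to disabled + password not
# required + normal account; a later 4738 moving 0x15 -> 0x10 is the account being enabled.
ConvertFrom-SamUacValue '0x15'
Compare-SamUacChange -OldHex '0x15' -NewHex '0x10'

# Live data: pull the same fields out of recent 4738 events by Data name rather than by
# positional index, since the EventData order is what the XML names, not what you remember.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4738 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $change = Compare-SamUacChange -OldHex $d.OldUacValue -NewHex $d.NewUacValue
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Target  = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Set     = $change.Set -join ','
            Cleared = $change.Cleared -join ','
        }
    }
```

The check worth keeping from this: if a decoder for these events ever reports "Account Disabled" for 0x2 or "Normal Account" for 0x200, it is applying the LDAP table to the SAM field and will mislabel nearly every 4720 it sees.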
Auditing Changes to Audit Policy
Mitsuru, one of our support engineers in Japan, actually did some excellent research recently into...
Date: 07/16/2010
XPath to generate a list of NTLM authentications on Windows Vista or Later
Hi Everyone, Sas sent me an email complaining that I am not posting as often as I should- sorry...
Date: 05/13/2010
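As an added example of the technique this post's title names (it is not the post's own query, which the teaser here does not reproduce), the filter below selects Vista-and-later 4624 logon events whose AuthenticationPackageName is NTLM, using the XPath subset the Windows event log accepts. The field names (AuthenticationPackageName, LmPackageName, LogonType, TargetUserName, IpAddress, WorkstationName) are the standard 4624 EventData names; the Kerberos exclusion and the LM-version column are the additions a practitioner usually wants when hunting for NTLM use on a domain that should be Kerberos-only.

```powershell
# Added example (not from the original post): list NTLM authentications from the
# Security log on Windows Vista / Server 2008 and later via an event-log XPath filter.
# The same XPath works on the command line:
#   wevtutil qe Security /q:"<xpath>" /c:500 /f:text
$xpath = "*[System[(EventID=4624)] and EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"

function Get-NtlmLogon {
    param([int]$MaxEvents = 500, [string]$ComputerName)
    $args = @{ LogName = 'Security'; FilterXPath = $xpath; MaxEvents = $MaxEvents; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $args.ComputerName = $ComputerName }   # remote collection, if you have rights
    Get-WinEvent @args | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }   # index fields by name, not position
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType           # 3 = network, 10 = RDP, 2 = interactive
            NtlmVersion = $d.LmPackageName       # "NTLM V1", "NTLM V2" or "-"
            Source      = $d.IpAddress
            Workstation = $d.WorkstationName
        }
    }
}

# Typical use: NTLM v1 over the network is the first thing to chase down.
Get-NtlmLogon -MaxEvents 1000 |
    Where-Object { $_.NtlmVersion -eq 'NTLM V1' -and $_.LogonType -eq '3' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Two caveats for interpreting the output: ANONYMOUS LOGON entries with package NTLM are normal SMB null-session noise rather than credential use, and a 4624 with AuthenticationPackageName "Negotiate" can still have settled on NTLM, so filter on the resolved package name as above rather than on the package the client offered.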
Auditing system impact on performance
UPDATE 2010-06-06 (EricF) - Fixed Vista+ architecture image; link was broken on migration to new...
Date: 08/10/2009
Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+
I've written twice (here and here) about the relationship between the "old" event IDs (5xx-6xx) in...
Date: 06/10/2009
Minimizing Directory Service Audit Event Noise
I've written before on noise reduction in the Windows security event log. I've also written to...
Date: 09/04/2008
Tracking User Logon Activity Using Logon Events
I get the question fairly often, how to use the logon events in the audit log to track how long a...
Date: 08/20/2008
ACS Event Retention Mechanism
I get a lot of questions about how ACS event retention works. So here you go, I'm blogging it so I...
Date: 07/17/2008
ACS' first bug from being too performant
We got several reports recently of a bug in ACS that certain DS Access events, primarily for dnsNode...
Date: 07/16/2008
If you're gonna herd bots, do it from New Zealand!
A judge in New Zealand declined to convict the admitted (guilty plea) botherder of a million-bot...
Date: 07/16/2008
WEvtUtil Scripting
If you haven't used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008,...
Date: 07/16/2008
Ned on Auditing
I often talk about Ned, who is the current subject matter expert in Microsoft product support for...
Date: 04/19/2008
Windows Server 2008 Security Events Posted
Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy...
Date: 04/16/2008
Shameless Self-Promotion
There's one topic that I know is on everyone's mind- no, not American Idol- it's "What's new in...
Date: 03/05/2008
ACS Event Transformation Demystified
I've decided to start dumping my knowledge of ACS for posterity's sake. My first installment is...
Date: 02/27/2008
You learn something new every day- Logon Type 0
Today I encountered something new in the logon event- I thought that was old hat and I knew all...
Date: 02/26/2008
ACS Tidbits
Well there has been a lot happening on my old project, ACS (Audit Collection Services, a feature of...
Date: 02/01/2008
I always wondered who Björn was...
OK here's something I just remembered today. I may be the last person who remembers this so it's...
Date: 01/17/2008
Why does Windows XP generate so many logon failure events?
I got the question last week, why there are so many logon failure events on Windows XP when it is...
Date: 11/09/2007
List of Windows Server 2003 Events
So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published...
Date: 10/12/2007
German court bans retention of logged IP addresses
A German court has ruled that a government web site may not retain IP addresses and other personally...
Date: 10/03/2007
Ensuring that there's no useful data in your logs...
As I wrote about earlier, TorrentSpy, a file-sharing search engine, was ordered by a U.S. magistrate...
Date: 08/31/2007
AT&T Team Up With Apple to Create Large-Scale Log Forwarding System Using Paper & US Postal Service
https://arstechnica.com/news.ars/post/20070811-iphone-bill-is-surprisingly-xbox-huge-lol.html...
Date: 08/12/2007
EZ-Pass Logs Used in Divorce Cases
This one kind of speaks for itself. I guess this is more of a privacy issue than a logging...
Date: 08/10/2007
Documentation on the Windows Vista and Windows Server 2008 Security Events
I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog...
Date: 07/31/2007
United Kingdom passes EC telecom-logging legislation
To comply with EC telecommunications logging directives (as other EU nations recently have), the UK...
Date: 07/31/2007
Good List of Regulatory Requirements for Logging
My friend Dr. Tina Bird has put together a good list of regulatory requirements that pertain to...
Date: 07/10/2007
Draft law in Germany may force telcos & ISPs to gather logs; Gmail Germany may shut down as a result
A draft law (English translation) being proposed in Germany to enforce the European Mandatory Data...
Date: 06/26/2007
Not generating logs is not an option... when you're under subpoena
Working as I do for a company that exists because of copyright, I'm not particularly sympathetic to...
Date: 06/11/2007
The Trouble With Logoff Events
A lot of you guys probably are using your SEM/SEIM systems to record logon and logoff activity...
Date: 05/08/2007
Enumerating Stuff in AD when all you see is GUIDs in Audit Records
A lot of things in Active Directory audit events show up as GUIDs but are not translated. Why is...
Date: 05/03/2007
Auditing the Creation of Domain Controllers
Special thanks to Raman in the Active Directory team for this one. Ever want to audit the creation...
Date: 05/03/2007
Vista security events get noticed
Doriansoft noticed that there's a relationship between our pre-Vista security event IDs and our...
Date: 04/18/2007
We're #294!
Woohoo! Thank you all for helping push my humble prose into the limelight. Our little community is...
Date: 02/08/2007
Where do I get my information on Windows auditing?
You might want to know where I go to get my information on audit events and so forth. Mostly I go to...
Date: 02/06/2007
Determining Whether a User Logged on Using A Smart Card
I get asked the question pretty regularly how to determine from the security log whether a user...
Date: 02/05/2007
How are object access events generated?
I wrote this as an answer for Tom, who emailed me, but I thought I'd share it with everyone. There...
Date: 10/26/2006
Trustworthiness of Information in Audit Records
I get asked quite often "why is the Workstation name missing from some events?" I've explained that...
Date: 09/20/2006
Auditing and the Payment Card Industry (PCI) Data Security Standard
Here is a link to an interesting blog article interpreting the audit requirement of the PCI...
Date: 09/12/2006
Logs and the US Department of Justice Cybercrime Manual
Source: https://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm Here is the most relevant...
Date: 08/31/2006
Logs and the Canadian Rules for Electronic Evidence
Source: https://laws.justice.gc.ca/en/c-5/232082.html, 8/31/2006 Here are two excerpts from the...
Date: 08/31/2006
ISV Writing Reports for Operations Manager Audit Collector (formerly ACS)
Those of you who know the long and sordid history of ACS (Audit Collection Services, which I blogged...
Date: 06/16/2006
Sharepoint Portal Services Auditing Tool
While searching for something else, I stumbled across this post. Disclaimer: I have never used...
Date: 05/08/2006
LogLogic posts open-source Windows log collection tool
I just became aware that LogLogic has posted an open-source log collection system called Lasso that...
Date: 05/08/2006
A good 3rd-party reference to the Windows security event log
Randy Franklin Smith has a site with a very good reference to security event log events. Randy also...
Date: 03/20/2006