Windows Security Logging and Other Esoterica

thoughts from the Windows auditing team

Vista security events get noticed

Doriansoft noticed that there's a relationship between our pre-Vista security event IDs and our Vista-era security event IDs.

For most security events:
VistaEventId = PreVistaEventId + 4096

Why is this?

We needed to differentiate the Vista events from the pre-Vista events, because we were significantly changing the event content and didn't want to break automation.  However we wanted to preserve the knowledge that security professionals already had in their heads about security events, so we wanted to make sure that there was a relationship between old and new event IDs.

We decided to offset the old IDs by some constant to get the new IDs.  I wanted to offset them by a decimal number (say 6000, so 528 would become 6528, etc.).  However event IDs are declared in hex in the source code and are all 3 digits long (528 = 0x210), and Raghu, my developer, wanted to conserve effort, and he won that battle so we added 0x1000 (4096) to the existing event IDs.
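As an added example (not code from this post or from the Windows auditing team), the following applies the 0x1000 offset in both directions so that an analyst can translate the event IDs in a pre-Vista detection rule to their Vista-era counterparts. It goes slightly beyond the post: the small exception table (540 folded into 4624, 517 renumbered to 1102) and the three-hex-digit range check come from general knowledge of Vista auditing and are assumptions, not facts stated above.

```python
from typing import Iterable

OFFSET = 0x1000  # 4096, the constant the post describes

# Legacy IDs that did not simply gain the offset (assumed from general
# knowledge of Vista auditing, not stated in this post): 540 (network logon)
# was folded into 4624 together with 528, and 517 (audit log cleared) was
# renumbered to 1102.
EXCEPTIONS = {540: 4624, 517: 1102}


def vista_event_id(pre_vista_id: int) -> int:
    """Map a pre-Vista security event ID to its Vista-era ID."""
    if pre_vista_id in EXCEPTIONS:
        return EXCEPTIONS[pre_vista_id]
    # Classic security IDs are three hex digits, which is why the offset is
    # 0x1000 rather than a round decimal number (range check is an assumption).
    if not 0x100 <= pre_vista_id <= 0xFFF:
        raise ValueError(f"{pre_vista_id} is not a three-hex-digit legacy ID")
    return pre_vista_id + OFFSET


def pre_vista_event_ids(vista_id: int) -> list[int]:
    """Reverse lookup: every legacy ID that maps to this Vista ID.

    Returns several IDs where events were merged, and an empty list for a
    Vista ID that has no legacy ancestor (e.g. 540 + 4096 = 4636 never existed).
    """
    legacy = [old for old, new in EXCEPTIONS.items() if new == vista_id]
    base = vista_id - OFFSET
    if 0x100 <= base <= 0xFFF and base not in EXCEPTIONS:
        legacy.append(base)
    return sorted(legacy)


def translate_rule_ids(legacy_ids: Iterable[int]) -> set[int]:
    """Rewrite the event-ID list of a pre-Vista detection rule for Vista logs."""
    return {vista_event_id(i) for i in legacy_ids}


def hex_view(pre_vista_id: int) -> str:
    """Show the relationship in hex, e.g. 528 -> '0x210 -> 0x1210'."""
    return f"0x{pre_vista_id:X} -> 0x{vista_event_id(pre_vista_id):X}"


if __name__ == "__main__":
    for legacy in (528, 529, 540, 592, 672):
        print(legacy, "->", vista_event_id(legacy), "  (", hex_view(legacy), ")")
    print(sorted(translate_rule_ids([528, 529, 540])))
```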

Anyway, that's sometimes how things go.  Now you know the rest of the story.

Comments
  • When I tried to open a saved evt from a Vista machine (Event Viewer) I got the following detailed display for Event 540 (saved on Win2k3 server):

    Log Name:      \\10.72.204.188\c$\testthis.evt
    Source:        Security
    Date:          4/19/2007 6:52:15 PM
    Event ID:      540
    Task Category: Logon/Logoff
    Level:         Information
    Keywords:      Classic,Audit Success
    User:          SYSTEM
    Computer:      W2K3E204-188
    Description:
    The description for Event ID 540 from source Security cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event:
    W2K3E204-188$
    BTCLAB
    (0x0,0x760CF6)
    3
    Kerberos
    Kerberos
    {0308bc30-b40d-e031-8757-d480468de3bb}
    -
    -
    -
    -
    -
    -
    -
    The substitution string for insert index (%1) could not be found

    Does this mean that older Event IDs are not mapped in Vista at all??

    Also, shouldn't Event Viewer have read the event descriptions from the Win2k3 server? I feel it just tried to get the description from the local EventMessageFile..

  • I will blog on this soon, but Vista event viewer doesn't do a good job with downlevel events.  Downlevel viewer won't open uplevel logs at all.  I was told that some people get better results by re-exporting the evt as evtx first but I have not tried this personally so YMMV.

  • I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post

  • I've written twice ( here and here ) about the relationship between the "old" event IDs (5xx-6xx) in
