Hi Everyone,

Sas sent me an email complaining that I am not posting as often as I should- sorry about that.  I am working on a different project now but I am still in close touch with the auditing team and I'll try to do better.

Anyway a question that I hear regularly is, "how do I find all the NTLM authentications on my network"?

Other than running a network trace, the best way I have found (ok invented :-)  to do this is to look at the logon events in the audit log.

One of the changes we made to the logon events in Windows Vista (and therefore subsequent releases of Windows) was to include the NTLM protocol level in the logon events, if the NTLM auth package was used.

Now, with the new EventLog ecosystem, it's easy to generate some XPath to find just these events.

Here's the query:

*[System

   [Provider

     [@Name='Microsoft-Windows-Security-Auditing']

       and Task = 12544

       and (band(Keywords,9007199254740992))

       and (EventID=4624)

   ]

   and

   EventData

     [Data

       [@Name='LmPackageName'] != '-'

     ]

 ]

 

To use this in Event Viewer:

  1. Find the Security log under Windows Logs in the tree pane.
  2. Right-click the Security log, and choose "Filter Current Log..."
  3. Select the "XML" tab.
  4. Check the "Edit query manually" box.
  5. Replace the default query ("*", or everything in the "<Select>" element), with the text in the box above.  I've formatted it for readability.
  6. Click OK

The event view will now be filtered and you'll only see NTLM logon events.  Additionally, each filtered event will contain a "Detailed Authentication Information" section containing the protocol level (e.g. LM, NTLM, NTLM V2) in the "Package Name" field, and the session key length, if one was negotiated.

Detailed Authentication Information:
            Logon Process: NtLmSsp
            Authentication Package: NTLM
            Transited Services: -
            Package Name (NTLM only): NTLM V2
            Key Length: 128