Windows Security Logging and Other Esoterica

thoughts from the Windows auditing team

Tagged Content List
  • Blog Post: Decoding UAC Flags Values in events 4720, 4738, 4741, and 4742

    In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, there are four events that contain a user account control (UAC) flags value: 4720 - user account creation 4738 - user account change 4741 - computer account creation 4742 - computer account change This...
  • Blog Post: Auditing Changes to Audit Policy

    Mitsuru, one of our support engineers in Japan, actually did some excellent research recently into exactly what our behavior is for auditing audit policy and I wanted to share that with you. In Windows, we've always had auditing for changes to security policy. Audit policy has always been one aspect...
  • Blog Post: XPath to generate a list of NTLM authentications on Windows Vista or Later

    Hi Everyone, Sas sent me an email complaining that I am not posting as often as I should- sorry about that. I am working on a different project now but I am still in close touch with the auditing team and I'll try to do better. Anyway a question that I hear regularly is, "how do I find all the...
  • Blog Post: Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+

    I've written twice ( here and here ) about the relationship between the "old" event IDs (5xx-6xx) in WS03 and earlier versions of Windows, and between the "new" security event IDs (4xxx-5xxx) in Vista and beyond. In short, EventID(WS03) + 4096 = EventID(WS08) for almost all security events in WS03...
  • Blog Post: Windows Server 2008 Security Events Posted

    Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference. Check it out in the Knowledge Base . Even better, they documented all the events in spreadsheet format, and that's propagating to the Microsoft Download...
  • Blog Post: You learn something new every day- Logon Type 0

    Today I encountered something new in the logon event- I thought that was old hat and I knew all there was to know about that but I guess I was wrong. The logon event ( 528/540 prior to Windows Vista, 4624 in Vista and Windows Server 2008) has a field called a Logon Type. This is a code that is passed...
  • Blog Post: I always wondered who Björn was...

    OK here's something I just remembered today. I may be the last person who remembers this so it's important that I record this somewhere. In the RTM bits of Windows NT 4.0, for the German language release only, someone snuck in a string resource into the auditing message file. I'm guessing that it...
  • Blog Post: Why does Windows XP generate so many logon failure events?

    I got the question last week, why there are so many logon failure events on Windows XP when it is not domain joined. The short answer is, by design. (Yes, bad design.) The longer answer is that the shell team is working around the fact that there is no "tell me if this user account has a blank...
  • Blog Post: List of Windows Server 2003 Events

    So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published " Security Event Descriptions ". This article was the "schema" so to speak, for the Windows NT 4.0 security event log events. Technically Windows events are not schematized until Windows Vista; or put...
  • Blog Post: Documentation on the Windows Vista and Windows Server 2008 Security Events

    I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post complaining that the " add 4096 " rule doesn't work because we collapsed the logon events into a single success event and failure event (from 2 success events [528, 540] and 10 failure events [529-537...
  • Blog Post: The Trouble With Logoff Events

    A lot of you guys probably are using your SEM/SEIM systems to record logon and logoff activity without much of a second thought. I just thought I'd bring one problem to your attention. Logoff events are not strictly reliable. From an engineering sense they are deterministic. However like many...
  • Blog Post: How are object access events generated?

    I wrote this as an answer for Tom, who emailed me, but I thought I'd share it with everyone. There are 7 events associated with object access auditing in Windows: 560 is the "open handle" event. It is logged when an app asks for access to an object (via a call like CreateFile). An access...
  • Blog Post: Quick Overview of Object Access Auditing in Windows

    A lot of people are unhappy with object access auditing on Windows, because what they want to know is "who touched the object and what did that person do", but what Windows auditing tells you is actually "who touched the object and what did they ask for permission to do". The distinction is subtle, but...
  • Blog Post: Privilege Use- what do we audit, and when?

    Odd thing today- I got two questions about the obscure " FullPrivilegeAuditing " registry setting- so I thought I'd post my answer. Some of this is not new, I posted on the Windows Server 2003 SP1 changes to auditing a while back. Events ID 577 and 578 are governed by the Privilege Use audit category...
  • Blog Post: Why don't I see the workstation name in logon events?

    Top reasons: 1. In NTLM logons, it's subject to spoofing. There exist hacking tools which improperly populate the workstation field of the logon request. I don't know if this is intentional or not. 2. There is no way to carry this information in LDAP requests; AD logon events will never have the...
  • Blog Post: Deciphering Account Logon Events

    One of the most common questions that I get about Windows Auditing is, how come you guys were so @#%! stupid that you put in two logon categories? The answer is actually pretty simple- we're bad at choosing names. "Account Logon" isn't really about logon, it's about credential validation. Here...
  • Blog Post: Events 528 and 540

    Logon events. Event 528 and Event 540 are the Logon events. Event 528 is for all logons except "network" logons. "Network" logons are SMB/Microsoft-DS logons (i.e. connecting to a share). RDP, IIS, FTP logons, etc., are event 528 even though credentials may have come from over the network. All event...
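The UAC-flags post above gives only the four event IDs. As an added example (not code from the blog), the decoder below turns the hex "Old UAC Value" / "New UAC Value" fields of 4720, 4738, 4741 and 4742 into flag names and reports what an event set or cleared. It assumes the value uses the SAM USER_* account-control flag layout from ntsam.h, which is not the LDAP userAccountControl bit layout (account-disabled is 0x1 here, 0x2 in userAccountControl); the WATCH set and both sample event bodies are constructed for the example.

```python
"""Decode the Old/New UAC Value fields of events 4720/4738/4741/4742.

Added example, not the blog's code. Assumption: the hex value carries the
SAM USER_* flags (ntsam.h layout), not LDAP userAccountControl bits.
The two event bodies at the bottom are constructed samples.
"""
import re

SAM_UAC_FLAGS = {
    0x00000001: "USER_ACCOUNT_DISABLED",
    0x00000002: "USER_HOME_DIRECTORY_REQUIRED",
    0x00000004: "USER_PASSWORD_NOT_REQUIRED",
    0x00000008: "USER_TEMP_DUPLICATE_ACCOUNT",
    0x00000010: "USER_NORMAL_ACCOUNT",
    0x00000020: "USER_MNS_LOGON_ACCOUNT",
    0x00000040: "USER_INTERDOMAIN_TRUST_ACCOUNT",
    0x00000080: "USER_WORKSTATION_TRUST_ACCOUNT",
    0x00000100: "USER_SERVER_TRUST_ACCOUNT",
    0x00000200: "USER_DONT_EXPIRE_PASSWORD",
    0x00000400: "USER_ACCOUNT_AUTO_LOCKED",
    0x00000800: "USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00001000: "USER_SMARTCARD_REQUIRED",
    0x00002000: "USER_TRUSTED_FOR_DELEGATION",
    0x00004000: "USER_NOT_DELEGATED",
    0x00008000: "USER_USE_DES_KEY_ONLY",
    0x00010000: "USER_DONT_REQUIRE_PREAUTH",
    0x00020000: "USER_PASSWORD_EXPIRED",
    0x00040000: "USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x00080000: "USER_NO_AUTH_DATA_REQUIRED",
}

# Flags whose appearance in a New UAC Value deserves review (example choice).
WATCH = {
    "USER_PASSWORD_NOT_REQUIRED",
    "USER_DONT_EXPIRE_PASSWORD",
    "USER_USE_DES_KEY_ONLY",
    "USER_DONT_REQUIRE_PREAUTH",
    "USER_TRUSTED_FOR_DELEGATION",
    "USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}

_UAC_RE = re.compile(r"(Old|New) UAC Value:\s*0x([0-9A-Fa-f]+)")


def decode_uac(value):
    """Names of the flags set in value, lowest bit first; unknown bits are kept."""
    names = []
    bit = 1
    while value:
        if value & bit:
            names.append(SAM_UAC_FLAGS.get(bit, "UNKNOWN_0x%X" % bit))
            value &= ~bit
        bit <<= 1
    return names


def diff_uac(old, new):
    """(flags newly set, flags cleared) between an Old and a New UAC Value."""
    return decode_uac(new & ~old), decode_uac(old & ~new)


def parse_uac_values(event_text):
    """Pull the hex Old/New UAC Value pair out of the rendered event text."""
    found = {m.group(1): int(m.group(2), 16) for m in _UAC_RE.finditer(event_text)}
    if "Old" not in found or "New" not in found:
        raise ValueError("no Old/New UAC Value pair in event text")
    return found["Old"], found["New"]


def review(event_text):
    """Decode both values and list the newly set flags that are on the watch list."""
    old, new = parse_uac_values(event_text)
    set_flags, cleared = diff_uac(old, new)
    return {
        "old": decode_uac(old),
        "new": decode_uac(new),
        "set": set_flags,
        "cleared": cleared,
        "alerts": [f for f in set_flags if f in WATCH],
    }


# Constructed sample bodies (only the lines the parser needs are included).
EVENT_4720 = "A user account was created.\n\tAccount Name:\tsvc_backup\n" \
             "\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n"
EVENT_4738 = "A user account was changed.\n\tAccount Name:\tsvc_backup\n" \
             "\tOld UAC Value:\t\t0x15\n\tNew UAC Value:\t\t0x10210\n"

if __name__ == "__main__":
    for name, body in (("4720", EVENT_4720), ("4738", EVENT_4738)):
        print(name, review(body))
```

On the constructed 4720 the account is created disabled with no password yet (0x15), so USER_PASSWORD_NOT_REQUIRED at creation time is expected noise; the 4738 that follows is where it matters, and here it clears that flag but sets USER_DONT_REQUIRE_PREAUTH, which is the change worth a ticket.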
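The NTLM-XPath, Logon Type 0, workstation-name and 528/540 posts above all turn on the same few fields of the logon event. As one added example serving all four (not code from the blog), the script below parses 4624 event XML of the shape Get-WinEvent's ToXml() returns, keeps the NTLM logons, decodes the Logon Type, and attaches the caveat that a workstation name in an NTLM logon is client-supplied. The XPATH_NTLM_LOGONS string is the same filter written for a live query; the four events are constructed samples, and the "System" label for type 0 is an assumption taken from the post title, not from its text.

```python
"""Find NTLM logons in 4624 event XML and decode the Logon Type field.

Added example, not the blog's code. The events below are constructed
samples in the XML layout of a 4624 record; nothing here reads a live log.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Same filter as event-log XPath, usable as
#   Get-WinEvent -LogName Security -FilterXPath $xpath   (PowerShell side assumed)
XPATH_NTLM_LOGONS = (
    "*[System[EventID=4624] and "
    "EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"
)

# Logon Type codes carried by 528/540 (pre-Vista) and 4624 (Vista+).
LOGON_TYPES = {
    0: "System",              # assumed: the system account's own boot-time logon
    2: "Interactive",
    3: "Network",             # SMB/Microsoft-DS share access and similar
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",  # RDP
    11: "CachedInteractive",
}


def parse_event(xml_text):
    """Flatten one event's System/EventID and EventData/Data fields into a dict."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for d in root.findall("e:EventData/e:Data", NS):
        event[d.get("Name")] = (d.text or "").strip()
    return event


def is_ntlm_logon(ev):
    return ev["EventID"] == 4624 and ev.get("AuthenticationPackageName") == "NTLM"


def ntlm_logons(events):
    """Offline equivalent of XPATH_NTLM_LOGONS over already-parsed events."""
    return [e for e in events if is_ntlm_logon(e)]


def describe(ev):
    """Human-readable summary of a logon event with trust caveats attached."""
    lt = int(ev.get("LogonType", -1))
    out = {
        "user": ev.get("TargetDomainName", "") + "\\" + ev.get("TargetUserName", ""),
        "logon_type": LOGON_TYPES.get(lt, "Unknown(%d)" % lt),
        "package": ev.get("AuthenticationPackageName", ""),
        "lm_package": ev.get("LmPackageName", "-"),
        "workstation": ev.get("WorkstationName", ""),
        "source_ip": ev.get("IpAddress", "-"),
        "notes": [],
    }
    if is_ntlm_logon(ev):
        # The workstation field in an NTLM logon comes from the client's request.
        out["notes"].append("WorkstationName is client-supplied in NTLM logons; do not rely on it")
        if out["lm_package"] == "NTLM V1":
            out["notes"].append("NTLMv1 response; identify and fix the client")
    return out


def _sample(event_id, **data):
    """Build a minimal event XML body for the constructed samples."""
    fields = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in data.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], event_id, fields))


SAMPLE_EVENTS = [  # constructed, not captured
    _sample(4624, TargetUserName="bob", TargetDomainName="CORP", LogonType="3",
            AuthenticationPackageName="Kerberos", LmPackageName="-",
            WorkstationName="", IpAddress="10.0.0.5"),
    _sample(4624, TargetUserName="alice", TargetDomainName="CORP", LogonType="3",
            AuthenticationPackageName="NTLM", LmPackageName="NTLM V2",
            WorkstationName="WS01", IpAddress="10.0.0.7"),
    _sample(4624, TargetUserName="svc_backup", TargetDomainName="CORP", LogonType="10",
            AuthenticationPackageName="NTLM", LmPackageName="NTLM V1",
            WorkstationName="ADMIN-PC", IpAddress="10.0.0.9"),
    _sample(4634, TargetUserName="alice", TargetDomainName="CORP", LogonType="3"),
]

if __name__ == "__main__":
    for ev in ntlm_logons([parse_event(x) for x in SAMPLE_EVENTS]):
        print(describe(ev))
```

The IpAddress field is filled in by the server side of the connection rather than copied from the client's request, so when the workstation name of an NTLM logon looks wrong, pivot on the address instead.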