Windows Security Logging and Other Esoterica
thoughts from the Windows auditing team
Posts (MSDN Blogs)
Farewell for now...
Posted 11 months ago by Eric Fitzgerald, 0 comments
I have resigned from Microsoft and am moving to another company. I hope my blog has been helpful to you all! Feel free to contact me at my hotmail address (eric_fitzgerald). I'll be up and blogging somewhere else soon. Best regards, Eric
Off Topic: Unicode Right-to-Left Override character used by malware
Posted over 2 years ago by Eric Fitzgerald, 1 comment
Here's an interesting thing for you security types to be aware of. Many of you probably are careful to screen attachment types to make sure that you don't unintentionally execute code that might be malicious. Malware authors have discovered that by...
An interesting logging regulation that doesn't apply to Windows event logs...
Posted over 2 years ago by Eric Fitzgerald, 3 comments
I was browsing around looking for logging regulations and stumbled across this. It's the United States' federal regulation on EDRs (Event Data Recorders) installed in automobiles. EDRs are little log engines, like the "black box" flight data recorders...
Decoding UAC Flags Values in events 4720, 4738, 4741, and 4742
Posted over 2 years ago by Eric Fitzgerald, 0 comments
In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, there are four events that contain a user account control (UAC) flags value: 4720 (user account creation), 4738 (user account change), 4741 (computer account creation)...
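As an added illustration (this is not code from the post above), the following Python decodes the hex "Old UAC Value" / "New UAC Value" fields those four events carry and reports which bits a change added or removed. The bit names are my mapping from the SAM USER_* constants in ntsam.h; the sample values 0x15 and 0x210 are constructed. One caveat worth stating plainly: the LDAP userAccountControl attribute uses a different (UF_*) bit layout, so decoding these event fields with an LDAP flag table gives wrong answers.

```python
# Added example, not from the original post: decode the hex "Old UAC Value" /
# "New UAC Value" fields that events 4720, 4738, 4741 and 4742 carry.
# Bit names follow the SAM USER_* constants in ntsam.h (my mapping, not the
# post's). These are NOT the LDAP userAccountControl (UF_*) bits.

SAM_UAC_FLAGS = (
    (0x00000001, "USER_ACCOUNT_DISABLED"),
    (0x00000002, "USER_HOME_DIRECTORY_REQUIRED"),
    (0x00000004, "USER_PASSWORD_NOT_REQUIRED"),
    (0x00000008, "USER_TEMP_DUPLICATE_ACCOUNT"),
    (0x00000010, "USER_NORMAL_ACCOUNT"),
    (0x00000020, "USER_MNS_LOGON_ACCOUNT"),
    (0x00000040, "USER_INTERDOMAIN_TRUST_ACCOUNT"),
    (0x00000080, "USER_WORKSTATION_TRUST_ACCOUNT"),
    (0x00000100, "USER_SERVER_TRUST_ACCOUNT"),
    (0x00000200, "USER_DONT_EXPIRE_PASSWORD"),
    (0x00000400, "USER_ACCOUNT_AUTO_LOCKED"),
    (0x00000800, "USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED"),
    (0x00001000, "USER_SMARTCARD_REQUIRED"),
    (0x00002000, "USER_TRUSTED_FOR_DELEGATION"),
    (0x00004000, "USER_NOT_DELEGATED"),
    (0x00008000, "USER_USE_DES_KEY_ONLY"),
    (0x00010000, "USER_DONT_REQUIRE_PREAUTH"),
    (0x00020000, "USER_PASSWORD_EXPIRED"),
    (0x00040000, "USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION"),
    (0x00080000, "USER_NO_AUTH_DATA_REQUIRED"),
)
KNOWN_MASK = sum(bit for bit, _ in SAM_UAC_FLAGS)

# Flags that weaken an account when they are *added*; worth alerting on in 4738/4742.
RISKY_FLAGS = {
    "USER_PASSWORD_NOT_REQUIRED",
    "USER_DONT_EXPIRE_PASSWORD",
    "USER_TRUSTED_FOR_DELEGATION",
    "USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    "USER_DONT_REQUIRE_PREAUTH",
    "USER_USE_DES_KEY_ONLY",
}


def parse_uac(value):
    """Accept the field as logged ('0x15'), a decimal string, or an int."""
    if isinstance(value, str):
        return int(value.strip(), 0)   # base 0 understands the 0x prefix
    return int(value)


def decode_uac(value):
    """Names of the flags set in a UAC value, lowest bit first.
    Bits outside the table are reported rather than silently dropped."""
    v = parse_uac(value)
    names = [name for bit, name in SAM_UAC_FLAGS if v & bit]
    unknown = v & ~KNOWN_MASK
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def diff_uac(old_value, new_value):
    """For 4738/4742 (account changed): (flags added, flags removed)."""
    old, new = set(decode_uac(old_value)), set(decode_uac(new_value))
    return sorted(new - old), sorted(old - new)


def risky_additions(old_value, new_value):
    """Subset of the added flags that reduce the account's security."""
    added, _ = diff_uac(old_value, new_value)
    return [name for name in added if name in RISKY_FLAGS]


if __name__ == "__main__":
    # Constructed sample: a new user (4720) logged with New UAC Value 0x15,
    # then a 4738 that enables it and sets "password never expires".
    print(decode_uac("0x15"))
    print(diff_uac("0x15", "0x210"))
    print(risky_additions("0x15", "0x210"))
```

Feed diff_uac the Old/New pair from a 4738 or 4742 and you get the actual change rather than two opaque hex numbers; risky_additions is the part a detection rule would key on.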
Auditing Changes to Audit Policy
Posted over 3 years ago by Eric Fitzgerald, 10 comments
Mitsuru, one of our support engineers in Japan, actually did some excellent research recently into exactly what our behavior is for auditing audit policy and I wanted to share that with you. In Windows, we've always had auditing for changes to security...
XPath to generate a list of NTLM authentications on Windows Vista or Later
Posted over 3 years ago by Eric Fitzgerald, 0 comments
Hi Everyone, Sas sent me an email complaining that I am not posting as often as I should. Sorry about that. I am working on a different project now but I am still in close touch with the auditing team and I'll try to do better. Anyway a question...
Auditing system impact on performance
Posted over 4 years ago by Eric Fitzgerald, 0 comments
UPDATE 2010-06-06 (EricF) - Fixed Vista+ architecture image; link was broken on migration to new blog platform.
I get questions from time to time, such as my recent offline question from Steve, about what performance impact auditing has on the system...
Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+
Posted over 4 years ago by Eric Fitzgerald, 1 comment
I've written twice (here and here) about the relationship between the "old" event IDs (5xx-6xx) in WS03 and earlier versions of Windows and the "new" security event IDs (4xxx-5xxx) in Vista and beyond. In short, EventID(WS03) + 4096 = EventID...
Minimizing Directory Service Audit Event Noise
Posted over 5 years ago by Eric Fitzgerald, 0 comments
I've written before on noise reduction in the Windows security event log. I've also written to describe how object access auditing works. But, I still get questions on how to reduce noise from object access events. The other day I got that question,...
Tracking User Logon Activity Using Logon Events
Posted over 5 years ago by Eric Fitzgerald, 5 comments
I get the question fairly often, how to use the logon events in the audit log to track how long a user was using their computer and when they logged off. As I have written about previously, this method of user activity tracking is unreliable. It works...
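The two posts above (the NTLM XPath filter and logon/logoff tracking) both come down to reading fields out of event 4624, so here is one added Python example that serves both; it is my illustration, not code from either post. It evaluates the same predicate the XPath would (EventID 4624 with AuthenticationPackageName equal to NTLM) over events in the Vista+ event XML schema, then pairs 4624 with 4634/4647 by Logon ID and reports the sessions for which the log never recorded an end. The user names, Logon IDs, addresses and times in the sample events are constructed.

```python
# Added example, not from the original posts: apply the NTLM-logon filter to
# exported Security events and pair 4624 with 4634/4647 by Logon ID.
# The XPath it mirrors, usable directly against a live log (one line):
#   wevtutil qe Security /q:"*[System[EventID=4624] and
#       EventData[Data[@Name='AuthenticationPackageName']='NTLM']]" /f:text
# The events below are constructed samples in the Vista+ event XML schema.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"ev": "http://schemas.microsoft.com/win/2004/08/events/event"}
NTLM_XPATH = "ev:EventData/ev:Data[@Name='AuthenticationPackageName']"


def make_event(event_id, fields, system_time):
    """Constructed sample event (minimal System/EventData sections only)."""
    data = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in fields.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID>'
            '<TimeCreated SystemTime="%s"/></System><EventData>%s</EventData></Event>'
            % (NS["ev"], event_id, system_time, data))


SAMPLE_EVENTS = [
    make_event(4624, {"TargetUserName": "alice", "TargetDomainName": "CORP",
                      "TargetLogonId": "0x1a2b3c", "LogonType": "3",
                      "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
                      "IpAddress": "10.0.0.5"}, "2010-03-01T08:00:00.000Z"),
    make_event(4634, {"TargetUserName": "alice", "TargetDomainName": "CORP",
                      "TargetLogonId": "0x1a2b3c", "LogonType": "3"},
               "2010-03-01T08:00:02.000Z"),
    make_event(4624, {"TargetUserName": "bob", "TargetDomainName": "CORP",
                      "TargetLogonId": "0x4d5e6f", "LogonType": "2",
                      "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
                      "IpAddress": "-"}, "2010-03-01T08:05:00.000Z"),
    make_event(4624, {"TargetUserName": "carol", "TargetDomainName": "CORP",
                      "TargetLogonId": "0x7a8b9c", "LogonType": "2",
                      "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
                      "IpAddress": "-"}, "2010-03-01T09:00:00.000Z"),
    make_event(4647, {"TargetUserName": "bob", "TargetDomainName": "CORP",
                      "TargetLogonId": "0x4d5e6f"}, "2010-03-01T17:30:00.000Z"),
    # carol's session never gets a logoff event (say the machine was powered
    # off), which is exactly why pairing logon with logoff is unreliable.
]


def parse_event(xml_text):
    """Flatten one event into a dict: EventID, TimeCreated, plus EventData fields."""
    root = ET.fromstring(xml_text)
    event = {
        "EventID": int(root.find("ev:System/ev:EventID", NS).text),
        "TimeCreated": datetime.strptime(
            root.find("ev:System/ev:TimeCreated", NS).get("SystemTime"),
            "%Y-%m-%dT%H:%M:%S.%fZ"),
    }
    for d in root.findall("ev:EventData/ev:Data", NS):
        event[d.get("Name")] = d.text
    return event


def is_ntlm_logon(xml_text):
    """The XPath predicate above, evaluated with ElementTree's XPath subset."""
    root = ET.fromstring(xml_text)
    if root.find("ev:System/ev:EventID", NS).text != "4624":
        return False
    pkg = root.find(NTLM_XPATH, NS)
    return pkg is not None and pkg.text == "NTLM"


def ntlm_logons(xml_events):
    return [parse_event(x) for x in xml_events if is_ntlm_logon(x)]


def pair_sessions(events):
    """Match each 4624 with the 4634/4647 carrying the same Logon ID.
    Returns (sessions, orphan_logoffs). A session whose "logoff" is None is
    one whose end the log never recorded; an orphan is a logoff with no
    matching logon in the set, e.g. one that fell outside the export."""
    sessions, orphans = {}, []
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        lid = e.get("TargetLogonId")
        if e["EventID"] == 4624:
            sessions[lid] = {"user": e["TargetDomainName"] + "\\" + e["TargetUserName"],
                             "logon_type": e["LogonType"],
                             "logon": e["TimeCreated"], "logoff": None}
        elif e["EventID"] in (4634, 4647):
            if lid in sessions and sessions[lid]["logoff"] is None:
                sessions[lid]["logoff"] = e["TimeCreated"]
            else:
                orphans.append(lid)
    return sessions, orphans


def session_seconds(session):
    """Session length, or None when the log has no logoff for it."""
    if session["logoff"] is None:
        return None
    return (session["logoff"] - session["logon"]).total_seconds()
```

Replace SAMPLE_EVENTS with the output of wevtutil qe Security /f:xml (one Event element per line) and the same functions run unchanged against a real export. Note that the filter deliberately tests AuthenticationPackageName rather than LmPackageName: a Kerberos logon has LmPackageName "-", and NTLM V1 versus V2 is a detail you read off LmPackageName after the NTLM filter has matched.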
ACS Event Retention Mechanism
Posted over 5 years ago by Eric Fitzgerald, 0 comments
I get a lot of questions about how ACS event retention works. So here you go, I'm blogging it so I can just answer with a link :-) There are two DWORD registry values which affect backlog transmission. Both are on the collector machine under HKLM\System...
ACS' first bug from being too performant
Posted over 5 years ago by Eric Fitzgerald, 0 comments
We got several reports recently of a bug in ACS that certain DS Access events, primarily for dnsNode and dnsZone objects, don't properly get looked up. Some background: the event log in Windows prefers to log invariants such as message IDs, parameter...
If you're gonna herd bots, do it from New Zealand!
Posted over 5 years ago by Eric Fitzgerald, 0 comments
A judge in New Zealand declined to convict the admitted (guilty plea) botherder of a million-bot botnet, citing the negative consequences a conviction would have on the young man's future prospects. See the story here. Well duh. The whole theory of...
WEvtUtil Scripting
Posted over 5 years ago by Eric Fitzgerald, 4 comments
If you haven't used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008, you're missing out. The new tool makes getting events out of the log pretty easy, but the main thing is that it doesn't suffer from any of the drawbacks...
Ned on Auditing
Posted over 5 years ago by Eric Fitzgerald, 1 comment
I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I'd point...
Windows Server 2008 Security Events Posted
Posted over 5 years ago by Eric Fitzgerald, 0 comments
Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference. Check it out in the Knowledge Base. Even better, they documented all the events in spreadsheet format...
Shameless Self-Promotion
Posted over 5 years ago by Eric Fitzgerald, 0 comments
There's one topic that I know is on everyone's mind- no, not American Idol - it's "What's new in Auditing in Windows Server 2008?" Well, funny that you brought that up. My friend Jesper Johansson just wrote a new book, the Windows Server 2008 Security...
ACS Event Transformation Demystified
Posted over 5 years ago by Eric Fitzgerald, 0 comments
I've decided to start dumping my knowledge of ACS for posterity's sake. My first installment is here, and it's an excerpt from an external email I put together which describes how event transformation works on ACS. Transformation is performed on...
You learn something new every day- Logon Type 0
Posted over 5 years ago by Eric Fitzgerald, 0 comments
Today I encountered something new in the logon event- I thought that was old hat and I knew all there was to know about that but I guess I was wrong. The logon event (528/540 prior to Windows Vista, 4624 in Vista and Windows Server 2008) has a field...
ACS Tidbits
Posted over 5 years ago by Eric Fitzgerald, 0 comments
Well there has been a lot happening on my old project, ACS (Audit Collection Services, a feature of System Center Operations Manager 2007). Two more of our partners, Enterprise Certified and NetPro, have released compliance solutions on top of ACS...
I always wondered who Björn was...
Posted over 5 years ago by Eric Fitzgerald, 1 comment
OK here's something I just remembered today. I may be the last person who remembers this so it's important that I record this somewhere. In the RTM bits of Windows NT 4.0, for the German language release only, someone snuck in a string resource into...
Why does Windows XP generate so many logon failure events?
Posted over 6 years ago by Eric Fitzgerald, 2 comments
I got the question last week, why there are so many logon failure events on Windows XP when it is not domain joined. The short answer is, by design. (Yes, bad design.) The longer answer is that the shell team is working around the fact that there...
List of Windows Server 2003 Events
Posted over 6 years ago by Eric Fitzgerald, 3 comments
So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published "Security Event Descriptions". This article was the "schema" so to speak, for the Windows NT 4.0 security event log events. Technically Windows events...
German court bans retention of logged IP addresses
Posted over 6 years ago by Eric Fitzgerald, 1 comment
A German court has ruled that a government web site may not retain IP addresses and other personally identifiable information (PII) in their logs for any longer than the user is actually using the site. The judges pointed out that in many cases it...
Ensuring that there's no useful data in your logs...
Posted over 6 years ago by Eric Fitzgerald, 0 comments
As I wrote about earlier, TorrentSpy, a file-sharing search engine, was ordered by a U.S. magistrate to enable logging on its servers and to subsequently make those logs available to the MPAA, the plaintiff in an illegal file-sharing lawsuit against TorrentSpy...
Page 1 of 4 (78 items)