thoughts from the Windows auditing team
I have resigned from Microsoft and am moving to another company. I hope my blog has been helpful to...
Date: 06/10/2012
Here's an interesting thing for you security types to be aware of. Many of you probably are careful...
Date: 08/22/2011
I was browsing around looking for logging regulations and stumbled across this. It's the United...
Date: 05/27/2011
In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, there are four events...
Date: 04/28/2011
Mitsuru, one of our support engineers in Japan, actually did some excellent research recently into...
Date: 07/16/2010
Hi Everyone, Sas sent me an email complaining that I am not posting as often as I should- sorry...
Date: 05/13/2010
UPDATE 2010-06-06 (EricF) - Fixed Vista+ architecture image; link was broken on migration to new...
Date: 08/10/2009
I've written twice (here and here) about the relationship between the "old" event IDs (5xx-6xx) in...
Date: 06/10/2009
I've written before on noise reduction in the Windows security event log. I've also written to...
Date: 09/04/2008
I get the question fairly often, how to use the logon events in the audit log to track how long a...
Date: 08/20/2008
I get a lot of questions about how ACS event retention works. So here you go, I'm blogging it so I...
Date: 07/17/2008
We got several reports recently of a bug in ACS that certain DS Access events, primarily for dnsNode...
Date: 07/16/2008
A judge in New Zealand declined to convict the admitted (guilty plea) botherder of a million-bot...
Date: 07/16/2008
If you haven't used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008,...
Date: 07/16/2008
I often talk about Ned, who is the current subject matter expert in Microsoft product support for...
Date: 04/19/2008
Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy...
Date: 04/16/2008
There's one topic that I know is on everyone's mind- no, not American Idol- it's "What's new in...
Date: 03/05/2008
I've decided to start dumping my knowledge of ACS for posterity's sake. My first installment is...
Date: 02/27/2008
Today I encountered something new in the logon event- I thought that was old hat and I knew all...
Date: 02/26/2008
Well there has been a lot happening on my old project, ACS (Audit Collection Services, a feature of...
Date: 02/01/2008
OK here's something I just remembered today. I may be the last person who remembers this so it's...
Date: 01/17/2008
I got the question last week, why there are so many logon failure events on Windows XP when it is...
Date: 11/09/2007
So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published...
Date: 10/12/2007
A German court has ruled that a government web site may not retain IP addresses and other personally...
Date: 10/03/2007
As I wrote about earlier, TorrentSpy, a file-sharing search engine, was ordered by a U.S. magistrate...
Date: 08/31/2007
https://arstechnica.com/news.ars/post/20070811-iphone-bill-is-surprisingly-xbox-huge-lol.html...
Date: 08/12/2007
This one kind of speaks for itself. I guess this is more of a privacy issue than a logging...
Date: 08/10/2007
I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog...
Date: 07/31/2007
To comply with EC telecommunications logging directives (as other EU nations recently have), the UK...
Date: 07/31/2007
My friend Dr. Tina Bird has put together a good list of regulatory requirements that pertain to...
Date: 07/10/2007
Draft law in Germany may force telcos & ISPs to gather logs; Gmail Germany may shut down as a result
A draft law (English translation) being proposed in Germany to enforce the European Mandatory Data...
Date: 06/26/2007
Working as I do for a company that exists because of copyright, I'm not particularly sympathetic to...
Date: 06/11/2007
A lot of you guys probably are using your SEM/SEIM systems to record logon and logoff activity...
Date: 05/08/2007
A lot of things in Active Directory audit events show up as GUIDs but are not translated. Why is...
Date: 05/03/2007
Special thanks to Raman in the Active Directory team for this one. Ever want to audit the creation...
Date: 05/03/2007
Doriansoft noticed that there's a relationship between our pre-Vista security event IDs and our...
Date: 04/18/2007
Woohoo! Thank you all for helping push my humble prose into the limelight. Our little community is...
Date: 02/08/2007
You might want to know where I go to get my information on audit events and so forth. Mostly I go to...
Date: 02/06/2007
I get asked the question pretty regularly how to determine from the security log whether a user...
Date: 02/05/2007
I wrote this as an answer for Tom, who emailed me, but I thought I'd share it with everyone. There...
Date: 10/26/2006
I get asked quite often "why is the Workstation name missing from some events?" I've explained that...
Date: 09/20/2006
Here is a link to an interesting blog article interpreting the audit requirement of the PCI...
Date: 09/12/2006
Source: https://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm Here is the most relevant...
Date: 08/31/2006
Source: https://laws.justice.gc.ca/en/c-5/232082.html, 8/31/2006 Here are two excerpts from the...
Date: 08/31/2006
Those of you who know the long and sordid history of ACS (Audit Collection Services, which I blogged...
Date: 06/16/2006
While searching for something else, I stumbled across this post. Disclaimer: I have never used...
Date: 05/08/2006
I just became aware that LogLogic has posted an open-source log collection system called Lasso that...
Date: 05/08/2006
Randy Franklin Smith has a site with a very good reference to security event log events. Randy also...
Date: 03/20/2006