Windows Security Logging and Other Esoterica
thoughts from the Windows auditing team
I have resigned from Microsoft and am moving to another company. I hope my blog has been helpful to...
Date: 06/10/2012
Here's an interesting thing for you security types to be aware of. Many of you probably are careful...
Date: 08/22/2011
I was browsing around looking for logging regulations and stumbled across this. It's the United...
Date: 05/27/2011
In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, there are four events...
Date: 04/28/2011
Mitsuru, one of our support engineers in Japan, actually did some excellent research recently into...
Date: 07/16/2010
Hi Everyone, Sas sent me an email complaining that I am not posting as often as I should- sorry...
Date: 05/13/2010
UPDATE 2010-06-06 (EricF) - Fixed Vista+ architecture image; link was broken on migration to new...
Date: 08/10/2009
I've written twice (here and here) about the relationship between the "old" event IDs (5xx-6xx) in...
Date: 06/10/2009
I've written before on noise reduction in the Windows security event log. I've also written to...
Date: 09/04/2008
I get the question fairly often, how to use the logon events in the audit log to track how long a...
Date: 08/20/2008
I get a lot of questions about how ACS event retention works. So here you go, I'm blogging it so I...
Date: 07/17/2008
We got several reports recently of a bug in ACS that certain DS Access events, primarily for dnsNode...
Date: 07/16/2008
A judge in New Zealand declined to convict the admitted (guilty plea) botherder of a million-bot...
Date: 07/16/2008
If you haven't used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008,...
Date: 07/16/2008
I often talk about Ned, who is the current subject matter expert in Microsoft product support for...
Date: 04/19/2008
Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy...
Date: 04/16/2008
There's one topic that I know is on everyone's mind- no, not American Idol- it's "What's new in...
Date: 03/05/2008
I've decided to start dumping my knowledge of ACS for posterity's sake. My first installment is...
Date: 02/27/2008
Today I encountered something new in the logon event- I thought that was old hat and I knew all...
Date: 02/26/2008
Well there has been a lot happening on my old project, ACS (Audit Collection Services, a feature of...
Date: 02/01/2008
OK here's something I just remembered today. I may be the last person who remembers this so it's...
Date: 01/17/2008
I got the question last week, why there are so many logon failure events on Windows XP when it is...
Date: 11/09/2007
So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published...
Date: 10/12/2007
A German court has ruled that a government web site may not retain IP addresses and other personally...
Date: 10/03/2007
As I wrote about earlier, TorrentSpy, a file-sharing search engine, was ordered by a U.S. magistrate...
Date: 08/31/2007
https://arstechnica.com/news.ars/post/20070811-iphone-bill-is-surprisingly-xbox-huge-lol.html...
Date: 08/12/2007
This one kind of speaks for itself. I guess this is more of a privacy issue than a logging...
Date: 08/10/2007
I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog...
Date: 07/31/2007
To comply with EC telecommunications logging directives (as other EU nations recently have), the UK...
Date: 07/31/2007
My friend Dr. Tina Bird has put together a good list of regulatory requirements that pertain to...
Date: 07/10/2007
Draft law in Germany may force telcos & ISPs to gather logs; Gmail Germany may shut down as a result
A draft law (English translation) being proposed in Germany to enforce the European Mandatory Data...
Date: 06/26/2007
Working as I do for a company that exists because of copyright, I'm not particularly sympathetic to...
Date: 06/11/2007
A lot of you guys probably are using your SEM/SIEM systems to record logon and logoff activity...
Date: 05/08/2007
A lot of things in Active Directory audit events show up as GUIDs but are not translated. Why is...
Date: 05/03/2007
Special thanks to Raman in the Active Directory team for this one. Ever want to audit the creation...
Date: 05/03/2007
Doriansoft noticed that there's a relationship between our pre-Vista security event IDs and our...
Date: 04/18/2007
Woohoo! Thank you all for helping push my humble prose into the limelight. Our little community is...
Date: 02/08/2007
You might want to know where I go to get my information on audit events and so forth. Mostly I go to...
Date: 02/06/2007
I get asked the question pretty regularly how to determine from the security log whether a user...
Date: 02/05/2007
I wrote this as an answer for Tom, who emailed me, but I thought I'd share it with everyone. There...
Date: 10/26/2006
I get asked quite often "why is the Workstation name missing from some events?" I've explained that...
Date: 09/20/2006
Here is a link to an interesting blog article interpreting the audit requirement of the PCI...
Date: 09/12/2006
Source: https://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm Here is the most relevant...
Date: 08/31/2006
Source: https://laws.justice.gc.ca/en/c-5/232082.html, 8/31/2006 Here are two excerpts from the...
Date: 08/31/2006
Those of you who know the long and sordid history of ACS (Audit Collection Services, which I blogged...
Date: 06/16/2006
While searching for something else, I stumbled across this post. Disclaimer: I have never used...
Date: 05/08/2006
I just became aware that LogLogic has posted an open-source log collection system called Lasso that...
Date: 05/08/2006
Randy Franklin Smith has a site with a very good reference to security event log events. Randy also...
Date: 03/20/2006