Windows Security Logging and Other Esoterica

thoughts from the Windows auditing team

I have resigned from Microsoft and am moving to another company. I hope my blog has been helpful to...

Date: 06/10/2012

Here's an interesting thing for you security types to be aware of. Many of you probably are careful...

Date: 08/22/2011

I was browsing around looking for logging regulations and stumbled across this. It's the United...

Date: 05/27/2011

In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, there are four events...

Date: 04/28/2011

Mitsuru, one of our support engineers in Japan, actually did some excellent research recently into...

Date: 07/16/2010

Hi Everyone, Sas sent me an email complaining that I am not posting as often as I should- sorry...

Date: 05/13/2010

UPDATE 2010-06-06 (EricF) - Fixed Vista+ architecture image; link was broken on migration to new...

Date: 08/10/2009

I've written twice (here and here) about the relationship between the "old" event IDs (5xx-6xx) in...

Date: 06/10/2009

I've written before on noise reduction in the Windows security event log. I've also written to...

Date: 09/04/2008

I get the question fairly often, how to use the logon events in the audit log to track how long a...

Date: 08/20/2008

I get a lot of questions about how ACS event retention works. So here you go, I'm blogging it so I...

Date: 07/17/2008

We got several reports recently of a bug in ACS that certain DS Access events, primarily for dnsNode...

Date: 07/16/2008

A judge in New Zealand declined to convict the admitted (guilty plea) botherder of a million-bot...

Date: 07/16/2008

If you haven't used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008,...

Date: 07/16/2008

I often talk about Ned, who is the current subject matter expert in Microsoft product support for...

Date: 04/19/2008

Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy...

Date: 04/16/2008

There's one topic that I know is on everyone's mind- no, not American Idol- it's "What's new in...

Date: 03/05/2008

I've decided to start dumping my knowledge of ACS for posterity's sake. My first installment is...

Date: 02/27/2008

Today I encountered something new in the logon event- I thought that was old hat and I knew all...

Date: 02/26/2008

Well there has been a lot happening on my old project, ACS (Audit Collection Services, a feature of...

Date: 02/01/2008

OK here's something I just remembered today. I may be the last person who remembers this so it's...

Date: 01/17/2008

I got the question last week, why there are so many logon failure events on Windows XP when it is...

Date: 11/09/2007

So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published...

Date: 10/12/2007

A German court has ruled that a government web site may not retain IP addresses and other personally...

Date: 10/03/2007

As I wrote about earlier, TorrentSpy, a file-sharing search engine, was ordered by a U.S. magistrate...

Date: 08/31/2007

https://arstechnica.com/news.ars/post/20070811-iphone-bill-is-surprisingly-xbox-huge-lol.html...

Date: 08/12/2007

This one kind of speaks for itself. I guess this is more of a privacy issue than a logging...

Date: 08/10/2007

I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog...

Date: 07/31/2007

To comply with EC telecommunications logging directives (as other EU nations recently have), the UK...

Date: 07/31/2007

My friend Dr. Tina Bird has put together a good list of regulatory requirements that pertain to...

Date: 07/10/2007

A draft law (English translation) being proposed in Germany to enforce the European Mandatory Data...

Date: 06/26/2007

Working as I do for a company that exists because of copyright, I'm not particularly sympathetic to...

Date: 06/11/2007

A lot of you guys probably are using your SEM/SEIM systems to record logon and logoff activity...

Date: 05/08/2007

A lot of things in Active Directory audit events show up as GUIDs but are not translated. Why is...

Date: 05/03/2007

Special thanks to Raman in the Active Directory team for this one. Ever want to audit the creation...

Date: 05/03/2007

Doriansoft noticed that there's a relationship between our pre-Vista security event IDs and our...

Date: 04/18/2007

Woohoo! Thank you all for helping push my humble prose into the limelight. Our little community is...

Date: 02/08/2007

You might want to know where I go to get my information on audit events and so forth. Mostly I go to...

Date: 02/06/2007

I get asked the question pretty regularly how to determine from the security log whether a user...

Date: 02/05/2007

I wrote this as an answer for Tom, who emailed me, but I thought I'd share it with everyone. There...

Date: 10/26/2006

I get asked quite often "why is the Workstation name missing from some events?" I've explained that...

Date: 09/20/2006

Here is a link to an interesting blog article interpreting the audit requirement of the PCI...

Date: 09/12/2006

Source: https://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm Here is the most relevant...

Date: 08/31/2006

Source: https://laws.justice.gc.ca/en/c-5/232082.html, 8/31/2006 Here are two excerpts from the...

Date: 08/31/2006

Those of you who know the long and sordid history of ACS (Audit Collection Services, which I blogged...

Date: 06/16/2006

While searching for something else, I stumbled across this post. Disclaimer: I have never used...

Date: 05/08/2006

I just became aware that LogLogic has posted an open-source log collection system called Lasso that...

Date: 05/08/2006

Randy Franklin Smith has a site with a very good reference to security event log events. Randy also...

Date: 03/20/2006
