Welcome to MSDN Blogs Sign in | Join | Help

Browse by Tags

All Tags » Tips   (RSS)

Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+

I've written twice ( here and here ) about the relationship between the "old" event IDs (5xx-6xx) in WS03 and earlier versions of Windows, and between the "new" security event IDs (4xxx-5xxx) in Vista and beyond. In short, EventID(WS03) + 4096 = EventID(WS08) Read More...
Posted Wednesday, June 10, 2009 4:09 PM by Eric Fitzgerald | 1 Comments
Filed under: , ,

Minimizing Directory Service Audit Event Noise

I've written before on noise reduction in the Windows security event log. I've also written to describe how object access auditing works . But, I still get questions on how to reduce noise from object access events. The other day I got that question, Read More...
Posted Thursday, September 04, 2008 2:51 PM by Eric Fitzgerald | 0 Comments
Filed under: ,

Tracking User Logon Activity Using Logon Events

I get the question fairly often, how to use the logon events in the audit log to track how long a user was using their computer and when they logged off. As I have written about previously, this method of user activity tracking is unreliable . It works Read More...
Posted Wednesday, August 20, 2008 4:32 PM by Eric Fitzgerald | 1 Comments
Filed under: , ,

Ned on Auditing

I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I'd point Read More...
Posted Saturday, April 19, 2008 8:14 PM by Eric Fitzgerald | 1 Comments
Filed under: ,

You learn something new every day- Logon Type 0

Today I encountered something new in the logon event- I thought that was old hat and I knew all there was to know about that but I guess I was wrong. The logon event ( 528/540 prior to Windows Vista, 4624 in Vista and Windows Server 2008) has a field Read More...
Posted Tuesday, February 26, 2008 12:49 PM by Eric Fitzgerald | 1 Comments
Filed under: ,

Why does Windows XP generate so many logon failure events?

I got the question last week, why there are so many logon failure events on Windows XP when it is not domain joined. The short answer is, by design. (Yes, bad design.) The longer answer is that the shell team is working around the fact that there is no Read More...
Posted Friday, November 09, 2007 3:23 PM by Eric Fitzgerald | 3 Comments
Filed under: ,

List of Windows Server 2003 Events

So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published " Security Event Descriptions ". This article was the "schema" so to speak, for the Windows NT 4.0 security event log events. Technically Windows events Read More...
Posted Friday, October 12, 2007 11:45 AM by Eric Fitzgerald | 1 Comments
Filed under: , ,

Help! Someone has deleted events from my Windows event log!

From time to time I hear this, and it usually turns out not to be the case. I'll begin with a little background. First, The eventlog service does not have (and never did have) any public or private API to delete individual events- there is a log clear Read More...
Posted Friday, August 10, 2007 3:59 PM by Eric Fitzgerald | 1 Comments
Filed under: ,

Documentation on the Windows Vista and Windows Server 2008 Security Events

I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post complaining that the " add 4096 " rule doesn't work because we collapsed the logon events into a single success event and failure event (from 2 success Read More...
Posted Tuesday, July 31, 2007 2:36 PM by Eric Fitzgerald | 2 Comments
Filed under: , , ,

The Trouble With Logoff Events

A lot of you guys probably are using your SEM/SEIM systems to record logon and logoff activity without much of a second thought. I just thought I'd bring one problem to your attention. Logoff events are not strictly reliable. From an engineering sense Read More...
Posted Tuesday, May 08, 2007 1:37 PM by Eric Fitzgerald | 2 Comments
Filed under: , ,

Enumerating Stuff in AD when all you see is GUIDs in Audit Records

A lot of things in Active Directory audit events show up as GUIDs but are not translated. Why is that? Well, the Event Viewer in Windows only translate one kind of AD guid, the objectGUID. However AD uses GUIDs in several ways. For instance, group policy Read More...
Posted Thursday, May 03, 2007 1:19 PM by Eric Fitzgerald | 0 Comments
Filed under:

Where do I get my information on Windows auditing?

You might want to know where I go to get my information on audit events and so forth. Mostly I go to the source code or one of our developers. For continuity-of-employment reasons I won't be posting a link to that here ;-) We have some old specs and some Read More...
Posted Tuesday, February 06, 2007 2:12 PM by Eric Fitzgerald | 1 Comments
Filed under: ,

Determining Whether a User Logged on Using A Smart Card

I get asked the question pretty regularly how to determine from the security log whether a user logged on using a smart card or not. The short answer is, you can't be absolutely certain. The longer answer is, well, you can be pretty certain for the time Read More...
Posted Monday, February 05, 2007 4:40 PM by Eric Fitzgerald | 1 Comments
Filed under: ,

Trustworthiness of Information in Audit Records

I get asked quite often "why is the Workstation name missing from some events?" I've explained that elsewhere . But this raises another issue that many of you might not have considered, and I want to take a few minutes to explain. The Windows Security Read More...
Posted Wednesday, September 20, 2006 10:57 AM by Eric Fitzgerald | 2 Comments
Filed under:

A good 3rd-party reference to the Windows security event log

Randy Franklin Smith has a site with a very good reference to security event log events. Randy also does training on Windows security log analysis. Read More...
Posted Monday, March 20, 2006 11:31 AM by Eric Fitzgerald | 1 Comments
Filed under: ,
More Posts Next page »
 
Page view tracker