Windows Event Logs

1. Introduction

Windows event logs hold structured records written by many event providers and grouped into separate logs (channels). In this module you will learn about the most common logs and how to find the events that matter on your system.

Events can be viewed both from PowerShell (the Get-WinEvent cmdlet) and with the graphical Event Viewer (eventvwr.msc). Open the latter by typing "Event Viewer" into the Start menu.

Upon opening the Event Viewer, you'll find various event provider categories:

  • Custom Views contains saved filters you create to collect events from several logs in a single place.

  • Windows Logs contains the classic core logs: Application, Security, Setup, System and Forwarded Events (this is the most important category).

  • Applications and Services Logs contains the logs of everything else (applications and services, both from Microsoft and third parties).

In the latter two categories you will find the individual logs, such as Application and Security. Clicking a log shows its events as a list in the middle pane. Event lists can be overwhelming, so it is usually a good idea to narrow the list to what you are looking for (by event ID, level or time range) with the Filter Current Log... button on the right. The filter can be removed again with the Clear Filter... button.
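The PowerShell equivalent of browsing the Event Viewer tree and applying Filter Current Log..., as an added example that is not part of the original page. It assumes an elevated session (the Security log is readable only by administrators and members of Event Log Readers); the function names are my own.

```powershell
# Added example (not from the original page): browsing and filtering event logs from PowerShell.
# Run in an elevated session; reading the Security log needs administrator rights.

# Which logs exist and which actually hold records. "Windows Logs" in Event Viewer are the
# classic logs (Application, Security, Setup, System, ForwardedEvents); everything else shows
# up under Applications and Services Logs with names like Microsoft-Windows-PowerShell/Operational.
function Get-PopulatedLog {
    param([int]$Top = 15)
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        Sort-Object RecordCount -Descending |
        Select-Object -First $Top LogName, RecordCount, LogMode, MaximumSizeInBytes
}

# The equivalent of clicking a log and using Filter Current Log...: -FilterHashtable is
# evaluated by the event log service, so it is far faster than piping every event through
# Where-Object. Supported keys include LogName, ProviderName, Id, Level, StartTime, EndTime.
function Get-RecentEvent {
    param(
        [string]$LogName = 'System',
        [int[]]$Id,                                   # omit to return every event ID
        [datetime]$StartTime = (Get-Date).AddHours(-24),
        [int]$MaxEvents = 50
    )
    $filter = @{ LogName = $LogName; StartTime = $StartTime }
    if ($Id) { $filter.Id = $Id }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events"
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message
}

Get-PopulatedLog

# Event log service started (6005) / stopped (6006) in the last week: gaps here are worth a look
Get-RecentEvent -LogName 'System' -Id 6005, 6006 -StartTime (Get-Date).AddDays(-7)

# Inspect one event in full: the rendered message and the raw XML that filters operate on
$e = Get-WinEvent -LogName 'System' -MaxEvents 1
$e | Format-List TimeCreated, Id, ProviderName, Message
$e.ToXml()
```

The raw XML is worth looking at once: the named Data fields in EventData are what the XML filter tab in Event Viewer and the -FilterXPath parameter of Get-WinEvent match against.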

2. Common Events

2.1 Password Change (Event ID 4723 and 4724)

Password changes surface as two different events, and the distinction matters when investigating: 4723 ("An attempt was made to change an account's password") is logged when a user changes their own password and has to supply the old one, while 4724 ("An attempt was made to reset an account's password") is logged when an administrator resets a password without knowing the old one. Both record the Subject (who performed the action) and the Target Account (whose password was changed). Most security-related events, including these, can be found in Windows Logs -> Security, which only administrators and members of Event Log Readers can read. Since there are far too many events to go through manually, set up a filter for the two event IDs (enter 4723,4724) with the Filter Current Log... button on the right sidebar.

2.2 User Account Created (Event ID 4720)

Event ID 4720 ("A user account was created") is logged when a new local or domain account is created. The Subject fields tell you who created the account, the New Account fields which account was created, and the event's timestamp when. On a busy system, filtering by ID alone leaves too many events, so narrow it further, for example by the new account's name with the Find... action or with an XML filter on the TargetUserName field.

2.3 User Added to Group (Event ID 4728, 4732 and 4756)

Group membership changes are logged with one event ID per group type: 4728 (member added to a security-enabled global group), 4732 (member added to a security-enabled local group, which includes built-in groups such as Administrators) and 4756 (member added to a security-enabled universal group). Each records the Subject (who added the member), the Group (in the Target fields) and the Member Name (the account that was added). Additions to the local Administrators group (4732) are the ones to watch most closely.
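One query that serves sections 2.1, 2.2 and 2.3, as an added example that is not part of the original page: it pulls the password, account-creation and group-membership events from the Security log, flattens the named EventData fields out of each event's XML, and lets you narrow to a single account (the "more specific filter" of 2.2). The function name and the sample account name svc_backup are placeholders of my own; the field names (SubjectUserName, TargetUserName, MemberName) are the ones these events carry.

```powershell
# Added example (not from the original page): account-management events from the Security log
# turned into flat objects. Needs an elevated session. The field names used below are the
# EventData names carried by these events; the function and sample account names are placeholders.

$EventMeaning = @{
    4720 = 'User account created'
    4723 = 'Password change attempted (user supplied old password)'
    4724 = 'Password reset attempted (administrator, no old password)'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
}

function Get-AccountChangeEvent {
    param(
        [int[]]$Id = @(4720, 4723, 4724, 4728, 4732, 4756),
        [datetime]$StartTime = (Get-Date).AddDays(-7),
        [string]$TargetUserName,   # optional: only events about this account
        [int]$MaxEvents = 500
    )
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a list of <Data Name="...">value</Data>; flatten it into a hashtable
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Id       = $_.Id
                Meaning  = $EventMeaning[$_.Id]
                Subject  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"  # who did it
                Target   = $d['TargetUserName']   # account created/changed; the GROUP for 4728/4732/4756
                Member   = $d['MemberName']       # account added to the group (group events only)
                Computer = $_.MachineName
            }
        } |
        Where-Object {
            -not $TargetUserName -or
            $_.Target -eq $TargetUserName -or
            $_.Member -like "*$TargetUserName*"      # MemberName is a distinguished name, so match loosely
        }
}

# Everything from the last 7 days, newest first
Get-AccountChangeEvent | Sort-Object Time -Descending | Format-Table -AutoSize

# Section 2.2: who created the account svc_backup (placeholder name) and when
Get-AccountChangeEvent -Id 4720 -TargetUserName 'svc_backup' -StartTime (Get-Date).AddDays(-30)

# Section 2.3: every addition to the local Administrators group in the last 30 days
Get-AccountChangeEvent -Id 4732 -StartTime (Get-Date).AddDays(-30) |
    Where-Object Target -eq 'Administrators' | Format-List
```

Note that for the three group events the TargetUserName field names the group, not the user; the user who was added is in MemberName (as a distinguished name, or the SID in MemberSid when the name could not be resolved).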

2.4 Windows Firewall

Windows Firewall events record changes to the firewall, such as a rule allowing network access to a new service or a change to which ports accept inbound connections. The rule-change events are 2004 (rule added), 2005 (rule modified) and 2006 (rule deleted); 2003 records a changed profile setting. They can be reviewed for misconfigurations or unauthorized changes. Unlike the events covered so far, these are written to an application log rather than the Security log, so they will not appear under Windows Logs. Instead, go to Applications and Services Logs -> Microsoft -> Windows -> Windows Firewall With Advanced Security -> Firewall (the log is named Microsoft-Windows-Windows Firewall With Advanced Security/Firewall in PowerShell).

  • Locate the Windows Firewall logs under Applications and Services Logs -> Microsoft -> Windows -> Windows Firewall With Advanced Security -> Firewall.

  • Find the event for the Allow Database access firewall rule.

  • Answer the question below:

What is the full application path of the event?
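The same lookup from PowerShell, as an added example that is not part of the original page: it reads rule-change events from the firewall log and pulls out the rule name, application path and the principal that made the change, which is the information the exercise above asks for. The function name is my own; the EventData field names (RuleName, ApplicationPath, LocalPorts, ModifyingUser, ModifyingApplication) are the ones the 2004/2005 events carry.

```powershell
# Added example (not from the original page): firewall rule changes from the
# Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log.
# 2004 = rule added, 2005 = rule modified, 2006 = rule deleted (2006 carries only the
# rule id/name and the modifying principal). Field names follow the events' EventData schema.

function Get-FirewallRuleChange {
    param(
        [string]$RuleName = '*',                      # wildcard match on the rule display name
        [datetime]$StartTime = (Get-Date).AddDays(-30)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2004, 2005, 2006
        StartTime = $StartTime
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time            = $_.TimeCreated
            Change          = @{ 2004 = 'Added'; 2005 = 'Modified'; 2006 = 'Deleted' }[$_.Id]
            RuleName        = $d['RuleName']
            LocalPorts      = $d['LocalPorts']
            Protocol        = $d['Protocol']            # IANA protocol number, e.g. 6 = TCP
            ApplicationPath = $d['ApplicationPath']     # the "full application path" the rule is scoped to
            ModifyingUser   = $d['ModifyingUser']       # SID of the principal that changed the rule
            ModifyingApp    = $d['ModifyingApplication'] # program that made the change (netsh, mmc, installer...)
        }
    } | Where-Object { $_.RuleName -like $RuleName }
}

# The rule from the exercise above
Get-FirewallRuleChange -RuleName 'Allow Database access' | Format-List

# Hunting view: every rule created or changed by something other than the firewall console
Get-FirewallRuleChange | Where-Object { $_.ModifyingApp -notlike '*\mmc.exe' } |
    Sort-Object Time -Descending | Format-Table Time, Change, RuleName, ApplicationPath, ModifyingApp -AutoSize
```

ModifyingUser is a SID; resolve it with (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]) when you need the account name.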

2.5 Registry Access

If you look for registry events in the Security log of a default installation, you will not find any. Many kinds of events are not logged by default, and registry access is one of them. Enabling them takes two steps, not one. First, turn on object access auditing: open Local Security Policy from the Start menu and go to Local Policies -> Audit Policy -> Audit object access (or, more precisely, the Registry subcategory under Advanced Audit Policy Configuration -> Object Access). Second, add an auditing entry (a SACL) to each registry key you want to monitor, in regedit via the key's Permissions -> Advanced -> Auditing tab. The policy alone produces no events; the SACL specifies which keys, which principals and which kinds of access get audited. Audited accesses then appear in the Security log as 4663 (an attempt was made to access an object) and, for value changes, 4657 (a registry value was modified).
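The two steps scripted end to end, as an added example that is not part of the original page: enable the Registry audit subcategory, put a SACL on a key, trigger a change and read back the resulting events. It needs an elevated session; the key HKLM:\SOFTWARE\Demo and the value name Probe are placeholders created by the example.

```powershell
# Added example (not from the original page): enable registry auditing and confirm events arrive.
# Needs an elevated session (Set-Acl on a SACL requires SeSecurityPrivilege).
# Two things are required: the audit policy AND a SACL on the key. The policy alone logs nothing.

# 1) Enable Object Access -> Registry auditing (the subcategory behind "Audit object access")
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# 2) Put a SACL on the key to monitor. HKLM:\SOFTWARE\Demo is a placeholder key for this example.
$keyPath = 'HKLM:\SOFTWARE\Demo'
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',                                                        # whose accesses to audit
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # also subkeys
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $keyPath -Audit     # -Audit is required to read and later write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3) Make an audited change, then read the events it produced. Registry events land in the
#    Security log: 4657 = a registry value was modified, 4663 = an attempt was made to access
#    an object (4656 with a failure keyword shows denied handle requests).
Set-ItemProperty -Path $keyPath -Name 'Probe' -Value 'changed'

function Get-RegistryAuditEvent {
    param([string]$KeyPattern = '*\SOFTWARE\Demo*', [datetime]$StartTime = (Get-Date).AddMinutes(-5))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object  = $d['ObjectName']        # kernel path, e.g. \REGISTRY\MACHINE\SOFTWARE\Demo
                Value   = $d['ObjectValueName']   # 4657 only
                Process = $d['ProcessName']       # which program touched the key
            }
        } | Where-Object { $_.Object -like $KeyPattern }
}

Get-RegistryAuditEvent | Format-Table -AutoSize
```

Keep the SACL narrow (specific keys, specific rights): auditing every access under broad keys such as HKLM\SOFTWARE floods the Security log and wraps older, more useful events out of it.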
