Penetration Testing

Understating Guide of Windows Security Policies and Event Viewer

Hello friends! This article will be helpful to considerate the importance of event viewer and how to read the logs generated by event view that help in troubleshooting of any system or application problem.  

In order to view Event logs press “window key + R” to open run command and type “eventvwr.msc” then hit the enter key.

Windows Event Viewer is a tool which monitors the activity of your system by maintaining some kinds of log such as application log, system log and etc. It starts automatically when you turn on your system to assemble the details critical state about hardware and software. These logs help a system administrator to troubleshoot the problems of the machine and identify with what is going on. He could use Event Viewer to view and manage the event logs.

From the below image, you can observe the window screen is categories into three panels as described below:

The left side contains some folders which keep records of every task performed by machines such as windows log i.e. system or security.

 The middle part contains a list of events, it contains detail of every event occurred by recording their logs which are known as Event type such as “information, warning or error” and their details.

The right side presents a list of some other actions such as creating custom views, filtering, or even creating a scheduled task depends on a specific event.

Most Important Event Logs

Remarkably there are three kinds of Event Logs:

System Log: Any action or task performed by an operating system such as such an unexpected shutdown and turn ON/OFF of any service is recorded under the System log.

Application Log: The Application log records all events by programs such as successful installation or stops responding while running.

Security Log:  The Security log records security events, such as legitimate and unacceptable logon attempts which will represent as audit success for the valid attempt and audit failure for the invalid attempt.  These logs help in identifying any possible breaches to security. By default security log is disabled you need to enable them for your system through local security policy.

Enable Local Security Policy for Security logs

Now open Local security policy logs press “window key + R” to open run command and type “secpol.msc” then hit the enter key, then change the security setting for Audit policy under security setting > Local Policies> Audit policy in order to receive its log inside event viewer security logs.

From given below image you can observe that there is not any single security policy is auditing, which means it will not create any security log inside event viewer. 

Let’s enable any one policy for auditing to test what kind of security log will be generated when we will move into event viewer security log. Here I had chosen “Audit account logon event” for auditing.

It will open a new window for its property setting you as shown in given image Enable the checkbox for Success and Failure, click on apply to enable this policy for auditing.

Hence when a user will Enter password on logon screen it will generate log as audit success for valid login attempt and audit failure logs for the invalid attempt. 

Now you can observe from given below image it is showing auditing: success & failure for account logon event.

You can check it by login into your system and type the wrong password as invalid attempt and then finally enter the correct password for the valid attempt and then verify generated security logs for you this kind of action.

In order to view Security Event logs press “window key + R” to open run command and type “eventvwr.msc” then hit the enter key.

Now explore Security event logs under Windows logs, here you will observe some log entries generated by Security-Auditing as Audit success for valid login attempt and Audit failure for invalid login attempt.

Event Types

The details of logs are depended upon different types of event and event logs mainly classify in five categories as described below:

Event Type Definition
Error Considerable trouble, such as loss of data or loss of functionality or fault in problem execution.
Warning This type of event that might not be considered, but might point out a future problem.
Information An event that describes the successful operation of an application, driver, or service.
Success Audit An audited security access attempt that succeeds. {In security logs}
Failure Audit An audited security access attempt that fails. {In security logs}

From given below image you can observe that the logs are records in 5 columns to store their important details

Level: displays event type

Date and time: displays the date and time of event type when it generated

Source: the source of event type due to which event log is created.

Event Id: The Event Viewer uses event IDs to describe the uniquely identifiable events that a Windows computer can come upon. 

Task category: Used to represent activity of the event launcher program.

General Details of Event Log

Admin can take help of General property in order to read a brief description of the event log which could be helpful in troubleshooting of some problems. He can also read complete detail of property for any occurred event which is stored under Details Tab.

The general property contains the following information of an event log:

Property name Description
Log Name Window log category it may be system, application or security logs.
Source The source that produced the event. It might be an application or system component
Event Id The Event Viewer uses event IDs to describe the uniquely identifiable events that a Windows computer can come upon. 
Level Information, Warning, Error, Success Audit, and Failure Audit
User Display user name who has logged onto the computer when the event occurred
OpCode Operational code Contains a numeric value that identifies the activity or a point within an activity that the application was performing when it raised the event. For example, initialization or closing.
Logged The name of the log where the event was recorded
Task category: Used to represent activity of the event launcher program.
Keywords It can be used to filter or search for events. Such as “audit failure” or “Respond time.”
Computer The computer where the event occurred

Clear Logs

If you want to remove entire records of logs then move your cursor at the right side of window screen and click on option “clear log” under Action tab as shown in the given below image. Then a dialog box will pop up to confirm your action, here it lets you save the previous log in another location.   

 

Create a Custom Event

If you want to keep a record of specific event type for a particular task occurred then you can use “custom event” which will only keep records of those event type which you have defined for a particular service or application.

Again move your cursor at the right side of window screen and click on option “custom event” under Action tab as shown in the given below image.

A window screen will pop up which will generate a customized log according to you. From given below image you can observe that I wish to get few event types for which checkbox is enabled from event source as Remote access only for invalid login attempt.

This custom event log will be saved in a new folder “RDP” under event viewer > custom view. Enter the name for your event log and description as shown in the given below image. It decreases the level of records and makes ease in problem troubleshoot.

Deleting Event viewer from victims system

This section is applicable only for the hacked system, so if you have hacked any windows machine using Kali Linux and obtain victim’s meterpreter session then run given below command for deleting all record of logs from his system. Preserve yourself from being caught by any kind of investigation.

meterpreter> clearev

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here