Author Archives: Michael Karsyan

Windows Event Viewer cannot read classic event logs anymore

Although era of Windows XP is over, there are still a great number of PCs running this operating system or Windows 2003 Server. According to different researches, in 2018 Windows XP market share was more than 4% of all desktop operating systems. Windows 2003 Server still has more than 10% of server operating systems. Moreover, Microsoft still supports Windows Embedded POSReady 2009 which is based on Windows XP.

This means that millions of computers across the globe still run XP-based OS and log their events in classic (evt) event logs.

When Windows Vista appeared in 2007, it introduced a new event log format along with new Event Viewer. This Event Viewer went through Windows 7, 8, and got to Windows 10 practically unchanged. It was designed to open event log files in both formats – new (evtx) and legacy (evt).

Unfortunately, Windows API doesn’t support evt files anymore and API function OpenBackupEventLog returns error 1500  (Log file is corrupted) when opening evt files. That’s why many third-party event viewers cannot read evt files on modern Windows. Event Viewer parses evt files and displays them like native evtx files. However, Windows 10 Event Viewer stopped working correctly.  First, we noticed that it doesn’t display event date and time for evt log files exported with Event Log Explorer (our application can export events to legacy format). Suggesting that this issue could be a bug of Event Log Explorer, we took several event log files from Windows XP – we saved several event logs as files using Windows XP Event Viewer and got a couple of “live” legacy event logs. In every case, Windows 10 Event Viewer failed to display event datetime for these log files.

Windows Event Viewer doesn't display date time of classic legacy logs.

Since event timestamp is a key field for any forensic examination, this makes impossible using Windows Event Viewer as a forensic tool for legacy log analysis.

Event Log Explorer doesn’t have this problem and displays event date and time correctly.

Event Log Explorer displays date and time correctly

Want to read evt files? Download Event Log Explorer now!

facebooktwittergoogle_plusredditpinterestlinkedinmail

Elodea – First Review

Recently we released a new product that collects events from different sources, sends them into a database and alerts on important events.

Elodea (acronym for Event Log Dispatcher and Event Alerter).

The program and its documentation are available on this page:

https://eventlogxp.com/elodea.html

In this article I will demonstrate how to setup and configure Elodea on your PC.

To simplify the demonstration process, we will work solely with a local computer. But you can use this experience when setting up Elodea in your network.

First, you will need to install Microsoft SQL Server.

Elodea supports all SQL Servers editions (starting from SQL Server 2008), so you may try even free SQL Server Express available at

https://www.microsoft.com/sql-server/sql-server-editions-express

You can use any Windows (server or workstation) starting from Windows Server 2008 (or Windows Vista).

Install SQL Server on your computer. You can setup it with the default installation options.

It is not necessary, but I would recommend to install SQL Server Management Studio (SSMS). SQL Server installer may prompt you to install SSMS or you can download it from

https://docs.microsoft.com/sql/ssms/download-sql-server-management-studio-ssms

Download Elodea and Event Log Explorer from

https://eventlogxp.com/download.html

Start Elodea installer by running file elodea_setup.exe

Follow the setup wizard steps. When the Setup prompts you to install Collector Service, select to install it under a User account and input your own Windows user name and password in the related lines.

Elodea - service setup.

We will run the service under a user account because SQL Server Express by default enables only Windows user authentication and assigns the dbo rights to a user who installed the SQL Server.

Now you can configure Elodea by starting Elodea Event Collector Settings from Windows Start menu.

Elodea - Service tab

Review the Settings tab and make sure that the service not started. Switch to the Db Connection tab to configure database connection.

Input localhost\SQLEXPRESS into Db Connection (this is the default instance name for SQL Server Express on a local computer, you can also use COMPUTER_NAME\ SQLEXPRESS).

Elodea DB connection tab

Click Create new database to create a new database. A new window will appear.

Create a new database

Click Connect button, type Elodea into the Database name, and then click Create button. You will see a message that the database was created, then this window will be closed and the program will connect to this new database.

Switch to SMTP Connection to set up connection to a SMTP server to receive alerts from Elodea.

SMTP settings

Type your SMTP server name, input SMTP port number and enable SSL connection if required. Enter your name and your password and then click Check now to verify connection and save your settings.

Switch to the Feeds tab.

Feed is a special Elodea entity that describes what events and from what sources will be collected by Elodea.

Elodea feeds

Create a feed for Application events by clicking on Add feed button.

Create a new feed

Type AppEvents into as feed name and change Description mode to 3 – all. Click Ok.

Create a subscription in AppEvents feed

Then create a subscription in this Feed by clicking on Add subscription button.

Set Subscription model to Push and set XML query to __application_all.xml. Click Test button to verify the selected XML query is valid. Press OK button.

We created a Standard feed subscribing to all application events on a local computer.

Let’s create a feed that receive error events from Application and System logs and sends email notifications on errors:

Create Add feed button.

Type Errors into Feed name, change Type to Alarm and change Description mode to 3.

Create Alarm feed

Note that a new type Actions appear in the top of this window. Switch to this tab.

Action details on alarm feed

Select Email option, then input your email details into From, To and Subject fields. Make sure that addresses are valid. Set Template to __default.txt and click OK button.

Press Add subscription, set Subscription model to Push and set XML query to __application_system_error.xml, then press OK.

Now you have 2 feeds, AppEvents and Errors.

Let’s try it! Switch to the Service tab and click Start and make sure that the service status has changed to running. Make several events in the application log.

Open Windows Command Prompt and type commands:

eventcreate /id:1 /d:"test event" /t:Information
eventcreate /id:2 /d:"test event" /t:Warning
eventcreate /id:3 /d:"test event" /t:Error
eventcreate /id:4 /d:"test event" /t:Information 
EventCreate command

Let’s view what is in the database. You can check it using SQL Server Management Studio, but it is better to view the database using Event Log Explorer:

Start Event Log Explorer.

Select Database -> Connect from the main menu.

Enter localhost\SQLEXPRESS into Database server field, tick Use operating system authentication, type Elodea into Database name field, then click OK.

Now you can load tables. Select Database -> Load table from the main menu.

Select fd_AppEvents, then select Database -> Load table again and select fd_Errors.

2 tabs will appear in Event Log Explorer:

fd_AppEvents

AppEvents feed in Event Log Explorer

fd_Errors

Errors feed in Event Log Explorer

And you can work with these tables in Event Log Explorer as you work with a general event logs. E.g. you can run analytical reports for these events:

Elodea

Error feed should also collect errors from the system log. Test it:

eventcreate /id:100 /d:"test event" /t:Error
/l:System 

Verify email notifications:

email notification about error event

Now you can quit Elodea event collector settings – the collector service will continue working all the time when your computer is on.

facebooktwittergoogle_plusredditpinterestlinkedinmail

Event Log Database Exporter

One of the great features in Event Log Explorer 4.7 is a command line utility to export event logs to the database (eldbx.exe). Using this utility, you can make a centralized storage of events for better forensic investigations and improve system and security management on your network.

In the previous article I described how to export events into the database directly from Event Log Explorer application. You can use new Database -> Upload to table command to save a current log view into a SQL table. However, this method has a number of drawbacks:

  • You need to open event log before export
  • It is difficult to export many logs in a row
  • If exporting XML data option enabled, the whole export procedure may take very long time.

Event Log Database Export Utility (eldbx.exe) is free of these drawbacks.  It’s a console utility and you can use it in batch files to export different logs in a row. And it is always exporting XML data fast enough.

The utility is described in Event Log Explorer documentation.

The output table is compatible with Elodea table format. And you can load the exported tables in Event Log Explorer using Database -> Load table command.

How to use Event Log Database Exporter.

The utility is compatible with Microsoft SQL Server (or SQL Server Express) 2008 or better.

First, we recommend you to create a separate database for the logs. You can create it from Event Log Explorer as described in Using Event Log Explorer to access database events or create it using SQL Server utilities (e.g. Microsoft SQL Server Management Studio).

Alternatively, you can create the database using the utility itself:
Just run it using CreateDB command. E.g. if you have SQL Server Express installed on your local machine, to create database Events on it, just run the utility as follows:

eldbx CREATEDB /DBSERVER:localhost\SqlExpress /DBNAME:Events

eldbx will try to connect SQLServer using your current Windows credential and create database Events using default parameters. You can check other database settings on eldbx documentation page. For database tuning, I recommend using SQL Server Management Studio to create or alter the database – it gives maximum flexibility in fine-tuning the database.

Now, let’s export local system log into SQL table SysEvents.

eldbx EXPORT /DBSERVER:localhost\SqlExpress /DBNAME:Events /TABLE:SysEvents /LOGNAME:System

To export system log from another computer (Host1) and append its events to SysEvents table, run this command:

eldbx EXPORT /DBSERVER:localhost\SqlExpress /DBNAME:Events /TABLE:SysEvents  /TXA:append /HOST:Host1 /LOGNAME:System

This command assumes that your current user have access to the system event log from Host1. If your permissions are not enough, you can explicitly specify user name and password to access the log. Just add 2 parameters to the previous command line:

eldbx EXPORT /DBSERVER:localhost\SqlExpress /DBNAME:Events /TABLE:SysEvents  /TXA:append /HOST:Host1 /LOGNAME:System /User:username /Password:password

Export specific events

You may want to export only specific events.

Let’s export the Application event log without Information and Warning events and add the System log without Information events.

First, we need to create an XML query. Since the syntax of XML query allows to join different logs, we can get all the required events in one query and export it at once (without using /TXA:append option).

<QueryList>
  <Query Id="0">
    <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>

You can use Windows Event Viewer to create basic XML queries or edit them manually.

Save this query as a file (AppSys.xml).

Run eldbx as follows:

eldbx EXPORT /DBSERVER:localhost\SQLEXPRESS /DBNAME:Events /TABLE:SelectedEvents /QUERY:AppSys.xml

Database exporter will create SelectedEvents table, runs the query and copy all events that match query conditions to the table.

Let’s add Audit Failure Events from Security log on Host1 to this table:

Create XML query and save it as AF.xml

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>
  </Query>
</QueryList>

Run eldbx as follows:

eldbx EXPORT /DBSERVER:localhost\SQLEXPRESS /DBNAME:Events /TABLE:SelectedEvents /QUERY:AF.xml /TXA:append /HOST:Host1 /User:username /Password: password

Now you can run Event Log Explorer, connect the database and open exported tables.

facebooktwittergoogle_plusredditpinterestlinkedinmail

Using Event Log Explorer to access database events

Event Log Explorer 4.7 comes with new features to save events into SQL server database and load database events.

Saving events into a database gives you many advantages. You can consider event database as an event log backup. You can collect data from different computers in your network into one database and then use any reporting or analytical tools to create your own reports or carry out forensic analysis. You can view database events with Event Log Explorer like general Windows events, but Event Log Explorer uses power of SQL Server and deliver faster performance.

You should have Microsoft SQL Server 2008 or better or Microsoft SQL Server Express 2008 or better.

Event Log Explorer can use embedded into Windows Data Access Components (Windows DAC) to connect to SQL Server – it doesn’t require SQL Server Native Client. However, if you have Native Client installed, it will use it instead of Windows DAC.

Database connecting

To connect to the database, you should select Database -> Connect from the main menu.

Enter server instance name into database server. In most cases, you can enter the computer name of the database server. If you are connecting to SQL Server Express, use the computer name followed by \SQLEXPRESS.

Enable Use operating system authentication to connect using your Windows account. If your SQL server isn’t configured to support your Windows account, disable this option and enter SQL Server username and password.

Enter database name into Database name field. If you don’t have a database to store events, you can create it either with Event Log Explorer or with other tools.

If you want to create a database with Event Log Explorer, click Create new database button. Type server name and your credentials and click Connect button. Then type a new database name, fill in the database parameters and review the creation script. You can modify this script if you know what you do. Then click Create button to run the script and create the database.

Click Connect to connect the database.

Now you upload your events into database.

Saving events

Select Database -> Upload to table from the main menu.

Type table name in table name field

Enable option Export XML data if you want to get the most detailed information about event. Note that in this case, Event Log Explorer will extract XML information for each event and this may take a very, very long time. So, if you want to export XML data, we recommend using Event Log Database Export utility which comes with Event Log Explorer. I will describe this utility in another blog post.

Enable option Append if table exists if you want to add events to the existing table. In other case, if the table exists it will be overwritten.

Press OK to start uploading events.

Loading Events

To load events from the database table, select Database -> Load from table.

Select the required table from the list, then click OK.

Voila! Now you can work with the table as you work with a general event log.

Restrictions:

  1. Custom columns are not available for database events at the time
  2. Bookmarks are not available for database events at the time
  3. When filtering using regular expression (RegExp option), you cannot type the regular expression in PCRE format, you should type your regular expression as SQL Server LIKE template. E.g. if you want to find in description all events about DCOM error with the error code 298, you may type your template as
    %Unable to start a DCOM Server%298%

 facebooktwittergoogle_plusredditpinterestlinkedinmail

The fastest way to filter events by description

Filtering events by description is one of the most asked questions to us. Some time ago I wrote an article devoted to this problem.

Recently we had to check all events in the security log linked with a certain file (let’s say, it’s winword.exe, C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE). The easiest solution was to use Filter command and type file name in the “Text in description” line.

Filter by description

Commonly this works fine, but it scans all records in the log, forms event description for each event and looks for this phrase in the description. Forming event descriptions may require loading extra modules from the target computer (or a computer you designated as a description server) to load the description template. And although Event Log Explorer caches and reuses description templates, such filtering may take long time on large logs.

As a rule, security log stores file names, process names and other details in separate XML elements under  EventData and all these elements are named “Data”.

XML Record

So, we can make an XPath query to a log which compares each Data element with our search string. This query will look like:

*[EventData[Data="C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"]]

To apply this filter, open Security event log, select View->XML Query, type your XPath expression and click OK.

XPath Query Data Filter

It executes swiftly and doesn’t load network when connecting a remote computer.

But what about the other logs? Many Windows events doesn’t have EventData element, but have UserData (some events have DebugData, BinaryEventData, or ProcessingErrorData instead). UserData commonly has an extra level of XML elements, so to query event by UserData, we should use the following XPath request:

*[UserData[*[*="C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"]]]

And what if you want to check for the same file name in several logs, e.g. in Security, System and Application logs? It can be also done with one XML query:

<QueryList>
  <Query Id="0">
    <Select Path="Security">*[EventData[Data=
"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"]] or 
    *[UserData[*[*=
"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"]]]
    </Select>

    <Select Path="System">*[EventData[Data=
"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"]] or 
    *[UserData[*[*=
"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"]]]
    </Select>

    <Select Path="Application">*[EventData[Data=
"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"]] or 
    *[UserData[*[*=
"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"]]]
    </Select>
  </Query>
</QueryList>

Here is the result of this query on my machine:

XML Query result (3 logs)

Advantages of this method

Such XML query provides great performance and works not only with Event Log Explorer, but with Windows Event Viewer or other event log programs which support XML queries.

Some applications and services logs don’t display all the information about event in the description, but still store their details under UserData or EventData elements (I described one of such logs in this article). So, filtering by description won’t work for such events,  but the XPath queries will.

Limitations

Although this approach lets you filter quickly by description details, it is limited by XPath 1.0 implementation for event logs. E.g. you can use only 3 functions: “position”, “Band” (binary and) and “timediff”. Function “contains” is not supported, so it’s impossible to filter just by filename (winword.exe). If you need to filter just by file name, you should use general filter by description.

Can we do something to bypass these limitations? I think so. Filtering by description parameters during log loading stage (and without forming descriptions) should work faster than general filter by description and it will be more flexible than Xpath. But it would be really great if Microsoft extends XPath functionality for event logs.facebooktwittergoogle_plusredditpinterestlinkedinmail

Troubleshooting unplanned Windows automatic wake-ups

Whenever I finish working with my computer, I almost never power it off. Instead I send the computer into sleep or hibernate state. This saves lots of time at startup – I can easily continue working without reloading all the projects. However I discovered that recently my Windows 10 laptop started to wake up unexpectedly.  Such unplanned wake-ups can damage computers, e.g. if a laptop left on a sofa, its air vents can be blocked, which leads to overheating.

First, I thought that it’s a Windows automatic maintenance issue and I should look into it. Let’s check it out.

Open Windows Control Panel, Security and Maintenance, Maintenance:

Automatic-Maintenance

Well, it looks like Windows started scheduled maintenance at night and that was the reason for the issue. Click Change maintenance settings.

Schedule-Maintenance-Settings

That’s quite strange. The scheduled time is different from the last run time and wake-up option is not ticked (if this option is ticked on your computer, untick it or change the maintenance time).

So, we need to investigate the problem deeper and check event logs. Start Event Log Explorer and open System log on a local computer. We can set filter by Microsoft-Windows-Kernel-Power, event id = 107 to get resume from sleep events, but this is not a very good way. The event time is almost equal to the sleep time because Windows hasn’t synchronized its clock with the hardware clock yet. We can get the hardware (real) time from XML details of this event (ProgrammedWakeTimeAc or ProgrammedWakeTimeDc), but it’s written in UTC format, so you will have to convert it into your local time.

Fortunately, there is a better way to get sleep/wake-up details. Set filter by Source = Microsoft-Windows-Power-Troubleshooter.

Microsoft-Windows-Power-Troubleshooter-FIlter

Now we can see sleep/resume events in the list. And here is our event along with the reason for waking up. It is NT TASK\Microsoft\Windows\UpdateOrchestrator\Reboot scheduled task.

Power-events-filtered

Let’s find this task.

Run Windows Task Scheduler.

In the left pane browse for Task Scheduler Library\Microsoft\Windows\UpdateOrchestrator

Double click on Reboot in the right pane.

Switch to Condition tab and disable Wake the computer to run the task.

UpdateOrchestrator-Reboot-NoWakeup

That’s it.  Now the computer won’t wake up unexpectedly.

UPDATE

After several days, the problem came back. It appears that Windows modifies Reboot task on its own and enables Wake option. I found some discussions about this issue on Microsoft’s forums, but didn’t get a reasonable solution.

So, I’ve created my own tool: UpdateOrchestrator\Reboot fix.

This tiny program disables Wake option for Update Orchestrator\Reboot task. When you run it, it checks if this option enabled. If so, it switches it off. You should run it elevated or it will fail to update the task.

To run it on regular basis, just create a new task in Task Scheduler. I scheduled to run it every hour and it’s more than enough.

Don’t forget that the program must be run elevated. I scheduled to run it from SYSTEM account:

FixUpdateOrch-SYSTEM

The program is available at http://eventlogxp.com/download/utils/UpdateOrchFix.exe and it’s free for any usage.facebooktwittergoogle_plusredditpinterestlinkedinmail

Access event logs from Windows recovery mode

Sometimes this happens. Your computer stops booting correctly and needs to be fixed. Even safe mode doesn’t help. You don’t know the reason of the fault – it may be a hardware failure or a driver bug, but you don’t want to reinstall the operating system. There is a good chance that Windows logs may contain some useful information for troubleshooting. However, you cannot boot into the system to read the logs. What can you do?

As a rule, you can disconnect your hard drive, connect it to another computer and read event logs as files there. But sometimes it is impossible (e.g. your drive is unremovable, inaccessible or you don’t have another computer with the same connection interface).

You may try to start your PC with the recovery console and then use Command Prompt.

The easiest way to access recovery console on Windows 7 is:

  1. Remove all removable disks (CDs, DVDs) from your computer, power on your computer.
  2. Press and hold the F8 key as your computer starts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you need switch your PC off and restart it again.
    Windows 7 advanced boot options
  3. Select Repair Your Computer
    Windows 7 recovery options

Now you can click on Command Prompt. Voila, you may run Windows applications now!

You may get more information at
https://support.microsoft.com/en-us/help/17101/windows-7-system-recovery-options

Unfortunately, this approach commonly may fail with Windows 8 and Windows 10 (although it’s worth to try!). Please check this article which explains this issue:
https://blogs.msdn.microsoft.com/b8/2012/05/22/designing-for-pcs-that-boot-faster-than-ever-before/

To load into recovery console Microsoft suggests to boot your computer either with previously created recovery drive or use the installation media.
However I discovered that if you forcibly restart your computer several times when booting, Windows detects that something goes wrong and suggests to repair.
Windows didn't load correctly - repair options

Click “See advanced repair option”, then click Troubleshoot and then click “Advanced Options”.

On Advanced Options screen you can see different options to recover your PC, but since we decided to check logs first, select Command Prompt Option.

Now you are in.
Command Prompt

You may be surprised, but you will see X: drive in the command prompt.  This is a recovery drive and you can see it only in the recovery session.

Another surprise is that C: drive contains no data!

Your original C: drive would be probably drive D: now. You can check it by viewing its contents e.g. by typing
DIR D:\

Let’s try to view events. First we need to run Event Log Explorer. You may think that you can run Event Viewer, but Windows won’t be able to start neither eventvwr.exe nor eventvwr.msc.

If you have Event Log Explorer originally installed in C:\Program Files (x86)\Event Log Explorer, it’s now on D: drive and you can run it as follows:

“D:\Program Files (x86)\Event Log Explorer\elex.exe” (don’t forget to use double quotes or such paths).
event log explorer in recovery console

You can see a strange computer name in the tree and you will see no logs under this name. This happens because you are in recovery mode and Windows started in minimal configuration (eventlog service is disabled, Windows gives a random name to the PC).

However you can still access the original event logs as files. They are on the system drive in \Windows\System32\winevt\Logs\  folder.

So let’s try to open System log. It will be D:\Windows\System32\winevt\Logs\System.evtx file. You can use any open method – all of them should work correctly. I would recommend use New API since it’s a native method for modern Windows.
Viewing event files from recovery mode

Now you can explore your event logs and hopefully you will be able to locate and troubleshoot the problem.

 facebooktwittergoogle_plusredditpinterestlinkedinmail

Filtering all the way

You probably read in the documentation that Event Log Explorer provides 5 ways to filter events. In this article, I will try to explain when you should use one or the other way of filtering.

First, we can arrange filters on applying time:

  1. Pre-load filter. This filter applies to the event log before loading. Only the required events will be loaded.
  2. On-load filter. This filter applies to the event log at the loading stage. While loading, Event Log Explorer will check if an event fits the condition and filters event out.
  3. After-load. This filter applies to the event log after loading.

Pre-load filter is implemented as an XML structured query. Select View->XML Query from the main menu to set this filter. Like Windows Event Viewer you can use a full form of XML Query, but you can also use a short XPath expression. You can find more information about XML Queries at https://msdn.microsoft.com/en-us/library/windows/desktop/dd996910(v=vs.85).aspx

Pros: Works fast and relies on Windows Event Log service. Minimizes network traffic and memory consumption.

Cons: It’s easy to make mistakes when creating complex filters.

When to use: Use it mainly to create a base filter to filter inessential events out.

Example:

*[System[(Level=1  or Level=2 or Level=3)]]

XML filter

This filter displays only Warning, Error and Critical events.

On-load filter is implemented as log loading options feature. Use View->Log Loading Options to access Log Loading Options dialog. Alternatively you can enable default log loading options in Preferences.

Pros: Works fast, minimizes memory consumption.

Cons: Doesn’t filter by descriptions.

When to use: Like XML filter, you can use On-load filter as a base filter. I would recommend use this filter events by age. If you need to display a number of the latest events, On-load filter is the only option for you.

Example:

log loading filter

This filter displays events with Event ID between 4680 and 4689 registered within the last 7 days.

After-load filters are implemented as a general filter, linked filter and quick filters.

Select View->Filter to set a general filter or Advanced->Linked Event Filter to set a linked filter. You should use linked filters only for events that has one common field in event description. You can read more about linked filter usages in this article.

When using after-load filters, Event Log Explorer loads event first and then applies the filter. This gives you ability to reapply or remove filters to the originally loaded list of events. E.g. if you loaded a list from another computer and then this computer goes offline, you can still work with the log and filter events.

Pros: You can filter by virtually any criteria, including event description. You can reuse filters and manage filter library.

Cons: It doesn’t work as fast as pre-load or on-load filters because it loads all events first and then filters them. Consumes more memory than On-load filter.

When to use: You should use this filter whenever you are unable to use other filters (e.g. when you filter by descriptions) or when you need to apply different filters to the same event log.

Example:

general filter

This filter displays events with ID=4689 (process termination) for process name=chrome.exe

Quick filter is a special kind of after-load filter to refine events by a single criterion you can see on the screen. Just click right mouse button on a cell in the list view and use this cell as a template. After applying quick filter, you can continue applying quick filters – they will be applying altogether.

Pros: Easy to use and quick to apply. Non-persistent.

Cons: You can create only simple filters. Non-persistent.

As you can see, I attributed “Non-persistent” to both pros and cons. After each refresh of event log view or applying general or linked filters, Event Log Explorer resets quick filters. Sometimes it’s good because quick filters are commonly used to display specific data just for a short time, but sometimes users may want to keep filtered data between refreshes or event between Event Log Explorer sessions.

When to use: We recommend using quick filters when you browse events, find an interesting event and you want to check the other occurrences of this event.

quick filter

This filter displays events with EventID = 1001

Combining filters

All these filters work independently, so you can combine them. E.g. you can filter out informational events using XML query (   *[System[(Level  != 0 and Level  != 4)  ]]   ). Then you can set on-load filter by a specific event source, e.g. Microsoft Antimalware. Then using general filter you can filter by event description, specifying path to a file as a filter criterion. And finally, you apply quick filters using event date to view how many events of such a kind was recorded in the log.facebooktwittergoogle_plusredditpinterestlinkedinmail

Saving event logs to one event log file

When working with event logs, you may find that you have dozens of saved event log files, which you need to review sometimes. And it’s annoying to open each log to check it. Of course, you can open all these files at once (“Open log file” dialog lets you open multiple files) or you can just drag your files from Windows Explorer into Event Log Explorer window. But if you check these log files regularly, it is better to have a single file that contains all the events from these saved event logs. Windows utilities (Event Viewer, wevtutil.exe) don’t let you save (backup) several event logs in one file. As a workaround, you can configure forwarding and collecting events into one log, but in this case, it will collect only new events.

How Event Log Explorer may help you

First, you should merge different event logs in one view. It doesn’t matter whether these logs belong to one computer or to different PCs, domain or workgroup members. You can even mix event logs from Windows XP machines with Windows 10. Or you can merge saved event log files (or mix files with live event logs). To merge event logs, just open any of them, and then right click on the other logs in the tree and select Merge with Current View. If you want to merge files, you should select File->Merge Log File from the main menu. When logs are merged, you can see an icon with stack of logs merged event log view. If you hover mouse over this icon, you will see log names in the merged view.

Now you can save this log view to a file. Although you cannot do backup (due to Windows restrictions), you can simply save the event view to file. However, Event Log Explorer has allows you to save the event view as EVT file. Select File->Save Log As->Save Displayed Events. Moreover, unlike backup you can even filter merged event log before saving. Note that this option lets you save event log view only as EVT log file. It cannot save it in EVTX format. Now you can open this one saved event log and view events from different sources.facebooktwittergoogle_plusredditpinterestlinkedinmail

Process tracking with Event Log Explorer

When performing forensic analysis or system audit activities, you may want to track what programs ran on the investigated computers. Windows security auditing lets you enable process tracking and monitor process creation and process termination. To enable process auditing you should use Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc). You should configure Security Settings -> Audit Policy -> Audit Process Tracking or use Advanced Audit Policy Configuration -> System Audit Policy -> Detailed Tracking. After enabling process auditing, Windows will register the following events in Security log:

4688 – A new process has been created.
4689 – A process has exited.

Let’s check what events generated when we run an application. I will run Event Log Explorer (elex.exe) for test. Running this application generates a number of events. First, as expected, event 4688 was registered in Security log:

A new process has been created.
Subject:
            Security ID:                  S-1-5-21-1388294503-2733603710-2753204785-1000
            Account Name:                 Michael
            Account Domain:               MIKE-HP
            Logon ID:                     000332DD

Process Information:
            New Process ID:               0000254C
            New Process Name:             C:\Program Files (x86)\Event Log Explorer\elex.exe
            Token Elevation Type:         TokenElevationTypeLimited (3)
            Creator Process ID:           00001010
            Process Command Line:

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

However, the next event (event id 4689) shows that this process has exit immediately:

A process has exited.

Subject:
            Security ID:              S-1-5-21-1388294503-2733603710-2753204785-1000
            Account Name:             Michael
            Account Domain:           MIKE-HP
            Logon ID:                 000332DD

Process Information:
            Process ID:               0000254C
            Process Name:             C:\Program Files (x86)\Event Log Explorer\elex.exe
            Exit Status:              C000042C

Let’s explore fields in the event descriptions. Subject group is quite clear. Just pay attention to Logon ID – using this ID you can link these events with event 4624 (account logon, New Logon\Logon ID). Process Information group is more interesting for process tracking.

New Process ID (Process ID for 4689 event) defines the ID of Windows process (created or terminated). Note that it is in hexadecimal format, so you need to match with process IDs in Task Manager or other programs, you need to convert it into decimal value.

New Process Name (Process Name) the full path to the executable.

Token Elevation Type defines how the process runs under UAC (User Account Control). Token Elevation Types are described in the event description. “1” means that UAC is disabled (set to Never Notify) or your run the program from Administrator account or a service account (e.g. when system services start, they will register 4688 event with elevation type = 1). “2” means that the user ran the process elevated. This happens when the program manifests itself to run elevated or the user explicitly ran the program using Run as Administrator option. “3” means that the process has been ran without elevation.

Creator Process ID defines a process ID of the process that started this new process. Note that it is in hexadecimal format as well as New Process ID.

Process Command Line defines a command line used to start the process. It includes the full path to the executable along with command line parameters. By default, Process Command Line is empty (because it may contains sensitive data like passwords). To enable command line logging you should enable policy “Include command line in process creation events”. This policy is available at Administrative Templates -> System -> Audit Process Creation.

Exist status (in event 4689) – the process exit code. Zero value commonly means that the process has exited normally.

In my example we can see that elex.exe has been terminated immediately after start with exit code C000042C. This code indicates that the process required elevation. Why this happens. The program (elex.exe) is designed to run elevated. When I started it by clicking on its icon, Windows tried to run it first and only then detected the program requires elevation. That’s why it terminated current instance.

What’s next? The next event is 4688 and Windows starts consent.exe process. This program displays Window UAC dialog and prompts the user for permissions to run our program elevated. Then (if the user accepts elevation) Windows starts dllhost.exe process (event 4688) to provide running COM+ components, terminates consent.exe (event 4689) and at last starts elex.exe (event 4688 with Token Elevation Type = 2). This means that we can ignore processes that terminated immediately with exist status of C000042C and when tracking the processes, I would recommend to exclude the helper processes like consent.exe, dllhost.exe, conhost.exe, svchost.exe, taskhost.exe.

If I start the program  using “Run as administrator” option, Windows will not register first run/exit events, but register all the rest events (consent, dllhost, and elevated elex.exe).

Let’s practice

First we should filter Security log by event id = 4688, 4689. I will use Log Loading filter – but you can use general filter instead.

process-tracking-filter-4688-4689

Now we can display process name (path to the executable) in the list as custom columns. I will add 2 custom columns – Process started and Process Terminated.

process-tracking-custom-column

Let’s remove helper processes from the list. We can filter by description parameters:

 Process Information\Process Name  does not contain host.exe
 Process Information\New Process Name  does not contain host.exe
 Process Information\Process Name  does not contain consent.exe
 Process Information\New Process Name  does not contain consent.exe

process-tracking-filter-helper

Now we can see the result:

process-tracking-result

Windows 10

Windows 10 (and forthcoming Windows 2016) comes with modified details of event 4688. The most significant addition is that the event description contains Creator Process Name field. It defines the name of the process that started this new process.facebooktwittergoogle_plusredditpinterestlinkedinmail