Sometimes you may need to display who logons your server except for the authenticated domain users. It could be authenticated users from the trusted domain, local users, system services, etc. First, we define that we will filter the Security log by Event Id = 4624 (as we did before). The event description of this event looks like An account was successfully logged on. Subject: … Read More »
When performing forensic analysis or system audit activities, you may want to track what programs ran on the investigated computers. Windows security auditing lets you enable process tracking and monitor process creation and process termination. To enable process auditing you should use Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc). You should configure Security Settings -> Audit Policy -> Audit Process Tracking or use… Read More »
A key instrument for event logs analysis is the function of event filtering. All known event log analysis tools have filtering feature, and I suppose, it is the most demanded feature of these applications. Setting filter for the most of event fields is easy. As a rule, all the event log applications let you filter by timeframe, event level, source, event IDs, users or computers… Read More »
In my previous post, I explained how to display logon type for logon events in Security log and described meaning of some values. Here I will give you more information about logon types. The descriptions of some events (4624, 4625) in Security log commonly contain some information about “logon type”, but it is too brief: The logon type field indicates the kind of logon that occurred.… Read More »
One of the most important tasks in the security event log analysis is to find out who or what logs your system on. Here I will explain how Event Log Explorer helps you to solve this task. First, you need to make sure that Windows security auditing is enabled for logon events. You can do this using Local Security Policy or Group Policy, depending on… Read More »