Why does Windows XP generate so many logon failure events?

I got the question last week, why there are so many logon failure events on Windows XP when it is not domain joined. The short answer is, by design.  (Yes, bad design.) The longer answer is that the shell team is working around the fact that there is no “tell me if this user account…


List of Windows Server 2003 Events

So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published “Security Event Descriptions“.  This article was the “schema” so to speak, for the Windows NT 4.0 security event log events. Technically Windows events are not schematized until Windows Vista; or put another way the schema is implicit based…


German court bans retention of logged IP addresses

A German court has ruled that a government web site may not retain IP addresses and other personally identifiable information (PII) in their logs for any longer than the user is actually using the site. The judges pointed out that in many cases it was simple to map an IP address to an identity with…


Ensuring that there’s no useful data in your logs…

As I wrote about earlier, TorrentSpy, a file-sharing search engine, was ordered by a U.S. magistrate to enable logging on its servers and to subsequently make those logs available to the MPAA, the plaintiff in an illegal file-sharing lawsuit against TorrentSpy.  They have lost their appeals and as a result have decided to block US…


Voting Machine Logs + e-Government Laws = No Secrets When Voting

Researchers in the state of Ohio in the United States have discovered that by analyzing the logs produced (by law) from e-voting machines used in certain counties, they can determine the vote(s) each voter made.  Further, the logs, by law, must be produced on demand, as part of our open elections process. I haven’t read…


Help! Someone has deleted events from my Windows event log!

From time to time I hear this, and it usually turns out not to be the case. I’ll begin with a little background.First, The eventlog service does not have (and never did have) any public or private API to delete individual events- there is a log clear API but nothing else.  The eventlog team thought…


EZ-Pass Logs Used in Divorce Cases

This one kind of speaks for itself.  I guess this is more of a privacy issue than a logging issue.http://www.msnbc.msn.com/id/20216302/ [Edited 2010-08-06 by EricF- fixing broken link]


Documentation on the Windows Vista and Windows Server 2008 Security Events

I’m hearing lots of complaints that we don’t have KB articles on these yet.  Doriansoft has a blog post complaining that the “add 4096” rule doesn’t work because we collapsed the logon events into a single success event and failure event (from 2 success events [528, 540] and 10 failure events [529-537, 539]). Well, In Vista…


United Kingdom passes EC telecom-logging legislation

To comply with EC telecommunications logging directives (as other EU nations recently have), the UK has passed a law that starting October 1 telecommunications firms must generate and retain logs of landline and mobile communications for one year. http://www.out-law.com/page-8332http://www.jisclegal.ac.uk/publications/dataretention.htm VoIP calls are not covered by the new law.