XPath to generate a list of NTLM authentications on Windows Vista or Later

Hi Everyone, Sas sent me an email complaining that I am not posting as often as I should; sorry about that. I am working on a different project now, but I am still in close touch with the auditing team and I’ll try to do better. Anyway, a question that I hear regularly is, “how…


Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+

I’ve written twice (here and here) about the relationship between the “old” event IDs (5xx-6xx) in WS03 and earlier versions of Windows and the “new” security event IDs (4xxx-5xxx) in Vista and beyond. In short, EventID(WS03) + 4096 = EventID(WS08) for almost all security events in WS03. The exceptions are the logon events. The logon…


WEvtUtil Scripting

If you haven’t used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008, you’re missing out. The new tool makes getting events out of the log pretty easy, but the main thing is that it doesn’t suffer from any of the drawbacks around getting field delimiting correct. The tool’s command to query…


Windows Server 2008 Security Events Posted

Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference. Check it out in the Knowledge Base. Even better, they documented all the events in spreadsheet format, and that’s propagating to the Microsoft Download Center. I’ll publish the link when it’s online…


Shameless Self-Promotion

There’s one topic that I know is on everyone’s mind (no, not American Idol): “What’s new in Auditing in Windows Server 2008?” Well, funny that you brought that up. My friend Jesper Johansson just wrote a new book, the Windows Server 2008 Security Resource Kit, and he invited me to write a chapter about…


ACS Event Transformation Demystified

I’ve decided to start dumping my knowledge of ACS for posterity’s sake. My first installment is here, and it’s an excerpt from an external email I put together which describes how event transformation works on ACS. Transformation is performed on the agent (using instructions provided at connect time by the collector) and on the collector. …


ACS Tidbits

Well, there has been a lot happening on my old project, ACS (Audit Collection Services, a feature of System Center Operations Manager 2007). Two more of our partners, Enterprise Certified and NetPro, have released compliance solutions on top of ACS. Another of our partners with ACS-based compliance solutions, SecureVantage, has started a new blog where ACS is…


List of Windows Server 2003 Events

So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published “Security Event Descriptions”. This article was the “schema”, so to speak, for the Windows NT 4.0 security event log events. Technically, Windows events were not schematized until Windows Vista; or, put another way, the schema is implicit, based…


Help! Someone has deleted events from my Windows event log!

From time to time I hear this, and it usually turns out not to be the case. I’ll begin with a little background. First, the eventlog service does not have (and never did have) any public or private API to delete individual events; there is a log clear API but nothing else. The eventlog team thought…


Documentation on the Windows Vista and Windows Server 2008 Security Events

I’m hearing lots of complaints that we don’t have KB articles on these yet. Doriansoft has a blog post complaining that the “add 4096” rule doesn’t work because we collapsed the logon events into a single success event and a single failure event (from 2 success events [528, 540] and 10 failure events [529-537, 539]). Well, in Vista…