Event logs are an integral part of the Windows operating system, designed to record significant events and activities that occur on a computer. These logs contain a wealth of information about the system's behavior, including error messages, warnings, and informational events. Event logs are crucial for troubleshooting issues, monitoring system health, and analyzing security events.
Windows Event Viewer:
Events can be viewed either from the command line with PowerShell or with the graphical Event Viewer. To open the latter, type "Event Viewer" into the Start menu and launch it. Upon opening the Event Viewer, you will find several categories of event providers:
- Custom Views are customizable collections of events that can be created to consolidate various events into a single location.
- The Windows Logs category encompasses events originating from the system itself and is considered highly significant.
- Applications and Services Logs consist of events from a wide range of sources, including both Microsoft and third-party applications and services.
In the Applications and Services Logs categories, you'll discover a diverse range of applications and security providers. When you click on a specific provider, its associated events will be displayed in a list in the middle section of the Event Viewer. However, since event lists can be overwhelming, it is advisable to utilize the "Filter Current Log..." button located on the right side to narrow down the log to your desired criteria. If needed, the applied filter can be easily cleared using the "Clear Filter..." button.
In the event log, there are specific events known as password change events, identifiable by event IDs 4723 and 4724. These events are generated whenever an account's password is modified. To locate such security-related events, including password change events, you can navigate to the Windows Logs section and select the Security log.
Given the large number of events present, manually searching through them can be overwhelming. Therefore, it is recommended to create a filter for the event IDs using the "Filter Current Log..." button located in the right sidebar. By applying this filter, you can focus specifically on the events related to password changes, making it easier to analyze and review the relevant information.
Event ID 4720 is associated with the User Account creation event, which is triggered whenever a new account is created. This event is valuable for identifying the creator of the account and the timestamp of its creation. Considering the numerous events in the log that share this ID, it becomes necessary to apply a more specific filter to refine the search.
User Added to Group:
Several events (4728, 4732, and 4756) are also generated when a user is added to a group.
Windows Firewall events provide visibility into modifications made to the firewall settings, such as permitting network access to a new service or altering the ports allowing inbound connections. These events are particularly useful for investigating any misconfigurations or unauthorized changes to the firewall.
Unlike other events, Windows Firewall events are associated with an application log provider and are not found in the Windows Logs category. To access these events, navigate to Applications and Services Logs -> Microsoft -> Windows -> Windows Firewall With Advanced Security -> Firewall. By examining the events in this location, you can gain insights into the changes made to the Windows Firewall and identify any potential issues or unauthorized modifications that may have occurred.
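The same filtering the article performs through "Filter Current Log..." can be scripted with Get-WinEvent. The following is an added example (not code from the original article) that pulls the account-management events discussed above from the Security log and then lists recent entries from the firewall log; it assumes an elevated PowerShell session, and the firewall log name is taken from the Event Viewer path given above (confirm it locally with Get-WinEvent -ListLog).

```powershell
# Added example: query the events the article describes with Get-WinEvent.
# Assumes an elevated session (reading the Security log requires administrator rights).

# Event IDs discussed above, with the description Event Viewer shows for each.
$AccountEvents = @{
    4720 = 'User account created'
    4723 = 'Password change attempted'
    4724 = 'Password reset attempted'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
}

# Equivalent of "Filter Current Log..." on the Security log: these IDs, last 7 days.
$filter = @{
    LogName   = 'Security'
    Id        = [int[]]$AccountEvents.Keys
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull the fields an analyst wants from the event XML: who acted and on which account/group.
$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        What    = $AccountEvents[$_.Id]
        Subject = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        # Group-membership events carry the added member in MemberName; the others name the target account.
        Target  = if ($data.MemberName) { $data.MemberName } else { "$($data.TargetDomainName)\$($data.TargetUserName)" }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize

# Firewall changes live under the provider path the article gives, not under Windows Logs.
# Log name assumed from that path; verify with: Get-WinEvent -ListLog '*Firewall*'
$fwLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
Get-WinEvent -FilterHashtable @{ LogName = $fwLog; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message -First 20 | Format-Table -Wrap
```

Get-WinEvent raises a non-terminating error when no events match a filter; -ErrorAction SilentlyContinue simply yields an empty result in that case.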
By default, events related to the registry are not logged in the event log. However, it is possible to enable logging for these events through the Local Security Policy.
To access the Local Security Policy, you can find it in the Start menu and navigate to the Local Policies -> Audit Policy section. Within this section, you have the option to enable auditing for object access, which includes logging events for the registry, along with other resources.
Enabling this setting allows you to capture and monitor events related to the registry for better security and troubleshooting purposes.
Event logs in Windows play a critical role in monitoring, troubleshooting, and maintaining the health and security of the operating system. With different categories such as Application Log, Security Log, System Log, Setup Log, and Forwarded Events Log, event logs provide a wealth of information about system behavior, errors, warnings, and security-related events.