- keywords1 - Powershell script to list all eventlog keywords and the resulting list (from Win10 Pro version 1803)
- keywords2 - Powershell script to list all event specific generated keywords and sample list (from the Win10 Pro version 1803 "Microsoft-Windows-PushNotifications-Platform" event provider)
- OpCodes - Powershell script to list all OpCodes, their Name & DisplayName for AllEvent providers, and 2 csv lists
- 'Task Categories' - Powershell script to list all Task Categories, their Name & DisplayName for AllEvent providers. Full csv list here.
-
Win 10 Microsoft-Windows-Partition/Diagnostic EventID: 1006 parser - PowerShell script to read a live or offline Microsoft-Windows-Partition/Diagnostic.evtx log and list all the EventID: 1006 entries in a window. Selected rows are saved in a comma separated file (csv). This log has 71 fields with diagnostic information for all Storage Devices (including USB and virtual drives like vhd/vhdxs or images mounted with Arsenal Image Mounter). Among them, the MBR or VBR:
VBR0 entry (size & bytes) of a USB stick:
VBR above saved & opened with Active Disk Editor
Mbr log entry (copy/pasted to HxD)
GPT Partition table entry of same drive in Active Disk Editor
-
Win 10 Microsoft-Windows-Kernel-PnP parser - PowerShell script to read a live or offline Microsoft-Windows-Kernel-PnP/Configuration.evtx log and list all the entries. Should also work from Win7 onwards.
-
Win 10 Microsoft-Windows-PowerShell parser - PowerShell script to read a live or offline Microsoft-Windows-PowerShell/Operational.evtx log and list all the entries. Should also work from Win7 onwards. Curiously, Powershell script execution is not recorded - just console startups. Only Powershell ISE script execution.
- Event ID: 40961 - PowerShell console is starting up
- Event ID: 40962 - PowerShell console is ready for user input
- Event ID: 40962 - Windows PowerShell ISE has started to run script XXX
-
Win 10 Microsoft-Windows-VolumeSnapshot-Driver parser - PowerShell script to read a live or offline Microsoft-Windows-VolumeSnapshot-Driver/Operational.evtx log and list all the entries. Should also work from Win7 onwards. (Exploring Volume Shadow (VSS) snapshots (pdf))
- Win 10 Microsoft-Windows-VHDMP-Operational parser - PowerShell script to read a live or offline Microsoft-Windows-VHDMP-Operational.evtx log and list all the entries. (Supports Event IDs: 1,2,50,51)
- Win 10 Security EventID: 4688 parser - PowerShell script to read a live or offline security.evtx log and list all the EventID: 4688 entries (A new process has been created) .
- Win 10 Security EventID: 4634/4747 parser - PowerShell script to read a live or offline security.evtx log and list all the EventID: 4624 (An account was successfully logged on), EventID: 4634 (An account was logged off) and EventID: 4647 (User initiated logoff) entries in a window.
- Win 10 Security EventID: 4634/4747 parser - PowerShell script to read a live or offline security.evtx log and list all the EventID: 4634 (An account was logged off) and EventID: 4647 (User initiated logoff) entries in a window. The main difference between “4647: User initiated logoff.” and 4634 event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists.
- Win 10 Security EventID: 4624 parser - PowerShell script to read a live or offline security.evtx log and list all the EventID: 4624 entries (An account was successfully logged on) in a window.
- Win 10 Security EventID: 4648 parser - PowerShell script to read a live or offline security.evtx log and list all the EventID: 4648 entries (A logon was attempted using explicit credentials) in a window.
Win 10/11 System.evtx EventIDs: 1,12,13,24,20,238 'Microsoft-Windows-Kernel (General & Boot)' parser
-
Win 10/11 System.evtx EventIDs: 1,12,13,24,20,238 parser - PowerShell script to list Windows Start-Up/Shutdown & Timechange events.
-
Win 10 Security EventID: 4616 & System EventID: 1 parser - PowerShell script to read both security.evtx and system.evtx logs from a live or offline Win 10 PC, and list all the EventID:1 and EventID: 4616 entries (The system time was changed) in a window. Selected rows are saved in a comma separated file (csv).
The script (needs to be executed from an Administrator console).
- Event Providers (type the following in a powershell prompt to see the event template):
-
"Microsoft-Windows-Kernel-General" (ID: 1)
(Get-WinEvent -ListProvider "Microsoft-Windows-Kernel-General").Events|Where-Object {$_.Id -eq 1}
- Event Reason Nr#:
1 = An application or system component changed the time
2 = System time synchronized with the hardware clock
3 = System time adjusted to the new time zone
- Event Reason Nr#:
-
Event Provider Task Descriptions:
(Get-WinEvent -Listprovider 'Microsoft-Windows-Kernel-General' -ErrorAction SilentlyContinue).Tasks
Example of the above:
-
"Microsoft-Windows-Security-Auditing" (ID: 4616)
(Get-WinEvent -ListProvider "Microsoft-Windows-Security-Auditing").Events|Where-Object {$_.Id -eq 4616}
-
- Event Providers (type the following in a powershell prompt to see the event template):
- Win 10 Microsoft-Windows-Winlogon parser - PowerShell script to read a live or offline Microsoft-Windows-Winlogon/Operational.evtx log and list all the relevant entries in a window.
-
Win 10 Security EventID: 4616 parser - PowerShell script to read a live or offline security.evtx log and list all the EventID: 4616 entries (The system time was changed) in a window. Selected rows are saved in a comma separated file (csv).
The script (needs to be executed from an Administrator console) will parse the following information for any 4616 event ID:
-
Field Description Time Created DateTime the event was recorded EventID Record ID of the Event PID Process ID ThreadID Thread ID User Name UserName associated with the event SID Security descriptor Domain Name Domain Name New Time New Time Previous Time Previous Time Change Difference between New and Previous times Process Name The process that initiated the Time change -
tzutil /l
: List timezones -
Finding Advanced Attacks and Malware With Only 6 Windows EventID’s (pdf)
-
Windows Security Audit Events with message schema spreadsheet from Microsoft.
eof
Note: Old Windows event IDs can be converted to new event IDs by adding 4096 to the Event ID
eg: 528 (Successful Logon) + 4096 = 4624
- To Do:
- [X] [List all event log *'keywords'*](keywords.md)
- [X] [List all eventlog-generated *'keywords'*](keywords2.md)
- [X] List all [OpCodes](OpCodes.md)
- [X] List all [Task Categories](https://github.com/kacos2000/Win10/blob/master/EventLogs/Listprovider_Task_Categories.csv)
- [X] Parse EventID 4616
- [X] Parse EventID 4624/4634/4647 together
- [X] Parse EventIDs 4624/4528/4540 (Audit Logon = Success & Failure)
- [X] Parse EventIDs 4634/4647 (An account was logged off/User initiated logoff)
- [X] Parse Microsoft-Windows-Winlogon/Operational.evtx
- [X] Check / Parse EventID 4625
- [X] Check / Parse EventID 4648
- [ ] Check / Parse EventIDs 4663/4567 (Audit File System = Success, (Audit Registry = Success ))
- [ ] Check / Parse EventID 4675
- [X] Check / Parse EventID 4688 (Audit Process Creation = Success)
- [ ] Check / Parse EventID [4720](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720)): A user account was created
- [ ] Check / Parse EventID [4726](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726)): A user account was deleted
- [ ] Check / Parse EventIDs 5140/5560 (Audit File Share = Success )
- [ ] Check / Parse EventID 5156 (Audit Filtering Platform Connection = Success)
- [ ] Check / Parse EventIDs 7045/7040
- [ ] ~~Correlate entries in EventIDs 4616, 4624, 4688 etc~~
- [X] [Parse EventLog Microsoft-Windows-PushNotification-Platform/Operational.evtx](https://github.com/kacos2000/Win10/blob/master/Notifications/wpn.ps1)
- [X] Parse Microsoft-Windows-Kernel-PnP/Configuration.evtx
- [X] Parse Microsoft-Windows-VolumeSnapshot-Driver/Operational.evtx
- [X] Parse Microsoft-Windows-VHDMP-Operational.evtx
- [X] Parse Microsoft-Windows-PowerShell/Operational.evtx
- [X] Check /Parse EventID 1006 of Microsoft-Windows-Partition/Diagnostic.evtx [(USB Device Tracking ..)](https://df-stream.com/2018/07/partition-diagnostic-event-log-and-usb-device-tracking-p2/)