# Windows Event Logs

Each log is stored in a separate file; the path of each file is specified under the registry key

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
```

## Windows XP, Windows Server 2003, and prior operating systems

The default event log paths are

### Application

```
%SYSTEMROOT%\System32\Config\AppEvent.Evt
```

### System

```
%SYSTEMROOT%\System32\Config\SysEvent.Evt
```

### Security

```
%SYSTEMROOT%\System32\Config\SecEvent.Evt
```

## Windows Vista and above

The .evt format was replaced by a new binary XML-based format with the extension .evtx. The default paths are:

### Application

```
%SYSTEMROOT%\System32\Winevt\Logs\Application.evtx
```

### System

```
%SYSTEMROOT%\System32\Winevt\Logs\System.evtx
```

### Security

```
%SYSTEMROOT%\System32\Winevt\Logs\Security.evtx
```

![An example of event log](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-M56BPaF9r7edEk2BWGy%2F-M56BRpuF0L0z8Zs2S8w%2FEvent%20log.png?generation=1587111121363120\&alt=media)

#### User Name

The account used to log on.

#### Domain

The domain associated with the user name. If the user name is a local account, this field will contain the system’s host name.

#### Logon ID

A unique session identifier. You can use this value as a search term or filter to find all event log entries associated with this specific logon session.

#### Logon Type

A code referencing the type of logon initiated by the user. The following table provides further detail on the Logon Type field and its possible values:

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-M56BPaF9r7edEk2BWGy%2F-M56BRpxk5Y0NL4Erax7%2Flogon_type.png?generation=1587111121533890\&alt=media)

Here is a brief description of each type:

#### Interactive

The user logged on from the console (for example, from the host machine’s keyboard), via the RunAs command, or from a hardware-based remote access solution (such as KVM).

#### Network

The user logged on over the network. Mounting a share through the “net use” command or logging on to a web server via IIS integrated authentication are both examples of activity that would generate a Network logon.

#### Batch

The logon session generated by a scheduled task.

#### Service

The Windows service logged on using its configured credentials.

#### Proxy

Microsoft defines this as “a proxy-type logon.” We have yet to see this type of event in the wild, or any documentation explaining how it may be generated.

## Analysis of Logs

* Collect logs from the directory `%SYSTEMROOT%\System32\winevt\Logs` (normally `C:\Windows\System32\winevt\Logs`); on a live system the Event Log service holds these files open, so take them from a forensic image or volume shadow copy, or export them as in the next step

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MehKVYWtfDBrLOM2wnn%2F-MehKayMlj1Nwl29dWhE%2Fimage.png?alt=media\&token=bd3e0b13-1997-4e91-ab09-e027d7939eb5)

* Export the .evtx file of interest (on a running system, Event Viewer's "Save All Events As" or `wevtutil epl` writes an exported copy)
* Analyse the exported log in an event viewer (the built-in Event Viewer, or a third-party one such as Event Log Explorer)

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MehKVYWtfDBrLOM2wnn%2F-MehKhdyEPhz4ruTh6E8%2Fimage.png?alt=media\&token=311557d4-d9fd-40a7-b685-489ca9ba98bc)

* Or parse the files with an event log parser such as **EvtxECmd.exe**, which writes CSV (or JSON) output that spreadsheet tools can open

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MehKVYWtfDBrLOM2wnn%2F-MehKmLtPMBzGNrdVArU%2Fimage.png?alt=media\&token=383d810f-a03f-4c51-87b5-642555a8f7fa)

* Then review the output in Excel or a similar spreadsheet-style tool (e.g. Timeline Explorer)

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MehKVYWtfDBrLOM2wnn%2F-MehKrMHR2yT1zOSAepO%2Fimage.png?alt=media\&token=acbf433e-25b2-44f3-bc88-23562bb7e713)
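The script below is an added example, not code from the original page. It ties together the field descriptions above (User Name, Domain, Logon ID, Logon Type) and the analysis steps in this section: it takes Security events in the XML shape that Event Viewer's XML view or `wevtutil qe Security /f:xml` emits (an exported file can be queried the same way with `/lf:true`), extracts those fields from 4624 logon events, names the Logon Type using Microsoft's documented code table, applies the rule that a local account's Domain equals the host name, and uses the Logon ID as the join key to pair each 4624 with its 4634 logoff so that sessions can be timelined. The three records are constructed sample data, and the function names (`parse_event`, `build_sessions`, `summarize`) are this example's own.

```python
"""Added example: pull User Name / Domain / Logon ID / Logon Type out of
XML-rendered Security events and rebuild logon sessions by joining on Logon ID.

The XML shape is what Event Viewer's XML view or `wevtutil qe ... /f:xml`
emits; the three records at the bottom are constructed sample data, not real logs."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon type codes for event 4624 as documented by Microsoft (6, Proxy, is unused in practice).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 6: "Proxy",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}


def parse_time(system_time):
    """SystemTime has 100 ns resolution (7 fractional digits); trim to microseconds (UTC)."""
    base, _, frac = system_time.rstrip("Z").partition(".")
    return datetime.strptime(f"{base}.{(frac + '000000')[:6]}", "%Y-%m-%dT%H:%M:%S.%f")


def parse_event(xml_text):
    """Return the System fields we need plus every <Data Name=...> value from EventData."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "Time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text
    return event


def build_sessions(events):
    """Join 4624 (logon) to 4634 (logoff) on TargetLogonId, i.e. the Logon ID field."""
    events = list(events)
    sessions = {}
    for ev in events:
        if ev["EventID"] != 4624:
            continue
        domain, host = ev["TargetDomainName"], ev["Computer"].split(".")[0]
        logon_type = int(ev["LogonType"])
        sessions[ev["TargetLogonId"]] = {
            "logon_id": ev["TargetLogonId"],
            "user": ev["TargetUserName"],
            "domain": domain,
            # Domain equals the host name when the account is local rather than a domain account.
            "local_account": domain.upper() == host.upper(),
            "logon_type": logon_type,
            "logon_type_name": LOGON_TYPES.get(logon_type, "Unknown"),
            "source_ip": ev.get("IpAddress"),
            "start": ev["Time"],
            "end": None,
        }
    for ev in events:
        if ev["EventID"] == 4634 and ev["TargetLogonId"] in sessions:
            sessions[ev["TargetLogonId"]]["end"] = ev["Time"]
    return sessions


def summarize(sessions):
    """One row per session ordered by logon time; a session with no 4634 yet is still active."""
    rows = []
    for s in sorted(sessions.values(), key=lambda s: s["start"]):
        duration = None if s["end"] is None else round((s["end"] - s["start"]).total_seconds())
        rows.append({**s, "duration_s": duration, "active": s["end"] is None})
    return rows


def _sample_event(event_id, system_time, data):
    """Constructed record in the Event Viewer XML shape (sample data only)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f"<EventID>{event_id}</EventID><Channel>Security</Channel>"
        f'<TimeCreated SystemTime="{system_time}"/><Computer>WS01.corp.example</Computer></System>'
        f"<EventData>{body}</EventData></Event>"
    )


SAMPLE_EVENTS = [
    _sample_event(4624, "2021-03-01T10:15:30.1234567Z", {
        "TargetUserName": "alice", "TargetDomainName": "CORP",
        "TargetLogonId": "0x1a2b3c", "LogonType": "3", "IpAddress": "10.0.0.5"}),
    _sample_event(4624, "2021-03-01T10:20:00.0000000Z", {
        "TargetUserName": "Administrator", "TargetDomainName": "WS01",
        "TargetLogonId": "0x5e6f70", "LogonType": "10", "IpAddress": "203.0.113.7"}),
    _sample_event(4634, "2021-03-01T10:45:30.0000000Z", {
        "TargetUserName": "alice", "TargetDomainName": "CORP",
        "TargetLogonId": "0x1a2b3c", "LogonType": "3"}),
]

if __name__ == "__main__":
    for row in summarize(build_sessions(parse_event(x) for x in SAMPLE_EVENTS)):
        print(row)
```

The rows that `summarize` returns are the same shape an analyst would drop into Timeline Explorer: the alice session is a Network logon (type 3) from 10.0.0.5 lasting about 30 minutes, while the local Administrator session is a RemoteInteractive logon (type 10) with no matching 4634, so it is still open at the end of the sample. Real logs can contain a 4634 whose 4624 fell outside the collected window, which is why the join ignores logoffs with no known Logon ID instead of failing.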
