# Windows Event Logs

Each log is stored in a separate file. The path of each file is configured under the registry key below, where every log has its own subkey (for example `Application`, `Security`, `System`) and the `File` value of that subkey holds the path, so this key is also where to look for logs that have been relocated or for custom logs added by applications.

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
```

## Windows XP, Windows Server 2003, and prior operating systems

The default event log paths are

### Application

```
%SYSTEMROOT%\System32\Config\AppEvent.Evt
```

### System

```
%SYSTEMROOT%\System32\Config\SysEvent.Evt
```

### Security

```
%SYSTEMROOT%\System32\Config\SecEvent.Evt
```

## Windows Vista and above

The EVT format was replaced by a new binary XML format with the extension .evtx. Event Viewer renders each record as XML, but the file on disk is binary, so it needs a parser that understands the format rather than a text editor. The default paths are:

### Application

```
%SYSTEMROOT%\System32\Winevt\Logs\Application.evtx
```

### System

```
%SYSTEMROOT%\System32\Winevt\Logs\System.evtx
```

### Security

```
%SYSTEMROOT%\System32\Winevt\Logs\Security.evtx
```

![An example of event log](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-M56BPaF9r7edEk2BWGy%2F-M56BRpuF0L0z8Zs2S8w%2FEvent%20log.png?generation=1587111121363120\&alt=media)

The fields below are those of a successful logon event in the Security log (Event ID 4624 on Windows Vista and later, 528/540 on earlier versions).

#### User Name

The account that logged on.

#### Domain

The domain associated with the user name. If the account is a local account, this field contains the system's own host name rather than a domain.

#### Logon ID

A hexadecimal identifier that is unique to a logon session on that system since its last boot (it is not unique across hosts or reboots). Use it as a search term or filter to find every event tied to that logon session, including the matching logoff event (4634 or 4647).

#### Logon Type

A code referencing the type of logon initiated by the user. The following table provides further detail on the Logon Type field and its possible values:

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-M56BPaF9r7edEk2BWGy%2F-M56BRpxk5Y0NL4Erax7%2Flogon_type.png?generation=1587111121533890\&alt=media)

Here is a brief description of each type:

#### Interactive (type 2)

The user logged on from the console (for example, from the host machine's keyboard), via the `runas` command, or from a hardware-based remote access solution (such as a KVM).

#### Network (type 3)

The user logged on over the network. Mounting a share through the `net use` command or logging on to a web server via IIS integrated authentication are both examples of activity that would generate a Network logon.

#### Batch (type 4)

A logon session created for a scheduled task: the Task Scheduler logs the task's account on as a batch job.

#### Service (type 5)

A Windows service started by the Service Control Manager logged on using its configured account.

#### Proxy (type 6)

Microsoft defines this as “a proxy-type logon.” We have yet to see this type of event in the wild, or any documentation explaining how it may be generated.
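The following Python is an added worked example (not code from the original page or its author) that ties the fields above together: it parses Security-log events in the XML form that Event Viewer's "Save as XML" and `wevtutil qe /f:xml` produce, reads the user name, domain, Logon ID and Logon Type, maps the numeric Logon Type to its name, flags local accounts by the Domain field, and pairs each 4624 logon with its 4634/4647 logoff by Logon ID. The four events are constructed sample data (the host, users, IP address and Logon IDs are made up), and the function names are my own.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon Type codes as documented by Microsoft for event 4624
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 6: "Proxy",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}


def logon_type_name(code):
    return LOGON_TYPES.get(int(code), f"Unknown({code})")


def parse_system_time(value):
    """TimeCreated carries 7 fractional digits and a trailing Z; trim to what fromisoformat accepts."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".")
        value = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def parse_event(xml_text):
    """Flatten one <Event> into the System fields we need plus the EventData name/value pairs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "time": parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "computer": system.find("e:Computer", NS).text,
        "data": {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)},
    }


def is_local_account(domain, computer):
    """For local accounts the Domain field holds the host's own (NetBIOS) name,
    so compare it with the first label of the Computer FQDN."""
    return domain.upper() == computer.split(".")[0].upper()


def build_sessions(events):
    """Pair 4624 logons with 4634/4647 logoffs by Logon ID. Logon IDs are only
    unique per host since its last boot, so key on (computer, logon id)."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        d = ev["data"]
        key = (ev["computer"].lower(), d.get("TargetLogonId", "").lower())
        if ev["event_id"] == 4624:
            sessions[key] = {
                "logon_id": key[1], "user": d["TargetUserName"], "domain": d["TargetDomainName"],
                "local_account": is_local_account(d["TargetDomainName"], ev["computer"]),
                "logon_type": int(d["LogonType"]), "logon_type_name": logon_type_name(d["LogonType"]),
                "source_ip": d.get("IpAddress", "-"), "logon_time": ev["time"],
                "logoff_time": None, "duration_s": None,
            }
        elif ev["event_id"] in (4634, 4647) and key in sessions:
            # a logoff whose logon has already rolled out of the log is left unmatched
            s = sessions[key]
            s["logoff_time"] = ev["time"]
            s["duration_s"] = (ev["time"] - s["logon_time"]).total_seconds()
    return list(sessions.values())


def _event(event_id, time, computer, **data):
    """Build a constructed sample event in the Event XML schema (made-up host, users, IPs)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/><Channel>Security</Channel>'
            f'<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>')


SAMPLE_XML = [  # constructed sample data, not taken from a real system
    _event(4624, "2024-03-12T08:15:02.1234567Z", "WS01.corp.example", TargetUserName="jdoe",
           TargetDomainName="CORP", TargetLogonId="0x5A3F2", LogonType="10", IpAddress="10.0.0.5"),
    _event(4624, "2024-03-12T08:20:00.0000000Z", "WS01.corp.example", TargetUserName="localadmin",
           TargetDomainName="WS01", TargetLogonId="0x1B2C3", LogonType="2", IpAddress="-"),
    _event(4624, "2024-03-12T09:00:00.0000000Z", "WS01.corp.example", TargetUserName="svc_backup",
           TargetDomainName="CORP", TargetLogonId="0x7A7A7", LogonType="4", IpAddress="-"),
    _event(4634, "2024-03-12T09:15:02.1234567Z", "WS01.corp.example", TargetUserName="jdoe",
           TargetDomainName="CORP", TargetLogonId="0x5A3F2", LogonType="10"),
]


def demo():
    return build_sessions([parse_event(x) for x in SAMPLE_XML])


if __name__ == "__main__":
    for s in demo():
        scope = "local" if s["local_account"] else "domain"
        print(f'{s["logon_id"]} {s["domain"]}\\{s["user"]} ({scope}) {s["logon_type_name"]} '
              f'from {s["source_ip"]} at {s["logon_time"].isoformat()} duration={s["duration_s"]}')
```

Sessions with no matching logoff (here the local `localadmin` console logon) stay open in the output; that is also what you see for sessions that were still active when the log was collected, so treat a missing logoff as "unknown", not as "still logged on".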

## Analysis of Logs

* Collect the logs from `C:\Windows\System32\winevt\Logs` (`%SYSTEMROOT%\System32\Winevt\Logs`) on the disk image. On a live system the Event Log service holds the files open, so copy them with a tool that reads the raw volume, or export them with `wevtutil epl <LogName> <output.evtx>`.

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MehKVYWtfDBrLOM2wnn%2F-MehKayMlj1Nwl29dWhE%2Fimage.png?alt=media\&token=bd3e0b13-1997-4e91-ab09-e027d7939eb5)

* Export the .evtx file of interest
* Open the exported log in an event log viewer (Windows Event Viewer, or a third-party viewer such as Event Log Explorer)

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MehKVYWtfDBrLOM2wnn%2F-MehKhdyEPhz4ruTh6E8%2Fimage.png?alt=media\&token=311557d4-d9fd-40a7-b685-489ca9ba98bc)

* Or parse the files into CSV with an event log parser such as **EvtxECmd.exe** (Eric Zimmerman's tool), so that they can be opened in Excel

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MehKVYWtfDBrLOM2wnn%2F-MehKmLtPMBzGNrdVArU%2Fimage.png?alt=media\&token=383d810f-a03f-4c51-87b5-642555a8f7fa)

* Then review the CSV in Excel or in a similar tool made for this kind of timeline (e.g. Timeline Explorer)

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MehKVYWtfDBrLOM2wnn%2F-MehKrMHR2yT1zOSAepO%2Fimage.png?alt=media\&token=acbf433e-25b2-44f3-bc88-23562bb7e713)
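Before handing collected files to a viewer or parser it is worth confirming that each copy is a complete, intact .evtx, since a truncated or partly overwritten copy parses silently as "fewer events". The following Python is an added example (not code from the page or from any of the tools it mentions) that validates the file header signature and CRC32, walks the 64 KiB chunks, checks each chunk's header and data CRC32s, and lists the record headers (record number and written time); it does not decode the binary XML bodies. The layout follows the published EVTX format (a 4096-byte header block, then 65536-byte chunks with 512-byte headers). The sample file is built in memory from constructed data and the function names are my own.

```python
import struct
import zlib
from datetime import datetime, timedelta, timezone

FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
FILE_HEADER_BLOCK = 4096   # file header occupies the first 4 KiB
CHUNK_SIZE = 65536         # every chunk is 64 KiB
CHUNK_HEADER_SIZE = 512    # records start at offset 512 inside a chunk
FLAG_DIRTY = 0x1           # set while the log is open: expected on a live-acquired copy
FLAG_FULL = 0x2
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH_1601   # integer arithmetic: a float would lose the low digits
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_file_header(data):
    """Validate the 128-byte file header; raise on anything we cannot trust."""
    if len(data) < FILE_HEADER_BLOCK or data[:8] != FILE_MAGIC:
        raise ValueError("not a complete EVTX file header")
    (first_chunk, last_chunk, next_record_id, _hdr_size, minor, major,
     _block_size, chunk_count) = struct.unpack_from("<QQQIHHHH", data, 8)
    flags, checksum = struct.unpack_from("<II", data, 120)
    if zlib.crc32(data[:120]) != checksum:   # CRC32 covers the first 120 bytes
        raise ValueError("file header CRC32 mismatch: truncated, corrupted or tampered copy")
    return {"version": f"{major}.{minor}", "first_chunk": first_chunk,
            "last_chunk": last_chunk, "next_record_id": next_record_id,
            "chunk_count": chunk_count, "dirty": bool(flags & FLAG_DIRTY),
            "full": bool(flags & FLAG_FULL)}


def parse_chunk(data, offset):
    """Parse one chunk: header CRCs plus the header of every record in it."""
    chunk = data[offset:offset + CHUNK_SIZE]
    if chunk[:8] != CHUNK_MAGIC:
        return None   # unused chunk space, common on a dirty (live) acquisition
    (_first_num, _last_num, first_id, last_id, _hdr_size, _last_off,
     free_off, data_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    header_crc = struct.unpack_from("<I", chunk, 124)[0]
    records, pos = [], CHUNK_HEADER_SIZE
    while pos + 24 <= free_off and chunk[pos:pos + 4] == RECORD_MAGIC:
        size, rec_id, written = struct.unpack_from("<IQQ", chunk, pos + 4)
        if size < 28 or pos + size > free_off:
            break   # corrupt size field: stop rather than walk off the chunk
        size_copy = struct.unpack_from("<I", chunk, pos + size - 4)[0]
        records.append({"record_id": rec_id, "size": size, "size_ok": size_copy == size,
                        "written": filetime_to_datetime(written)})
        pos += size
    return {"offset": offset, "first_record_id": first_id, "last_record_id": last_id,
            # the header CRC skips bytes 120..127, which hold the checksum itself
            "header_crc_ok": zlib.crc32(chunk[:120] + chunk[128:512]) == header_crc,
            "data_crc_ok": zlib.crc32(chunk[512:free_off]) == data_crc,
            "records": records}


def check_evtx(data):
    report = parse_file_header(data)
    report["chunks"] = [c for c in (parse_chunk(data, off) for off in
                        range(FILE_HEADER_BLOCK, len(data) - CHUNK_SIZE + 1, CHUNK_SIZE)) if c]
    report["records_found"] = sum(len(c["records"]) for c in report["chunks"])
    return report


def build_sample_evtx(written_times, dirty=True):
    """Constructed sample: a single-chunk EVTX built in memory for this example.
    Record bodies are placeholder bytes, not real binary XML."""
    body, size = b"", 0
    for rec_id, iso in enumerate(written_times, start=1):
        payload = b"\x00" * 64
        size = 24 + len(payload) + 4   # 24-byte header, body, trailing size copy
        ft = datetime_to_filetime(datetime.fromisoformat(iso))
        body += RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, ft) + payload + struct.pack("<I", size)
    n, free_off = len(written_times), CHUNK_HEADER_SIZE + len(body)
    chunk = bytearray(CHUNK_SIZE)
    chunk[:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQIIII", chunk, 8, 1, n, 1, n, 128, free_off - size, free_off, zlib.crc32(body))
    chunk[CHUNK_HEADER_SIZE:free_off] = body
    struct.pack_into("<I", chunk, 124, zlib.crc32(chunk[:120] + chunk[128:512]))
    header = bytearray(FILE_HEADER_BLOCK)
    header[:8] = FILE_MAGIC
    struct.pack_into("<QQQIHHHH", header, 8, 0, 0, n + 1, 128, 1, 3, FILE_HEADER_BLOCK, 1)
    struct.pack_into("<I", header, 120, FLAG_DIRTY if dirty else 0)
    struct.pack_into("<I", header, 124, zlib.crc32(header[:120]))
    return bytes(header + chunk)


if __name__ == "__main__":
    sample = build_sample_evtx(["2024-01-15T10:00:00+00:00", "2024-01-15T10:05:00+00:00"])
    r = check_evtx(sample)
    print(f"evtx v{r['version']} dirty={r['dirty']} chunks={len(r['chunks'])} records={r['records_found']}")
    for rec in r["chunks"][0]["records"]:
        print(rec["record_id"], rec["written"].isoformat(), "ok" if rec["size_ok"] else "SIZE MISMATCH")
```

A set dirty flag is normal for a file copied from a running system (the log was open when it was read) and is not by itself a sign of tampering; on such a copy the chunk count and next record ID in the file header may lag behind the chunk headers, which is why the walk trusts the chunk headers rather than the file header for what the file actually contains. A failing file-header CRC or a chunk whose data CRC does not match, on the other hand, means the copy is not the file the Event Log service wrote, and it should be re-acquired before any conclusions are drawn from it.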
