VulnTech Event Logs Analysis

Windows event logs are one of the most valuable sources of information in forensic investigations. They record system activity, security events, user actions, application behavior, and network activity—providing a detailed timeline of what happened on the system. Because logs are generated automatically by the operating system and its components, they serve as reliable evidence for reconstructing events and detecting malicious activity.

This chapter explains how Windows event logs work, where they are stored, important log categories, and how to analyze them effectively.

What Are Windows Event Logs?

Windows uses the Event Tracing subsystem to record system and application activity.
These logs help administrators and forensic investigators understand:

Logins and authentication attempts
Program execution
System changes
Security policy modifications
Network connections
Errors, warnings, and crashes

Event logs are stored in .evtx format and can be parsed using Event Viewer or forensic tools.

Event Log Storage Location

Event logs are saved in:

C:\Windows\System32\winevt\Logs\

Each log file has the .evtx extension.

Examples:

Security.evtx
System.evtx
Application.evtx
Microsoft-Windows-PowerShell%4Operational.evtx

These files can be copied and analyzed offline.

Main Categories of Event Logs

1. Security Log

File: Security.evtx

This is the most important log in forensic investigations.
It records:

Successful and failed logins
Logouts
Account lockouts
Privilege escalations
Policy changes
File access (if auditing enabled)

Key event IDs include:

4624 – Successful login
4625 – Failed login
4634 – Logoff
4648 – Explicit credential use
4672 – Elevated privileges assigned
4720 – User account created
4726 – User account deleted

Security logs help track user activity, brute-force attempts, account misuse, and suspicious authentication patterns.

2. System Log

File: System.evtx

Records system-level events such as:

Driver loads
Device changes
System errors
Service starts and stops
Shutdowns and restarts

Key events:

6005 – Event log started (system boot)
6006 – Event log stopped (clean shutdown)
6008 – Unexpected shutdown
7036 – Service started/stopped

System logs help determine reboot times, system crashes, or tampering attempts.

3. Application Log

File: Application.evtx

Contains events from user-installed applications and system apps.

Useful for:

Application crashes
Software installations
Application errors
Malware execution attempts

This log varies depending on installed applications.

4. PowerShell Logs

PowerShell is heavily used by attackers.
Logs include:

Operational Log:
Microsoft-Windows-PowerShell%4Operational.evtx

Contains:

Script execution
Command-line arguments
Module loads
Errors and warnings

Key event IDs:

4100 – Script started
4103 – Command execution
4104 – Script block execution (critical for detecting attacks)

5. Windows Defender & Security Logs

Windows Defender logs malicious activity:

Microsoft-Windows-Windows Defender%4Operational.evtx

Records:

Malware detection
Quarantines
Signature updates
Suspicious behavior

Event IDs highlight detected threats and blocked actions.

6. RDP (Remote Desktop) Logs

Remote Desktop logs are vital for detecting unauthorized access.

Key logs:

Security log events: 4624, 4625, 4648
TerminalServices logs
RemoteConnectionManager logs

These logs reveal:

RDP logins
Session creation
Network connections
Failed login attempts

7. Task Scheduler Logs

Attackers often use scheduled tasks for persistence.

Logs stored in:

Microsoft-Windows-TaskScheduler%4Operational.evtx

Useful for identifying:

Suspicious tasks
Newly created tasks
Modified tasks
Scheduled malware execution

Important Event IDs for Forensic Analysis

Below are some of the most commonly used event IDs in investigations.

Authentication Events

4624 – Successful login
4625 – Failed login
4634 – Logoff
4648 – Logon using explicit credentials

Account and Privilege Events

4672 – Admin privileges assigned
4720 – User account created
4726 – User account deleted
4732 – User added to group

System Events

6008 – Unexpected shutdown
7045 – New service installed
7036 – Service started or stopped

PowerShell Events

4103 – Executed commands
4104 – Script block executed
4105 – Terminating script

RDP Events

4624 Logon Type 10 – Remote Desktop login
4778 – RDP session reconnect
4779 – RDP session disconnect

Techniques for Analyzing Event Logs

1. Correlate Logs with Other Artifacts

Combine event logs with:

Registry entries
Prefetch files
USN Journal
Browser history
LNK files

This builds a detailed timeline of activity.

2. Filter by Event IDs

Filtering saves time by focusing only on relevant events—for example, failed logins or PowerShell activity.

3. Use Forensic Tools

Tools for parsing logs include:

Event Viewer
Eric Zimmerman's EvtxEcmd
KAPE
LogParser
SIEM tools (Splunk, ELK)

These tools allow advanced filtering and timeline extraction.

4. Build a Timeline

Combining:

Security logs
System logs
Application logs
PowerShell logs

helps reconstruct sequences of user or attacker actions.

5. Look for Gaps or Log Tampering

Signs of tampering:

Unexpected log clearing events
Missing time periods
Unusual shutdown/restarts
Disabled logging services

Tampering itself is evidence of malicious activity.

Summary

Windows event logs are a central source of forensic evidence. They record everything from user logins and program execution to system errors, PowerShell commands, and remote access attempts. By understanding key logs, event IDs, storage locations, and analysis techniques, investigators can reconstruct detailed activity timelines and identify suspicious behavior or security incidents on a Windows system.