How can I restore the security log when it is cleared?

Posted on 2007-10-06
Last Modified: 2012-06-27
I have an important case.
An IT employee in my company received an insulting message from another IT employee. The employee who sent the email said he didn't send this email, that another employee reset his password, logged in with his account and sent the email, and that he didn't know anything about this email.

I did some investigation into this case and checked the security log file to find when the password was reset and who did it, but I found the log is clear and the admin makes a schedule every 65k.

Can I restore the security log? Who?
Question by: al_ghamdi
    LVL 10

    Expert Comment

    I am not aware of a way to restore the log once it has been cleared down, unless you saved the logs in an *.evt file
    LVL 1

    Expert Comment

    As Kevin said, there is no way. Your only option is if you have a full backup of the server/workstation from before the Security Log was cleared.

    If this is the situation, you can restore the following folder, %SystemRoot%\System32\Config, which is where the logs are stored in evt format, as Kevin said.

    Then from Event Viewer you will be able to go to Actions -> Open Log file and choose the restored evt to open.

    LVL 26

    Accepted Solution

    Greetings Al_Ghamdi,

    >> I checked the security log file to find when the password resets and who made that...

    Active Directory stores the date and time the password was last set. You can query Active Directory to see when the password was last set.

    You can query like..
    DSQuery * -Filter "(samAccountName=FKazi)" -Attr pwdLastSet

    The above statement will show you a result like:


    Now you can convert this long time value to normal with the following statement.

    w32tm /ntte 128360798942895360
                                     ^---- Long time value
    It will provide you output like

    148565 17:44:54.2895360 - 10/5/2007 10:44:54 PM (local time)

    Now you can search local system event log for all events for date 10/5/2007

    Hope this helps!
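
The conversion in the accepted answer, as an added Python example that is not part of the original thread: pwdLastSet is a count of 100-nanosecond ticks since 1601-01-01 UTC, so it can be decoded offline and turned into a review window for whatever logs or backups survive. The function names, the 30-minute window and the UTC+5 offset (inferred from the two times in the quoted w32tm output) are assumptions.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
TICKS_PER_SECOND = 10_000_000                            # one tick = 100 ns


def _ticks(raw):
    ticks = int(str(raw).strip())
    if ticks < 0:
        raise ValueError("negative value is not a stored timestamp")
    return ticks


def pwd_last_set_utc(raw):
    """UTC datetime for a pwdLastSet value, or None when it is 0.

    0 means no usable timestamp is stored (for example the account is
    flagged to change its password at next logon).
    """
    ticks = _ticks(raw)
    if ticks == 0:
        return None
    return EPOCH_1601 + timedelta(seconds=ticks // TICKS_PER_SECOND)


def ntte_breakdown(raw):
    """'days hh:mm:ss.fffffff' since 1601 (UTC), as w32tm /ntte prints first."""
    seconds, frac = divmod(_ticks(raw), TICKS_PER_SECOND)
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return "%d %02d:%02d:%02d.%07d" % (days, hours, minutes, secs, frac)


def review_window(raw, utc_offset_hours, minutes=30):
    """Start/end of a log-review window around the reset, in UTC and local time."""
    when = pwd_last_set_utc(raw)
    if when is None:
        return None
    local = timezone(timedelta(hours=utc_offset_hours))
    start, end = when - timedelta(minutes=minutes), when + timedelta(minutes=minutes)
    return {"utc": (start, end),
            "local": (start.astimezone(local), end.astimezone(local))}


if __name__ == "__main__":
    value = "128360798942895360"   # value quoted in the answer above
    print(ntte_breakdown(value))
    print(pwd_last_set_utc(value).isoformat())
    print(review_window(value, utc_offset_hours=5))
```

w32tm renders the second field in the time zone of the machine it runs on, so note the UTC value when comparing against logs or backups taken on other hosts.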
    LVL 1

    Expert Comment

    Forced accept.

    EE Admin
