Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


How can i restore securty log when it cleans?

Posted on 2007-10-06
Medium Priority
Last Modified: 2012-06-27
I have important case.
An IT employee in my company recieved insult message from IT employee, the employee who sent email said he didn't sent this email and other employee reset his password and login by his account and sent the email and he didn't know any thing about this email.

I made some investigation about this case and I checked the security log file to find when the password resets and who made that, but I found the log is clear and the admin make schedule every 65k.

Can I restore the security log?Who?
Question by:al_ghamdi
LVL 10

Expert Comment

ID: 20027615
I am not aware of a way to restore the log once it has been cleared down, unless you saved the logs in an *.evt file

Expert Comment

ID: 20027735
As Kevin said, there is no way. You only options is if you have full backup of the server/worstation before the Security Log was cleared.

If this is the situation, you can restore the following folder %SystemRoot%\System32\Config  that is where the logs are stored in evt format as Kevin said.

Then from Event Viewer you will be able to go to Actions -> Open Log file and choose the restored evt to open.

LVL 26

Accepted Solution

Farhan Kazi earned 2000 total points
ID: 20027883
Greetings Al_Ghamdi,

>> I checked the security log file to find when the password resets and who made that...

Active Directory stores last password set date and time, you can query Active Directory to see what last password was set.

You can query like..
DSQuery * -Filter "(samAccountName=FKazi)" -Attr pwdLastSet

Above statement will show you result like:


Now you can covert this long time value to normal with following statement.

w32tm /ntte 128360798942895360
                                 ^---- Long time value
It will provide you output like

148565 17:44:54.2895360 - 10/5/2007 10:44:54 PM (local time)

Now you can search local system event log for all events for date 10/5/2007

Hope this helps!

Expert Comment

ID: 20238023
Forced accept.

EE Admin

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn about cloud computing and its benefits for small business owners.
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question