Solved

What tools are out there to modify security and event logs on Windows 2003 and Windows 2008

Posted on 2014-11-03
Last Modified: 2014-12-04
Hi,

Is it possible for someone to modify the security logs on Windows 2003 and 2008?
What are the tools he could use?

Thanks
Question by:c_hockland
3 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 40420577
Your question needs to be clarified. Are you seeking info about possible attack vectors? Some attacker trying to delete traces?

You cannot modify log files while the eventlog service is running - it won't let you. And offline attacks are quite complicated, too.

But first clarify.
0
 

Author Comment

by:c_hockland
ID: 40420971
Yes, is it possible for someone to turn off the service and modify entries in the event logs? For example, edit a user name that accessed the server? (Referring to possible attack vectors.)
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40421137
I must confess, I have not worried about this too much.
But I found out: if you try to edit the eventlog file offline, the system declares it as corrupted (I just changed one single letter of a username) and creates a new, empty file. The old one remains with the extension .corrupted.evtx
If, when online, you try to stop that service, it immediately restarts and there is no chance to exchange the file, at least not on my test machine with Windows 8.1.
0
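Added example, not part of the original thread or any poster's code: the accepted answer does not say how the system noticed the one-letter edit, but the EVTX format stores CRC32 checksums in its file header and in every 64 KiB chunk, and an examiner can check them on an offline copy. The field offsets below follow public documentation of the EVTX format and are assumptions here; `build_sample` produces a constructed, EVTX-shaped image, not a real log.

```python
import struct
import zlib

FILE_HEADER_SIZE = 0x1000   # file header block (assumed layout)
CHUNK_SIZE = 0x10000        # each chunk is 64 KiB (assumed layout)

def check_chunk(chunk):
    """Return the integrity problems found in one chunk."""
    if chunk[:8] != b"ElfChnk\x00":
        return ["bad signature"]
    free_off, records_crc = struct.unpack_from("<II", chunk, 48)
    (header_crc,) = struct.unpack_from("<I", chunk, 124)
    problems = []
    if header_crc != zlib.crc32(chunk[:120] + chunk[128:512]):
        problems.append("header checksum mismatch")
    if records_crc != zlib.crc32(chunk[512:free_off]):
        problems.append("event records checksum mismatch")
    return problems

def verify_evtx(data):
    """Return {location: [problems]} for an offline EVTX image."""
    findings = {}
    (stored,) = struct.unpack_from("<I", data, 124)
    if data[:8] != b"ElfFile\x00" or stored != zlib.crc32(data[:120]):
        findings["file header"] = ["signature or checksum mismatch"]
    for off in range(FILE_HEADER_SIZE, len(data), CHUNK_SIZE):
        problems = check_chunk(data[off:off + CHUNK_SIZE])
        if problems:
            findings["chunk @ 0x%x" % off] = problems
    return findings

def build_sample():
    """Constructed minimal image: one header block and one chunk."""
    records = b"\x2a\x2a\x00\x00" + b"user=alice".ljust(60, b"\x00")
    chunk = bytearray(CHUNK_SIZE)
    chunk[:8] = b"ElfChnk\x00"
    chunk[512:512 + len(records)] = records
    struct.pack_into("<II", chunk, 48, 512 + len(records), zlib.crc32(records))
    struct.pack_into("<I", chunk, 124, zlib.crc32(chunk[:120] + chunk[128:512]))
    header = bytearray(FILE_HEADER_SIZE)
    header[:8] = b"ElfFile\x00"
    struct.pack_into("<I", header, 124, zlib.crc32(header[:120]))
    return bytes(header + chunk)

if __name__ == "__main__":
    clean = build_sample()
    edited = clean.replace(b"alice", b"alicf")  # one letter changed offline
    print(verify_evtx(clean))
    print(verify_evtx(edited))
```

Run against a copy of a log taken for examination, a non-empty result points at the block whose contents no longer match its stored checksum.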
