Solved

What tools are out there to modify security and event logs on Windows 2003 and Windows 2008

Posted on 2014-11-03
3
95 Views
Last Modified: 2014-12-04
Hi ,

Is it possible for someone to modify the security logs on Windows 2003 and 2008 ?
What are the tools he could use ?

thanks
0
Comment
Question by:c_hockland
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 55

Expert Comment

by:McKnife
ID: 40420577
Your question needs to be clarified. Are you seeking info about possible attack vectors? Some attacker trying to delete traces?

You cannot modify log files while the eventlog service is running - it won't let you. And offline attacks are quite complicated, too.

But first clarify.
0
 

Author Comment

by:c_hockland
ID: 40420971
yes , is it possible for someone to turn off the service and modify entries on the event logs ?   for example edit a user name that accessed the server ?  ( referring to possible attack vectors)
0
 
LVL 55

Accepted Solution

by:
McKnife earned 500 total points
ID: 40421137
I must confess, I have not worried about this too much.
But I found out: If you try to edit the eventlog file offline, the system declares it as corrupted (I just changed one single letter of a username) and creates a new, empty file. The old one remains with extension .corrupted.evtx
If, when online, you try to stop that service, it immediately restarts and there is no chance to exchange the file, at least not on my test machine with win8.1
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
OfficeMate Freezes on login or does not load after login credentials are input.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question