Solved

What tools are out there to modify security and event logs on Windows 2003 and Windows 2008

Posted on 2014-11-03
Last Modified: 2014-12-04
Hi,

Is it possible for someone to modify the security logs on Windows 2003 and 2008?
What tools could he use?

Thanks
Question by:c_hockland
LVL 53

Expert Comment

by:McKnife
ID: 40420577
Your question needs to be clarified. Are you seeking info about possible attack vectors? Some attacker trying to delete traces?

You cannot modify log files while the eventlog service is running - it won't let you. And offline attacks are quite complicated, too.

But first clarify.
0
 

Author Comment

by:c_hockland
ID: 40420971
Yes, is it possible for someone to turn off the service and modify entries in the event logs? For example, edit a user name that accessed the server? (Referring to possible attack vectors.)
0
 
LVL 53

Accepted Solution

by:McKnife
ID: 40421137
I must confess, I have not worried about this too much.
But I found out: If you try to edit the eventlog file offline, the system declares it as corrupted (I just changed one single letter of a username) and creates a new, empty file. The old one remains with extension .corrupted.evtx
If, when online, you try to stop that service, it immediately restarts and there is no chance to exchange the file, at least not on my test machine with Win 8.1.
0
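
The behaviour McKnife describes, where a one-letter offline edit gets the file flagged as corrupted, is consistent with the CRC32 checksums the EVTX format keeps over its file header, chunk headers and record data. As an added example (not part of the thread), this Python script checks those checksums on a copy of a log; the offsets follow the publicly documented EVTX layout, and the function name `verify_evtx` is hypothetical.

```python
import struct
import sys
import zlib

FILE_HDR_SIZE = 4096   # size of the file header block
CHUNK_SIZE = 65536     # every chunk is 64 KiB


def crc(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def verify_evtx(data):
    """Return integrity findings for raw .evtx bytes (empty list = all checksums match)."""
    if len(data) < 128 or data[:8] != b"ElfFile\x00":
        return ["not an EVTX file (bad signature)"]
    findings = []
    # File header: flags at offset 120, CRC32 of bytes 0..119 at offset 124.
    flags, stored = struct.unpack_from("<II", data, 120)
    if crc(data[:120]) != stored:
        findings.append("file header checksum mismatch")
    if flags & 0x1:
        findings.append("dirty flag set (log was not closed cleanly)")
    for index, off in enumerate(range(FILE_HDR_SIZE, len(data), CHUNK_SIZE)):
        chunk = data[off:off + CHUNK_SIZE]
        if chunk[:8] != b"ElfChnk\x00":
            continue  # unused chunk slot
        if len(chunk) < 512:
            findings.append(f"chunk {index}: truncated")
            continue
        free_off, rec_crc = struct.unpack_from("<II", chunk, 48)
        (hdr_crc,) = struct.unpack_from("<I", chunk, 124)
        # Chunk header CRC covers bytes 0..119 and 128..511.
        if crc(chunk[:120] + chunk[128:512]) != hdr_crc:
            findings.append(f"chunk {index}: header checksum mismatch")
        # Record CRC covers record data from offset 512 up to the free-space offset.
        if not 512 <= free_off <= len(chunk):
            findings.append(f"chunk {index}: implausible free-space offset {free_off}")
        elif crc(chunk[512:free_off]) != rec_crc:
            findings.append(f"chunk {index}: event record checksum mismatch")
    return findings


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        for line in verify_evtx(fh.read()) or ["all checksums match"]:
            print(line)
```

Run it against an exported copy rather than the live file, since a log still held open by the service can carry the dirty flag and checksums that have not been flushed yet.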
