EVTX

location:

# NT / XP / 2000 / 2003
C:\Windows\System32\winevts\logs\*.evtx
# Vista / Win7 / Win8 / Win10 / Win11
C:\Windows\System32\winevt\Logs\*.evtx

# OR* custom set within:
HKLM\SYSTEM\CurrentControlSet\Services\EventLog

3 options when max size is reached:

overwrite (default)
Archive
do not overwrite - error message appears

Powershell EVTX filtering:

Get-WinEvent -FilterHashtable @{Logname="Security";id=4624}
Get-WinEvent -FilterHashtable @{Logname="Security";id=5140} | where {$_.Message -match "\\Admin\$"}

Log

EventID

Info

System

7034

Service crashed unexpectedly

7035

Service sent a start/stop control

7036

service started or stopped

7040

start type changed (boot | On Request | Disabled)

7045

Service was installed on the system

7045

A new service was installed on the system (look for PSEXESVC)

Defender

1116

Detected Event

1117

Quarantined Event

TaskScheduler

106

Task creation

140

Task update

141

Task Deleted

200

Task Executed

Sysmon

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

sc.exe leaves nothing in EVTX

Parse:

Event Log Explorer

Zicrolite

apt-hunter

chainsaw

Eric Zimmerman:

evtxecmd -f "e:\c\Windows\system32\winevt\logs\Security.evtx" --csv g:\Labs\event-logs --csvf security.csv
evtxecmd -f "e:\C\Windows\System32\winevt\logs\Microsoft-Windows-TaskScheduler%4Operational.evtx" --csv G:\Labs\event-logs --csvf taskscheduler.csv

Recover deleted evtx file - tool built by Willi Ballenthin EvtExtract

PreviousNTFS NextSecurity logs

Last updated 1 year ago

hashtagPowershell EVTX filtering:

hashtagParse:

Powershell EVTX filtering:

Parse: