最後更新: 2019-05-15

 

目錄

• Event Log Service
• UI Command
• Non-Admin access Event Log
• Tools - PsGetSid
• Clear Cluster Event Log
• Log Info - Login
• Log Info - Reboot
• MMC can't open services.msc / eventvwr.msc

 

---

Event Log Service

 

# Checking

sc query eventlog

ERVICE_NAME: eventlog
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

 

---

UI Command

 

eventvwr.exe

 

---

Non-Admin access Event Log

 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD

The CustomSD value is in SDDL format, as shown below:

O:BAG:SYD:(D;; 0xf0007;;;AN)(D;; 0xf0007;;;BG)(A;; 0xf0007;;;SY)(A;; 0×5;;;BA)(A;; 0×7;;;SO)(A;; 0×3;;;IU)(A;;0×2;;;BA)(A;; 0×2;;;LS)(A;; 0×2;;;NS) 

So, find the SID of the user or group you want to be given read access to the log.

Navigate to the CustomSD value for that log and append the value with the following: (A;; 0×1;;;SID)

Note that there are three distinct rights that pertain to event logs:

Read, Write, and Clear.

These rights correspond to the following bits in the access rights field of the ACE string:

1= Read 2 = Write 4 = Clear

So, for your user to have read access, use 0×1 in the string.

For read and write access, use 0×3, for read/write/clear access use 0×7 etc.

 

---

Tools - PsGetSid

 

Tanslate SIDs to their display name

Download

https://docs.microsoft.com/en-us/sysinternals/downloads/psgetsid

 

---

Clear Event Log File

 

# With Server 2008/Vista and up log file location

%SystemRoot%\system32\winevt\logs

log file: *.evtx

Step 1

Stop eventlog service

sc query eventlog

設定它下次開機後"停用"

Step 2

reboot

Step 3

%SystemRoot%\system32\winevt\Logs\

Step 4

Start eventlog service

 

---

Log Info - Login

 

S08R2 的 login log 出現次序

1. 4776 - 電腦嘗試驗證帳戶的認證
    - 驗證封裝
    - 登入帳戶
2. 4648 - 使用明確宣告的認證嘗試登入
3. 4624 - 帳戶成功登入
   由 Winlogon.exe 或 Services.exe 發動, log 有對方 IP
4. 4672 - 特殊權限已指派給新登入

 

4624: An account was successfully logged on

TargetUserName: ???
WorkstationName: ???

Logon Type

2    Interactive (logon at keyboard and screen of system)
3    Network (i.e. connection to shared folder on this computer from elsewhere on network)
5    Service (Service startup)
8    NetworkCleartext (i.e. IIS with "basic authentication")
7    Unlock (i.e. unnattended workstation with password protected screen saver)
10    RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11    CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)

4634: An account was successfully logged off

 Security ID:  %1
 Account Name:  %2
 Account Domain:  %3
 Logon ID:  %4
 Logon Type:   %5

ANONYMOUS LOGONs are routine events on Windows networks.

4648:

A logon was attempted using explicit credentials

4672:

Special privileges assigned to new logon

This event lets you know whenever an account assigned any "administrator equivalent" user rights logs on.

4672 in close proximity to logon events (4624) for administrators since administrators have most of these admin-equivalent rights.  
 

 

---

Log Info - Reboot

 

By cmd

systeminfo | find "Time:"

System Boot Time:          4/26/2016, 4:16:06 AM

By event id

12

Source: Kernel-General

The operating system started at system time ‎2019‎-‎05‎-‎15T19:29:55.125599400Z.

13

Source: Kernel-General

The operating system is shutting down at system time ‎2019‎-‎05‎-‎15T19:29:33.513912000Z.

跡象: Event log service

6005 - The Event log service was started.

6006 - The Event log service was stopped.

1074 - Windows updates

Source: USER32

Shutdown Type: restart

The process C:\Windows\system32\svchost.exe (HOSTNAME) has initiated the restart of computer HOST1

on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Recovery (Planned)

1076 - Unexpected shutdown

6009 - Multiprocessor Free.

6013 - The system uptime is 13 seconds.

 

---

唔正常 reboot

 

Windows Logs > System

log 的次序

Source: Kernel-General
ID: 12
Level: Information    
The operating system started at system time ‎2022‎-‎06‎-‎29T04:41:34.595198400Z.

Source: System
ID: 6008
Level: Error
The previous system shutdown at 12:38:21 PM on ‎6/‎29/‎2022 was unexpected.

Source: EventLog
ID: 6005
Level: Information
The Event log service was started.

Source: EventLog
ID: 6013
Level: Information
The system uptime is 14 seconds.

Source: Kernel-Power
ID: 41
Level: Critical

The system has rebooted without cleanly shutting down first.
This error could be caused if the system stopped responding,
crashed, or lost power unexpectedly.

 

---

MMC can't open services.msc / eventvwr.msc

 

[Fix]

mmc.exe, go to File->Options->Disk Cleanup->Delete Files

 

---