|ID|Event Type|Description|
|--|----------|-----------|
|0|Error|An event that indicates a significant problem.|
|1|Warning|An event that is not necessarily significant, but may indicate a possible future problem.|
|2|Information|An event describing the successful operation of an application.|
|3|Success Audit|An event that records an audited security access attempt that succeeds.|
|4|Failure Audit|An event that records an audited security access attempt that fails.|
Event logs are stored on disk as .evtx files under C:\Windows\System32\winevt\Logs. In Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows > PowerShell > Operational, right-click the log and choose Properties to see its file path, maximum size and retention behaviour. A log can also be cleared from that Properties dialog; the clear is itself recorded (Security event 1102 for the Security log, System event 104 for the others).
wevtutil.exe /?
wevtutil.exe le | measure
wevtutil qe Application /c:3 /rd:true /f:text
Get-WinEvent -ListLog *
Get-WinEvent -Path .\merged.evtx | Where-Object { $_.Message -like '*log clear*' }
Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' }
Get-WinEvent -ListProvider *Policy*
(Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Format-Table Id, Description
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MsiInstaller' }
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -ExpandProperty Message | Select-String -Pattern 'SecureString'
Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=101 and */System/Provider[@Name="WLMS"]'
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="System"'
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]' -MaxEvents 1
Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4720 and */EventData/Data[@Name="TargetUserName"]="sam"'
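The one-liners above each answer a single question. The following is an added example, not part of the original notes, that turns two of those hunts (log clearing, and 4104 script blocks containing a keyword such as SecureString) into reusable functions that run against the live logs or against an exported .evtx via the FilterHashtable Path key. The keyword list and the merged.evtx path in the usage lines are my own assumptions; the event IDs and XML field names are the documented ones.

```powershell
# Added example (not from the original notes). Hunts for log clearing (Security 1102,
# System 104) and for PowerShell script blocks (4104) matching a keyword list.
# Keyword list and the .evtx path used below are assumptions for illustration.

function Get-EventDataField {
    # Return the value of a named <Data Name="..."> element from an event's EventData
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-LogClear {
    # Clearing a log is itself logged. 1102 and 104 carry the actor under
    # UserData/LogFileCleared rather than EventData. -Path queries an exported .evtx.
    param([string]$Path)
    $filters = if ($Path) {
        @( @{ Path = $Path; ID = 1102, 104 } )
    } else {
        @( @{ LogName = 'Security'; ID = 1102 }, @{ LogName = 'System'; ID = 104 } )
    }
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $u = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Log         = $_.LogName
                ClearedBy   = "$($u.SubjectDomainName)\$($u.SubjectUserName)"
                Channel     = if ($_.Id -eq 104) { $u.Channel } else { 'Security' }
            }
        }
    }
}

function Find-SuspiciousScriptBlock {
    # Event 4104 (script block logging) contains the de-obfuscated script text,
    # so keyword matching here sees what actually ran, not just what was typed.
    param(
        [string[]]$Keyword = @('SecureString', 'FromBase64String', 'Invoke-Expression',
                               'IEX', 'DownloadString', '-enc'),
        [string]$Path
    )
    $filter = @{ ID = 4104 }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Microsoft-Windows-PowerShell/Operational' }
    $pattern = ($Keyword | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = Get-EventDataField $_ 'ScriptBlockText'
        if (-not $text) { return }                      # skip empty fragments
        $m = [regex]::Matches($text, $pattern, 'IgnoreCase')
        if ($m.Count -gt 0) {
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                ScriptBlockId = Get-EventDataField $_ 'ScriptBlockId'
                Matched       = ($m | ForEach-Object Value | Sort-Object -Unique) -join ','
                Snippet       = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Usage
Find-LogClear | Format-Table -AutoSize
Find-SuspiciousScriptBlock -Keyword 'SecureString' | Format-Table -AutoSize
Find-SuspiciousScriptBlock -Path .\merged.evtx        # same hunt over an exported file
```

Both functions read fields from the event XML rather than parsing the rendered Message string, so they still work on a machine that lacks the provider's message resources (a common situation when analysing .evtx files exported from another host).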
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell (Turn on Module Logging, Turn on PowerShell Script Block Logging; these feed events 4103 and 4104 in Microsoft-Windows-PowerShell/Operational)
Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation (Include command line in process creation events; adds the CommandLine field to Security event 4688, which also requires the Process Creation audit subcategory to be enabled)
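The two Group Policy paths above map to registry values, which is how they are usually set on lab machines without a domain. The following is an added example, not part of the original notes: it writes those policy values, enables the Process Creation audit subcategory, then generates one marker command and checks that it appears both as a 4104 script block and as a 4688 process-creation event carrying the command line. The registry keys and value names are the documented policy locations; the marker string and the two-minute lookback window are my own choices. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original notes). Sets the registry-backed equivalents of
# the two Group Policy paths above and verifies that the resulting events arrive.
# Requires an elevated session. Marker string and lookback window are illustrative choices.

function Enable-PowerShellLogging {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    # Turn on PowerShell Script Block Logging -> event 4104
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1
    # Turn on Module Logging for all modules -> event 4103
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
    New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

function Enable-ProcessCommandLineAudit {
    # Audit Process Creation > Include command line in process creation events
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Type DWord -Value 1
    # The registry value only adds the CommandLine field; 4688 itself needs the subcategory on
    auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
}

function Test-LoggingCoverage {
    # Launch a fresh powershell.exe so the new policy values are read at startup.
    # One process gives us both a 4688 (with the marker in CommandLine) and a 4104.
    $marker = "logcheck-$(Get-Random)"
    Start-Process -FilePath powershell.exe -WindowStyle Hidden -Wait `
        -ArgumentList "-NoProfile -Command Write-Output '$marker'"
    Start-Sleep -Seconds 2
    $since = (Get-Date).AddMinutes(-2)

    $scriptBlocks = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-PowerShell/Operational'; ID = 4104; StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$marker*" }

    $procCreates = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4688; StartTime = $since } `
            -ErrorAction SilentlyContinue |
        Where-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'CommandLine' -and $_.'#text' -like "*$marker*" }
        }

    [pscustomobject]@{
        ScriptBlockLogging = [bool]$scriptBlocks   # True when a 4104 carried the marker
        CommandLineAudit   = [bool]$procCreates    # True when a 4688 carried the marker in CommandLine
    }
}

Enable-PowerShellLogging
Enable-ProcessCommandLineAudit
Test-LoggingCoverage
```

If CommandLineAudit comes back False while ScriptBlockLogging is True, the usual cause is that the Process Creation audit subcategory is being overridden by a domain policy; check with `auditpol /get /subcategory:"Process Creation"`.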