# Windows Event Log ## Dump Logfile Windows Event Logfiles can be dumped via ```sh evtx_dump $EVENT_LOG > event.log evtx_dump -o json $EVENT_LOG > event.log ``` ## Query Windows Events One method is to use the GUI Tool `Event Viewer`, another method is to use Powershell. Use `Win-Event` to filter categories like Security or System (same categories like in `Event Viewer`) and Event IDs throught the following line. ```sh Get-WinEvent -FilterHashTable @{LogName='';ID=''} | fl ``` ## Event IDs ### Process * **1**: Process Creation ### Files * **11**: File opened ### Account Management * **4719**: Attempt to change a policy * **4720**: User account creation * **4722**: User account enabled * **4723**: Attempt to change an account password. The user attempts to change their password * **4724**: Attempt to reset the account password. The user attempts to reset the password of another account * **4725**: Account disable * **4726**: Account removal * **4728**: Attempt to add an account to a global security group * **4729**: Attempt to remove an account from a global security group * **4756**: Attempt to add an account to a universal security group * **4757**: Attempt to remove an account from a universal security group ### Account Logon * **4624**: Successful logon * **4625**: Failed logon * **4634** and **4647**: Logoff * **4779**: Session disconnect ### Scheduled Tasks * **4698**: Scheduled task creation * **4702**: Scheduled task updated * **4699**: Scheduled task deletion ### System * **7045**: Service installation ### Security * **1100**: Logging service disabled * **1102**: Log deletion * **1116**: Malware detection * **4697**: Service installation (subsection of **7045**)