The Windows Security Log Revealed

Chapter 12
System Events

The System category and its subcategories provide an eclectic mix of events that are relevant to security. For example, Windows logs event ID 4608 when the system starts up.

| System Subcategories | Comment |
| --- | --- |
| Security State Change | Startup, shutdown and time change |
| Security System Extension | Includes new services and authentication packages |
| Security Integrity Events | Major hash and encrypt events |
| IPsec Driver Events | Track failure of IPsec system |
| Other System Events | Track failure of Windows firewall service |

Security State Change

Events in the Security State Change subcategory track key system changes, such as system clock changes and the startup and shutdown of the system. These events are important because a Windows system is completely vulnerable while shut down, at the mercy of anyone who has physical access and the proper skill. Every event is timestamped with the system time, so a change in system time could obscure or hide malicious actions or cause authentication problems (Kerberos depends on clock synchronization between systems).

| Event ID | Title |
| --- | --- |
| 4608 | Windows is starting up |
| 4609 | Windows is shutting down |
| 4616 | The system time was changed |
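Because 4616 carries both the old and the new clock value, the size of the jump can be computed from the event itself. The following is an added example, not code from the book: it lists 4616 events with the jump, the user and the process that made the change, and flags jumps larger than a tolerance (the 300-second default is an assumption to tune for your environment).

```powershell
# Added example (not from the book). Security event 4616 records PreviousTime
# and NewTime as ISO 8601 UTC strings with nine fractional digits; .NET parses
# at most seven, so the extra digits are trimmed before conversion.
function ConvertTo-UtcDateTime([string]$Iso) {
    $trimmed = $Iso -replace '(\.\d{7})\d*', '$1'
    [datetime]::Parse($trimmed, [cultureinfo]::InvariantCulture,
                      [Globalization.DateTimeStyles]::AdjustToUniversal)
}

function Get-TimeChangeEvent {
    param(
        [int]$ToleranceSeconds = 300,   # assumed tolerance; small NTP corrections stay below it
        [int]$MaxEvents = 500
    )
    $filter = @{ LogName = 'Security'; Id = 4616 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Flatten the EventData <Data Name="..."> nodes into a hashtable
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $prev = ConvertTo-UtcDateTime $d.PreviousTime
        $new  = ConvertTo-UtcDateTime $d.NewTime
        $jump = [math]::Round(($new - $prev).TotalSeconds, 3)
        [pscustomobject]@{
            Logged      = $_.TimeCreated
            JumpSeconds = $jump
            Suspicious  = [math]::Abs($jump) -gt $ToleranceSeconds
            ChangedBy   = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            # Routine corrections by the Windows Time service typically come from
            # svchost.exe and are tiny; large jumps from other processes deserve a look
            Process     = $d.ProcessName
            PreviousUtc = $prev
            NewUtc      = $new
        }
    }
}

# Show only the changes that exceeded the tolerance
Get-TimeChangeEvent | Where-Object Suspicious | Format-Table -AutoSize
```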

Security System Extension

The Windows security infrastructure supports extensibility through various types of plug-ins, and the Security System Extension subcategory logs all activity of such plug-ins. The Windows security infrastructure is designed to be modular and to facilitate new, plug-in security functionality from Microsoft and third-party vendors. These plug-ins can be authentication packages, trusted logon processes, or notification packages. Because the plug-ins are completely trusted modules of code that augment the operating system, Windows logs each plug-in as it loads, using the events in this subcategory.

| Event ID | Title |
| --- | --- |
| 4610 | An authentication package has been loaded by the Local Security Authority |
| 4611 | A trusted logon process has been registered with the Local Security Authority |
| 4614 | A notification package has been loaded by the Security Account Manager |
| 4622 | A security package has been loaded by the Local Security Authority |
| 4697 | A service was installed in the system |

When a service is installed on the system, event ID 4697 is generated. (In Windows Server 2003, Detailed Tracking event ID 601 logged this activity.) This change-control event is important because new services are significant extensions of the software that runs on a server and of the roles that software performs.

The Subject section of this event shows the user who installed the new service. However, for services that are installed as part of native Windows components, the Subject section often identifies the local system (SYSTEM); therefore, you can't determine who actually initiated the installation.

The Service Name field in this event indicates the internal system name of the new service. Use the sc query command to get a cross-reference of service names and their more familiar display names. The Service File Name field indicates the executable that was used to start the service. The Service Type value identifies which service type was installed on the system.

| Service Type | System Name of Service Type | Description |
| --- | --- | --- |
| 0x4 | SERVICE_ADAPTER | Reserved |
| 0x2 | SERVICE_FILE_SYSTEM_DRIVER | File system driver service |
| 0x1 | SERVICE_KERNEL_DRIVER | Driver service |
| 0x8 | SERVICE_RECOGNIZER_DRIVER | Reserved |
| 0x10 | SERVICE_WIN32_OWN_PROCESS | Service that runs in its own process |
| 0x20 | SERVICE_WIN32_SHARE_PROCESS | Service that shares a process with one or more other services |
| 0x110 | SERVICE_INTERACTIVE_PROCESS + SERVICE_WIN32_OWN_PROCESS | Same as 0x10 but allowed to interact with desktop |
| 0x120 | SERVICE_INTERACTIVE_PROCESS + SERVICE_WIN32_SHARE_PROCESS | Same as 0x20 but allowed to interact with desktop |

The Service Start Type value defines whether the service starts automatically when the computer starts and during which phase of system startup the service starts.

| Start Type | System Name of Start Type | Description |
| --- | --- | --- |
| 2 | SERVICE_AUTO_START | A service started automatically by the service control manager during system startup |
| 0 | SERVICE_BOOT_START | A device driver started by the system loader. This value is valid only for driver services |
| 3 | SERVICE_DEMAND_START | Manual startup |
| 4 | SERVICE_DISABLED | Disabled service |
| 1 | SERVICE_SYSTEM_START | A device driver started by the IoInitSystem function. This value is valid only for driver services |

The Service Account field indicates under which account the service runs.
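Put together, the fields of 4697 can be decoded in one pass. The following is an added example, not code from the book: it reads 4697 events, decodes the Service Type bits and Start Type using the values in the tables above, looks up the display name with Get-Service instead of sc query, and adds an OutsideWindowsDir column that is an analyst heuristic of my own, not something the chapter states.

```powershell
# Added example (not from the book). Decodes Security event 4697 into the
# fields the chapter describes: who installed the service, its internal and
# display names, binary path, Service Type bits, Start Type and run-as account.
$serviceTypeBits = @{
    0x1   = 'SERVICE_KERNEL_DRIVER';     0x2  = 'SERVICE_FILE_SYSTEM_DRIVER'
    0x4   = 'SERVICE_ADAPTER';           0x8  = 'SERVICE_RECOGNIZER_DRIVER'
    0x10  = 'SERVICE_WIN32_OWN_PROCESS'; 0x20 = 'SERVICE_WIN32_SHARE_PROCESS'
    0x100 = 'SERVICE_INTERACTIVE_PROCESS'   # the extra bit that makes 0x110 and 0x120
}
$startTypeNames = @{
    0 = 'SERVICE_BOOT_START'; 1 = 'SERVICE_SYSTEM_START'; 2 = 'SERVICE_AUTO_START'
    3 = 'SERVICE_DEMAND_START'; 4 = 'SERVICE_DISABLED'
}

function ConvertFrom-ServiceType {
    param([int]$Value)   # 4697 logs this as a hex string such as 0x110; [int] parses it
    $names = @(foreach ($bit in $serviceTypeBits.Keys) {
        if ($Value -band $bit) { $serviceTypeBits[$bit] }
    })
    if ($names.Count -eq 0) { return ('unknown (0x{0:X})' -f $Value) }
    ($names | Sort-Object) -join ' + '
}

function Get-NewServiceInstall {
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = 'Security'; Id = 4697 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Cross-reference internal name to display name (the chapter suggests sc query);
        # the service may already have been removed again, so tolerate a miss.
        $svc = Get-Service -Name $d.ServiceName -ErrorAction SilentlyContinue
        $display = if ($svc) { $svc.DisplayName } else { '(no longer installed)' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            InstalledBy = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            ServiceName = $d.ServiceName
            DisplayName = $display
            FileName    = $d.ServiceFileName
            ServiceType = ConvertFrom-ServiceType ([int]$d.ServiceType)
            StartType   = $startTypeNames[[int]$d.ServiceStartType]
            RunsAs      = $d.ServiceAccount
            # Heuristic (mine, not the book's): a binary outside the Windows directory
            # warrants a closer look than a built-in component does
            OutsideWindowsDir = $d.ServiceFileName -notmatch '^"?(%SystemRoot%|\\SystemRoot|[A-Z]:\\Windows|System32)\\'
        }
    }
}

Get-NewServiceInstall -MaxEvents 50 | Format-Table -AutoSize
```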

Although this event records only new services, you can use the Object Access category to audit activity on existing services, such as starts, stops, and modifications. To enable auditing on a service, you can use a Security Template or the SubInACL tool. (You can download SubInACL from Microsoft.)

Security Integrity Events

The Security Integrity Events subcategory logs at least three events that can affect the overall integrity of the system.

| Event ID | Title |
| --- | --- |
| 5038 | Code integrity determined that the image hash of a file is not valid. |
| 5056 | A cryptographic self test was performed. |
| 5061 | Cryptographic operation. |

Event ID 5038 lists the path and file name of the image in question. A hash mismatch can mean either that the file was tampered with intentionally or that an input/output error occurred on the system.

Event IDs 5056 and 5061 appear to be part of normal system operation; auditing them may be needed for compliance purposes.

IPsec Driver Events

The IPsec Driver Events subcategory tracks activity that relates to the operation of the IPsec Services system service. If IPsec Services fail to start, or are shut down, the security risk increases, so it’s a good idea to track these events. For events that relate to IPsec network traffic, see the IPsec subcategories (discussed in Chapter 5).

| Event ID | Title |
| --- | --- |
| 5478 | IPsec Services has started successfully |
| 5479 | IPsec Services has been shut down successfully |
| 5480 | IPsec Services failed to get the complete list of network interfaces on the computer |
| 5483 | IPsec Services failed to initialize RPC server. IPsec Services could not be started |
| 5484 | IPsec Services has experienced a critical failure and has been shut down |
| 5485 | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces |

Other System Events

The events in the Other System Events subcategory are a hodgepodge dominated by Windows Firewall system service activity, which would seem to belong elsewhere. As with all subcategories, you must use Auditpol to enable or disable these events.

| Event ID | Title |
| --- | --- |
| 4615 | Invalid use of LPC port |
| 5024 | The Windows Firewall Service has started successfully |
| 5025 | The Windows Firewall Service has been stopped |
| 5027 | The Windows Firewall Service was unable to retrieve the security policy from the local storage |
| 5028 | The Windows Firewall Service was unable to parse the new security policy |
| 5029 | The Windows Firewall Service failed to initialize the driver |
| 5030 | The Windows Firewall Service failed to start |
| 5032 | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network |
| 5033 | The Windows Firewall Driver has started successfully |
| 5034 | The Windows Firewall Driver has been stopped |
| 5035 | The Windows Firewall Driver failed to start |
| 5037 | The Windows Firewall Driver detected critical runtime error. Terminating. |
| 5058 | Key file operation |
| 5059 | Key migration operation |

Bottom Line

It’s worth enabling the System category so that you have an audit trail of system restarts, new services, and the failure of some critical operations. Enabling the Audit system events policy does not create an undue amount of noise.
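The chapter names Auditpol as the tool for these subcategories; the following is an added example, not from the book, that enables success and failure auditing for all five System subcategories from an elevated prompt and then verifies the result. Note that Auditpol's own names for two of them differ from the chapter's headings (System Integrity, IPsec Driver).

```powershell
# Added example (not from the book): enable the whole System category one
# subcategory at a time, then read the effective settings back. Run elevated.
$subcategories = @(
    'Security State Change',      # 4608, 4609, 4616
    'Security System Extension',  # 4610, 4611, 4614, 4622, 4697
    'System Integrity',           # 5038, 5056, 5061 (chapter: Security Integrity Events)
    'IPsec Driver',               # 5478-5485 (chapter: IPsec Driver Events)
    'Other System Events'         # 4615, 5024-5037, 5058, 5059
)

foreach ($s in $subcategories) {
    auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$s' (not elevated?)" }
}

# Verify: /r emits CSV; every row should show 'Success and Failure'
$effective = auditpol /get /category:"System" /r | ConvertFrom-Csv |
    Select-Object Subcategory, 'Inclusion Setting'
$effective | Format-Table -AutoSize

$notFullyEnabled = $effective | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
if ($notFullyEnabled) { Write-Warning "Still not fully audited: $($notFullyEnabled.Subcategory -join ', ')" }
```

If a domain GPO defines advanced audit policy, it overrides these local settings at the next policy refresh, so the same check is worth repeating after a gpupdate.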
