offensive security
Windows Event IDs and Others for Situational Awareness
Below is a living list of Windows event IDs and other miscellaenous snippets, that may be useful for situational awareness, once you are on a box:
Activity
Powershell to read event logs for the
Lock/screensaver
​
Workstation was locked
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4800' }
Workstation was unlocked
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4801' }
Screensaved invoked
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4802' }
Screensaver dismissed
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4803' }
​
​
System ON/OFF
​
Windows is starting up
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4608' }
System uptime
Get-WinEvent -FilterHashtable @{ LogName='system'; Id='6013' }
Windows is shutting down
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4609' }
System has been shut down
Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1074' }
​
​
System sleep/awake
​
System entering sleep mode
Get-WinEvent -FilterHashtable @{ LogName='system'; Id=42 }
System returning from sleep
Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1'; ProviderName = "Microsoft-Windows-Power-Troubleshooter" }
​
​
Logons
​
Successful logons
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624' }
Logons with explicit credentials
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4648' }
Copy link