Windows Event IDs and Others for Situational Awareness
Below is a living list of Windows event IDs and other miscellaenous snippets, that may be useful for situational awareness, once you are on a box:
Activity | Powershell to read event logs for the |
Lock/screensaver | ​ |
Workstation was locked | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4800' } |
Workstation was unlocked | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4801' } |
Screensaved invoked | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4802' } |
Screensaver dismissed | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4803' } |
​ | ​ |
System ON/OFF | ​ |
Windows is starting up | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4608' } |
System uptime | Get-WinEvent -FilterHashtable @{ LogName='system'; Id='6013' } |
Windows is shutting down | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4609' } |
System has been shut down | Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1074' } |
​ | ​ |
System sleep/awake | ​ |
System entering sleep mode | Get-WinEvent -FilterHashtable @{ LogName='system'; Id=42 } |
System returning from sleep | Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1'; ProviderName = "Microsoft-Windows-Power-Troubleshooter" } |
​ | ​ |
Logons | ​ |
Successful logons | Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624' } |
Logons with explicit credentials | Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4648' } |
Account logoffs | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4634' } |
​ | ​ |
Access | ​ |
Outbound RDP | Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } | select timecreated, message | ft -AutoSize -Wrap |
Inbound RDP | Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; id='21' } | select timecreated, message | ft -AutoSize -Wrap ​ Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; id=131 } | select timecreated, message | ft -AutoSize -Wrap
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; id='1149' } | ft -AutoSize -Wrap |
Outbound WinRM | Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=6 } ​ Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=80 } |
Inbound WinRM | Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=91 } ​ Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; id=5857 } | ? {$_.message -match 'Win32_WIN32_TERMINALSERVICE_Prov|CIMWin32'} |
​ | ​ |
Activity | ​ |
Attempt to install a service | Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4697' } |
Scheduled task created | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4698' } |
Scheduled task updated | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4702' } |
Sysinternals usage? | Get-ItemProperty 'HKCU:\SOFTWARE\Sysinternals\*' | select PSChildName, EulaAccepted |
​ | ​ |
Security | ​ |
LSASS started as a protected process | Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' } |
