flat assembler
Message board for the users of flat assembler.

Thread: need help to read Win XP event viewer log from DOS/LIVECD
sleepsleep
Joined: 05 Oct 2006
Posts: 8975
ok,
I need to read this event viewer log, its boot-up and log-off times, to determine a liar.... are there any tools for me to do a little bit of forensics to clear my name.... now I can only read its hard disk, the laptop is malfunctioning already.

Does anyone know exactly the file where Windows XP stores its event viewer log? I just need to dump it out, print it and clear my name.....

sigh.... someone (the bastard) is lying out there framing me.... shit.
Post 02 Mar 2011, 16:07
asmhack
Joined: 01 Feb 2008
Posts: 431
Quote:
%SystemRoot%\System32\Winevt\Logs\Application.evtx

Look inside that log for the two Winlogon events.
Good Luck.
Post 02 Mar 2011, 16:56
revolution
Joined: 24 Aug 2004
Posts: 17349
For WinXP the log folder is:

%SystemRoot%\system32\config
Post 02 Mar 2011, 20:11
sleepsleep
Joined: 05 Oct 2006
Posts: 8975
ok, I saw the file I need (I guess)....
SysEvent.Evt

Are there any tools for me to parse it out as a printable text file?
I need those events that list Windows boot-up and shutdown... (time)

6005 The Event log service was started.
and
6009 Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Multiprocessor Free.
6009 The Event log service was stopped.

dumpel doesn't seem to be the correct tool.... anyone? :(
http://support.microsoft.com/kb/129266
Post 02 Mar 2011, 22:09
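As an added example (not code from the thread, from any poster, or from Microsoft's tools): a small Python parser for the classic NT/2000/XP .Evt format that does exactly what is asked above, reading a SysEvent.Evt copied off the evidence disk and listing the Event Log service start/stop records with their timestamps. It assumes the documented on-disk EVENTLOGRECORD layout (48-byte file header, then records that begin with a length and the "LfLe" signature and end with a copy of the length). The filter also includes 6006, which is the ID the System log uses for "The Event log service was stopped". The image parsed at the bottom is constructed inside the script and is not a real log.

```python
"""Minimal offline parser for classic Windows NT/2000/XP .Evt logs.

Added example for this thread, not code from any poster or from
Microsoft. It walks the EVENTLOGRECORD structures of a SysEvent.Evt
image and reports the Event Log service start/stop records
(IDs 6005, 6006, 6009) with their timestamps. The image parsed by
build_sample_evt() is constructed here, not a real SysEvent.Evt.
"""
import struct
from datetime import datetime, timezone

HEADER_SIZE = 0x30                              # ELF_LOGFILE_HEADER size
RECORD_SIG = int.from_bytes(b"LfLe", "little")  # DWORD at offset 4 of every record
START_STOP_IDS = {6005, 6006, 6009}             # EventLog service start/stop

# EVENTLOGRECORD fixed part (little-endian): Length, Reserved("LfLe"),
# RecordNumber, TimeGenerated, TimeWritten, EventID, EventType, NumStrings,
# EventCategory, ReservedFlags, ClosingRecordNumber, StringOffset,
# UserSidLength, UserSidOffset, DataLength, DataOffset
RECORD_FMT = "<IIIIIIHHHHIIIIII"
RECORD_FIXED = struct.calcsize(RECORD_FMT)      # 56 bytes


def _utf16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, next_pos)."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le", "replace"), end + 2


def parse_evt(data):
    """Return the records of an .Evt image as dicts, in file order.

    Records are read linearly from the header until the first block that
    is not a record (the 0x11111111... EOF record, a wrap point, or
    truncation); that is enough for a log that has not wrapped around.
    """
    records, pos = [], HEADER_SIZE
    while pos + RECORD_FIXED <= len(data):
        f = struct.unpack_from(RECORD_FMT, data, pos)
        length, sig, rec_no, t_gen, _t_wr, event_id, _ev_type, n_str = f[:8]
        str_off = f[11]
        if sig != RECORD_SIG or length < RECORD_FIXED + 4 or pos + length > len(data):
            break
        source, p = _utf16z(data, pos + RECORD_FIXED)   # SourceName follows fixed part
        computer, _ = _utf16z(data, p)                  # then Computername
        strings, p = [], pos + str_off
        for _ in range(n_str):
            s, p = _utf16z(data, p)
            strings.append(s)
        records.append({
            "record": rec_no,
            "event_id": event_id & 0xFFFF,   # Event Viewer shows the low 16 bits
            "time": datetime.fromtimestamp(t_gen, timezone.utc),  # stored as UTC seconds
            "source": source,
            "computer": computer,
            "strings": strings,
        })
        pos += length
    return records


def boot_shutdown_events(data):
    """(time, event_id, source) for every Event Log service start/stop record."""
    return [(r["time"].strftime("%Y-%m-%d %H:%M:%S UTC"), r["event_id"], r["source"])
            for r in parse_evt(data) if r["event_id"] in START_STOP_IDS]


# ---- constructed sample image (not a real SysEvent.Evt) -------------------
def _record(rec_no, event_id, t_gen, source, computer, strings=()):
    body = (source + "\x00" + computer + "\x00").encode("utf-16-le")
    body += b"\x00" * (-(RECORD_FIXED + len(body)) % 4)      # DWORD-align strings
    str_off = RECORD_FIXED + len(body)
    body += b"".join((s + "\x00").encode("utf-16-le") for s in strings)
    body += b"\x00" * (-(RECORD_FIXED + len(body)) % 4)
    length = RECORD_FIXED + len(body) + 4                   # + trailing Length copy
    fixed = struct.pack(RECORD_FMT, length, RECORD_SIG, rec_no, t_gen, t_gen,
                        event_id, 4, len(strings), 0, 0, 0, str_off, 0, str_off,
                        0, RECORD_FIXED + len(body))
    return fixed + body + struct.pack("<I", length)


def build_sample_evt():
    t0 = 1298880000  # 2011-02-28 08:00:00 UTC, constructed value
    recs = [
        _record(1, 6009, t0, "EventLog", "LAPTOP",
                ["5.01.", "2600", "Service Pack 3", "Multiprocessor Free"]),
        _record(2, 6005, t0 + 1, "EventLog", "LAPTOP"),
        _record(3, 7036, t0 + 90, "Service Control Manager", "LAPTOP",
                ["Workstation", "running"]),
        _record(4, 6006, t0 + 3600, "EventLog", "LAPTOP"),
    ]
    body = b"".join(recs)
    end = HEADER_SIZE + len(body)
    header = struct.pack("<12I", HEADER_SIZE, RECORD_SIG, 1, 1, HEADER_SIZE, end,
                         5, 1, 0x80000, 0, 0, HEADER_SIZE)
    eof = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333,
                      0x44444444, HEADER_SIZE, end, 5, 1, 0x28)
    return header + body + eof


if __name__ == "__main__":
    for when, eid, src in boot_shutdown_events(build_sample_evt()):
        print(when, eid, src)
```

To use it on the real file, read SysEvent.Evt from the mounted evidence disk into `data` and pass it to `boot_shutdown_events`. Two things matter when the output is used to argue about times: TimeGenerated is UTC, so convert to the laptop's local zone before comparing with anyone's claims, and the .Evt file is circular, so a log that has wrapped needs the header's StartOffset/EndOffset honoured rather than the linear walk used here. Work from the copy on the offline disk (as the thread does) so nothing is written back to the evidence.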
asmhack
Joined: 01 Feb 2008
Posts: 431
How about opening the saved log with the event viewer on another machine?
Or look for Microsoft's Log Parser 2.2.
Post 02 Mar 2011, 22:25
sleepsleep
Joined: 05 Oct 2006
Posts: 8975
thanks asmhack :)

I guess I found something nice here.

http://books.google.com.my/books?id=JAWR_T6qiRoC&pg=PA298&lpg=PA298&dq=dump+SysEvent.Evt&source=bl&ots=FNQy0AMcK3&sig=zOabW3w4cFYVKJCSzQv5_FxfHKE&hl=en&ei=nHpuTdLvII6yrAfIwdyBDw&sa=X&oi=book_result&ct=result&resnum=4&ved=0CC4Q6AEwAw#v=onepage&q=dump%20SysEvent.Evt&f=false

Offline viewing of the event log.

The 2nd step: use User Manager to change the forensic workstation's audit policy to log nothing at all; this will prevent the forensic workstation from writing to the security evidence log.

~ finding a way to disable the audit log policy now...
Post 02 Mar 2011, 22:46
Copyright © 1999-2020, Tomasz Grysztar.