Hello everyone,
I'm undergoing an analysis involving a couple of Windows systems (7 and 2008 Server).
While looking at the event logs I've noticed, though, that login events are recorded only from a certain date onwards.
I need to figure out if this may be because the audit policy for logins has been enabled on the systems only on a certain date, while earlier it was disabled.
By looking in various knowledge bases I couldn't find anything specific.
Do you know if there is any log entry or registry artifact or anything that can allow me to figure out when a specific auditing policy has been enabled/disabled on a Windows system?
Thanks very much for the help.
The audit policy is recorded in the Security Registry hive. There are a couple of ways you can go about getting the information.
Windows 7 ships with auditpol.exe; virtualize a copy of the image that you've got, boot it, log in and run:
auditpol /get /category:*
RegRipper has an auditpol.pl plugin you can use, although I haven't touched it in about 3 years; there's been no need or request. At the very least, you can use that plugin to get the key LastWrite time to determine when the policy itself was last modified.
In my experience, the issue you're facing is most likely due to the fact that the Security Event Log fills up much more quickly than other logs. I've seen System and other Event Logs that would go back for months, and Security Event Logs that contain only a day (or two, at most) worth of records.
HTH
Hello, thank you for your quick and kind reply.
The funny thing about the SECURITY registry hive is that apparently the audit is disabled:
auditpol
Policy\PolAdtEv
LastWrite Time Tue Jul 14 04:45:41 2009 (UTC)
Length of data 138 bytes.
0x00000000 00 01 00 00 09 00 00 00 78 00 00 00 01 00 00 00 ........x.......
0x00000010 03 00 00 00 03 00 01 00 01 00 01 00 00 00 01 00 ................
0x00000020 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00 ................
0x00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 ................
0x00000050 01 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 ................
0x00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000070 00 00 00 00 00 00 00 00 05 00 09 00 0c 00 03 00 ................
0x00000080 04 00 06 00 06 00 04 00 04 00 ..........
**Auditing is NOT enabled.
And apparently it has never been.
Yet in the security.evtx log file I find lots of event ID 4624, which are related to successful logins.
Maybe it's because the machine is joined to an Active Directory domain and the audit policy information is enforced by the domain?
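An added example, not code from the thread or from RegRipper: the Vista/Windows 7 PolAdtEv value is not the single-byte "enabled" flag of the pre-Vista format, so a parser that only looks at byte 0 (which is 0x00 in the dump above) reports "NOT enabled" even when per-subcategory auditing is on. The layout assumed here (category count at offset 4, offset of a per-category subcategory-count table at offset 8, then one little-endian WORD per subcategory starting at offset 12, bit 0 = success, bit 1 = failure) and the category and Logon/Logoff subcategory names and ordering are my assumptions; the hex data is the dump quoted in the thread. Run against that data it shows the Logon subcategory set to Success, which is consistent with the 4624 events in security.evtx.

```python
"""Decode a Windows 7 style Policy\\PolAdtEv blob (SECURITY hive) per subcategory."""
import struct

# Data column copied from the RegRipper dump quoted in the thread (138 bytes).
POLADTEV_HEX = """
00 01 00 00 09 00 00 00 78 00 00 00 01 00 00 00
03 00 00 00 03 00 01 00 01 00 01 00 00 00 01 00
00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00
01 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 05 00 09 00 0c 00 03 00
04 00 06 00 06 00 04 00 04 00
"""

# Assumed category order (matches the order auditpol lists them in).
CATEGORIES = ["System", "Logon/Logoff", "Object Access", "Privilege Use",
              "Detailed Tracking", "Policy Change", "Account Management",
              "DS Access", "Account Logon"]

# Assumed subcategory order inside Logon/Logoff; other categories are left indexed.
LOGON_SUBCATS = ["Logon", "Logoff", "Account Lockout", "IPsec Main Mode",
                 "Special Logon", "IPsec Quick Mode", "IPsec Extended Mode",
                 "Other Logon/Logoff Events", "Network Policy Server"]

SETTING_NAMES = {0: "No Auditing", 1: "Success", 2: "Failure",
                 3: "Success and Failure"}


def hexdump_to_bytes(text: str) -> bytes:
    """Turn the whitespace-separated hex column of a dump into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def legacy_first_byte_verdict(data: bytes) -> str:
    """What a parser that only inspects byte 0 (the pre-Vista flag) would say.
    Assumption: this mirrors the logic that produced '**Auditing is NOT enabled.'"""
    return "enabled" if data[0] else "NOT enabled"


def parse_poladtev(data: bytes) -> dict:
    """Return {category: [setting, ...]} using the assumed Vista+ layout."""
    ncat = struct.unpack_from("<I", data, 4)[0]
    table_off = struct.unpack_from("<I", data, 8)[0]
    counts = struct.unpack_from(f"<{ncat}H", data, table_off)
    pos = 12  # first subcategory WORD follows the 12-byte header
    policy = {}
    for i, count in enumerate(counts):
        words = struct.unpack_from(f"<{count}H", data, pos)
        pos += 2 * count
        name = CATEGORIES[i] if i < len(CATEGORIES) else f"category{i}"
        policy[name] = [SETTING_NAMES.get(w & 3, f"unknown({w})") for w in words]
    if pos > table_off:
        raise ValueError("subcategory settings overlap the count table")
    return policy


def logon_subcategory(policy: dict, subcat: str) -> str:
    """Look up one Logon/Logoff subcategory by its assumed name."""
    return policy["Logon/Logoff"][LOGON_SUBCATS.index(subcat)]


def audited_subcategories(policy: dict) -> int:
    """Count subcategories with any auditing (success or failure) enabled."""
    return sum(s != "No Auditing" for vals in policy.values() for s in vals)


if __name__ == "__main__":
    blob = hexdump_to_bytes(POLADTEV_HEX)
    print("byte-0 verdict:", legacy_first_byte_verdict(blob))
    pol = parse_poladtev(blob)
    for cat, vals in pol.items():
        print(f"{cat}: {vals}")
    print("Logon:", logon_subcategory(pol, "Logon"))
```

Only the LastWrite time of the PolAdtEv key dates the policy; the blob itself says what is audited now, not since when. A disagreement between a "NOT enabled" summary and a hive holding 4624 events is the cue to check the parser's format assumptions before trusting either.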
Can you verify that via the first method I mentioned? As I stated, the auditpol.pl plugin hasn't been addressed in quite a long time and may be incorrect in how the data is parsed.
Will look into that when I get back to the office.
Thanks :)
Sorry for my late reply,
I've verified the audit policies with the command you suggested.
It turns out login/logout audit policies are enabled, but I can't figure out since when.
Likely since 14 Jul 2009.