Windows 7 Security Log Filtering

Hello all,

I am hoping to get some help with the Security Filtering. I have a need to monitor when a user launches a specific program so that I can record times that it is launched and closed. The only way that it seems to be able to do this is via a custom XML query. If anyone could provide the strings I need to accomplish the task of filtering the starting and stopping of the programs, I would be greatly appreciative.

Below are the 3 starts and stops of the programs in question.

<Event xmlns="removed">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="removed" />
    <EventID>4688</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2010-10-06T16:20:59.634016600Z" />
    <EventRecordID>7350</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="44" />
    <Channel>Security</Channel>
    <Computer>removed.removed.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">removed</Data>
    <Data Name="SubjectUserName">removed</Data>
    <Data Name="SubjectDomainName">removed</Data>
    <Data Name="SubjectLogonId">0x4d949</Data>
    <Data Name="NewProcessId">0x101c</Data>
    <Data Name="NewProcessName">C:\Program Files (x86)\StarCraft II\StarCraft II.exe</Data>
    <Data Name="TokenElevationType">%%1936</Data>
    <Data Name="ProcessId">0xa70</Data>
  </EventData>
</Event>

<Event xmlns="removed">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="removed" />
    <EventID>4688</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2010-10-06T16:21:01.806503800Z" />
    <EventRecordID>7351</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="60" />
    <Channel>Security</Channel>
    <Computer>removed.removed.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">removed</Data>
    <Data Name="SubjectUserName">removed</Data>
    <Data Name="SubjectDomainName">removed</Data>
    <Data Name="SubjectLogonId">0x4d949</Data>
    <Data Name="NewProcessId">0x105c</Data>
    <Data Name="NewProcessName">C:\Program Files (x86)\StarCraft II\Support\SC2Switcher.exe</Data>
    <Data Name="TokenElevationType">%%1936</Data>
    <Data Name="ProcessId">0x101c</Data>
  </EventData>
</Event>

<Event xmlns="removed">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="removed" />
    <EventID>4688</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2010-10-06T16:21:01.829766000Z" />
    <EventRecordID>7352</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="60" />
    <Channel>Security</Channel>
    <Computer>removed.removed.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">removed</Data>
    <Data Name="SubjectUserName">removed</Data>
    <Data Name="SubjectDomainName">removed</Data>
    <Data Name="SubjectLogonId">0x4d949</Data>
    <Data Name="NewProcessId">0x1064</Data>
    <Data Name="NewProcessName">C:\Program Files (x86)\StarCraft II\Versions\Base16605\SC2.exe</Data>
    <Data Name="TokenElevationType">%%1936</Data>
    <Data Name="ProcessId">0x105c</Data>
  </EventData>
</Event>

Below is the termination of each process.

<Event xmlns="removed">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="removed" />
    <EventID>4689</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13313</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2010-10-06T16:21:01.869210600Z" />
    <EventRecordID>7353</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="44" />
    <Channel>Security</Channel>
    <Computer>removed.removed.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">removed</Data>
    <Data Name="SubjectUserName">removed</Data>
    <Data Name="SubjectDomainName">removed</Data>
    <Data Name="SubjectLogonId">0x4d949</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="ProcessId">0x101c</Data>
    <Data Name="ProcessName">C:\Program Files (x86)\StarCraft II\StarCraft II.exe</Data>
  </EventData>
</Event>

<Event xmlns="removed">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="removed" />
    <EventID>4689</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13313</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2010-10-06T16:21:04.058891600Z" />
    <EventRecordID>7356</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="60" />
    <Channel>Security</Channel>
    <Computer>removed.removed.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1186295277-1063208485-317593308-8169</Data>
    <Data Name="SubjectUserName">removed</Data>
    <Data Name="SubjectDomainName">removed</Data>
    <Data Name="SubjectLogonId">0x4d949</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="ProcessId">0x105c</Data>
    <Data Name="ProcessName">C:\Program Files (x86)\StarCraft II\Support\SC2Switcher.exe</Data>
  </EventData>
</Event>

<Event xmlns="removed">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="removed" />
    <EventID>4689</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13313</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2010-10-06T17:23:18.058382900Z" />
    <EventRecordID>7419</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="68" />
    <Channel>Security</Channel>
    <Computer>removed.removed.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">removed</Data>
    <Data Name="SubjectUserName">removed</Data>
    <Data Name="SubjectDomainName">removed</Data>
    <Data Name="SubjectLogonId">0x4d949</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="ProcessId">0x1064</Data>
    <Data Name="ProcessName">C:\Program Files (x86)\StarCraft II\Versions\Base16605\SC2.exe</Data>
  </EventData>
</Event>
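As an added example (my own code, not the original poster's), here is one way to do both halves of the ask: it builds the custom XML query string that matches the 4688 start and 4689 stop events for the three paths posted above (the same text can be pasted into Event Viewer > Create Custom View > XML), runs it through Get-WinEvent (PowerShell 2.0, which ships with Windows 7), and pairs each start with its stop by process ID to get launch and close times. Get-EventDataField is a helper name I made up; the three paths are taken from the events above.

```powershell
$ProcessPaths = @(
    'C:\Program Files (x86)\StarCraft II\StarCraft II.exe',
    'C:\Program Files (x86)\StarCraft II\Support\SC2Switcher.exe',
    'C:\Program Files (x86)\StarCraft II\Versions\Base16605\SC2.exe'
)
# One <Select> per event ID and path: 4688 carries the path in NewProcessName, 4689 in ProcessName.
$selects = foreach ($p in $ProcessPaths) {
    "    <Select Path=`"Security`">*[System[(EventID=4688)] and EventData[Data[@Name='NewProcessName']='$p']]</Select>"
    "    <Select Path=`"Security`">*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName']='$p']]</Select>"
}
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
$($selects -join "`n")
  </Query>
</QueryList>
"@
# Read a named <Data> value from the record's XML; Properties[] positions differ between 4688 and 4689.
function Get-EventDataField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.GetAttribute('Name') -eq $Name) { return $d.InnerText }
    }
}
# Get-WinEvent returns newest first; sort ascending so each start precedes its stop.
$events = Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue | Sort-Object TimeCreated
$open = @{}   # PID -> its 4688 record until the matching 4689 arrives
$sessions = foreach ($e in $events) {
    if ($e.Id -eq 4688) {
        $procId = [Convert]::ToInt32((Get-EventDataField $e 'NewProcessId'), 16)
        $open[$procId] = $e     # PIDs are reused, so keep only the latest start
    } elseif ($e.Id -eq 4689) {
        $procId = [Convert]::ToInt32((Get-EventDataField $e 'ProcessId'), 16)
        if ($open.ContainsKey($procId)) {
            $start = $open[$procId]; $open.Remove($procId)
            New-Object PSObject -Property @{
                Process  = Get-EventDataField $e 'ProcessName'
                User     = Get-EventDataField $e 'SubjectUserName'
                Started  = $start.TimeCreated
                Stopped  = $e.TimeCreated
                Duration = $e.TimeCreated - $start.TimeCreated
            }
        }
    }
}
$sessions | Format-Table Process, User, Started, Stopped, Duration -AutoSize
if ($open.Count) { "Still running (no 4689 yet): PIDs $($open.Keys -join ', ')" }
```

The query only returns anything while Audit Process Creation and Audit Process Termination are both enabled, as they evidently are on the machine that produced the events above.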