One of my clients' friends suffered a hack-attack this morning due to an insecure Remote Desktop configuration and I was asked to take a look. (All of their business files were encrypted by the 2018-Q1 strain of the Dharma ransomware).
Fortunately the Windows Event Logs were not tampered with, and after looking at each log individually (Application, Security, System, etc.) I was able to piece together a timeline of the attack, indicating when and how the attacker connected to the machine and installed their malware; I saw Windows Services being stopped or crashing, and then they disconnected.
In Windows XP and earlier there were only the Application, System and Security logs to go through, but since Windows Vista there are application-specific logs located under the "Applications and Services Logs" tree-view node, and with each new Windows release there are more and more new logs to examine - unfortunately you have to go through them manually: there doesn't seem to be any kind of way of selecting data from all of those logs and then applying a date/time range filter or doing a textual search.
...or is there?
(I know you can create a custom log view in Event Viewer, but it isn't easy to add another log to the search and it's very slow; in fact the entire Event Viewer UI has been painfully slow, laggy and awkward since its redesign in Windows Vista.) It even advises you against creating a view that references more than 10 logs:
The filter or custom view you are creating references more than 10 event logs. The result might perform poorly and consume a large amount of memory or processor time. Do you want to continue?
In fact, when I created a view just now that referenced every log on my computer it caused Event Viewer to lock up and freeze and then eventually display zero items, so I guess that's just completely broken.
Is there a PowerShell command I could run to dump all events from all logs between two given timestamps?
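One way to do what the question asks, as an added example that is not part of the original question or any of the answers: the script below enumerates every event log on the host, queries each one separately for the requested time window, and merges the results into one sorted CSV timeline that can be searched with normal PowerShell filters. Querying each log on its own also sidesteps the limit on how many log names a single query may reference, which one of the answers mentions. The parameter names, default window and output path are assumptions chosen for this example; it uses only the standard `Get-WinEvent` and `Export-Csv` cmdlets.

```powershell
# Dump every event from every Windows event log between two timestamps
# and merge them into a single sorted timeline.
# Assumptions (example, not from the original post): run in an elevated
# Windows PowerShell 5.1+ session on the affected host; timestamps are local.
param(
    [datetime]$Start = (Get-Date).AddHours(-6),                 # constructed default window
    [datetime]$End   = (Get-Date),
    [string]$OutCsv  = "$env:USERPROFILE\Desktop\timeline.csv"  # assumed output path
)

# Enumerate all logs that actually contain records. Querying each log
# separately avoids the per-query limit on the number of log names.
$logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Select-Object -ExpandProperty LogName

$events = foreach ($log in $logs) {
    # -FilterHashtable is evaluated by the event log service, so it is far
    # faster than fetching everything and filtering with Where-Object.
    # Logs with no events in the window raise an error; suppress it.
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Start; EndTime = $End } `
        -ErrorAction SilentlyContinue
}

# Flatten to a searchable timeline; collapse whitespace so each message is one line.
$timeline = $events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ') } }

$timeline | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
"$($timeline.Count) events from $($logs.Count) logs written to $OutCsv"

# Ad-hoc text search across the merged timeline, e.g. for remote logon activity:
# $timeline | Where-Object { $_.Message -match 'RemoteInteractive|Logon Type:\s+10' }
```

Run it as `.\Dump-Timeline.ps1 -Start '2018-03-01 02:00' -End '2018-03-01 06:00'` (script name assumed) and then filter the CSV or the `$timeline` variable by log, provider, event ID or message text. When working from a forensic copy rather than the live machine, `Get-WinEvent -Path <file>.evtx` with the same `-FilterHashtable` keys reads exported log files instead.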
You can use log2timeline to export and parse the logs of your Windows environment. With that, you will be able to search and edit some timelines of interesting events.
At this link you will find other tools to work on your log files.
There's a 256 logname limit in the Windows API. Either select 256 logs at a time, or do something like this in PowerShell as admin: