Event Viewer Custom Views

Custom Views for Microsoft Windows Event Viewer

Table of Content

• Background
• How to Use
• Custom Views
  • Account Authentication
  • Administrator Logon (Failed)
  • Administrator Logon (Successful)
  • Legacy Kerberos Ticket Encryption Types
  • Logon (Failed)
  • Logon (Successful)
  • NTLMv1 Authentications
  • Security Group Membership
  • Security Group Membership
  • Security Group Membership
  • Service Creation
  • Service Creation Error
  • User Creation

Background

I often find myself using the Microsoft Event Viewer when gathering information related to hardening tasks in Windows Environments, troubleshooting or gathering data when doing forensic work. There's many ressources online for ie. XML filters when filtering in the EventLogs, these are often used together with the Custom Views in the Event Viewer. So I started gathering these filters, and created these templates, so I quickly can download the XML-file and use the builtin Import Custom View... feature inside the Microsoft Event Viewer.

How to Use

Find the Custom View in the list, download it to the computer, or copy the content to Notepad and save the file as an .xml, then open Event Viewer, right click on the Custom Views in the top left pane, and select Import Custom View...

Can also be used with the EventFromCustomView PowerShell Module

Custom Views

Account Authentication

• Successful and Failed Account Authentication
  
  • XMLFile: 00D111.xml

Administrator Logon (Failed)

• Failed Administrator Account Logons
  
  • XMLFile: 01D97C.xml

Administrator Logon (Successful)

• Successful Administrator Account Logons
  
  • XMLFile: 42F217.xml

Legacy Kerberos Ticket Encryption Types

• Legacy Kerberos Ticket Encryption Types: DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC, RC4-HMAC-EXP
  
  • XMLFile: 049517.xml

Logon (Failed)

• Failed Account Logons
  
  • XMLFile: F222E4.xml

Logon (Successful)

• Successful Account Logons
  
  • XMLFile: 380759.xml

NTLMv1 Authentications

• NTLMv1 (Windows New Technology LAN Manager) Authentications
  
  • XMLFile: 0226D5.xml

Security Group Membership

• Member added to Security Group (Local Group)
  
  • XMLFile: 86F11C.xml

Security Group Membership

• Member added to Security Group (Universal Group)
  
  • XMLFile: BA131A.xml

Security Group Membership

• Member added to Security Group (Global Group)
  
  • XMLFile: C86A1B.xml

Service Creation

• Service Creation
  
  • XMLFile: A82979.xml

Service Creation Error

• Service Creation Errors
  
  • XMLFile: A57B21.xml

User Creation

• User Creation
  
  • XMLFile: 0495E8.xml