
More on Event Viewer is described in the Windows, Explained post:
Event Viewer Explained - What Should You Actually Look At?
Why Event Logs Matter
Windows constantly records activity in the background. Every login, crash, update, and many security events are written to the Windows Event Log system. When something suspicious happens on a computer, these logs are often the first place investigators look.
Event logs can reveal:
- Login attempts
- System crashes and application errors
- Driver failures
- Software installations
- Security-related events
Opening Event Viewer
- Press Windows + X
- Select Event Viewer
- Expand Windows Logs

The most useful categories are:
- Application - software errors
- System - driver and OS events
- Security - logins and authentication events
Important Event IDs
| Event ID | Meaning |
| --- | --- |
| 4624 | Successful login |
| 4625 | Failed login attempt |
| 6005 | Event log service started (system boot) |
| 6006 | Event log service stopped (shutdown) |
Quick PowerShell Investigation
Run PowerShell as administrator and use this command to see recent security events:
Get-EventLog -LogName Security -Newest 20
This shows the 20 most recent security events.
Check Logins
You can also list logins from PowerShell to quickly see the same events that Event Viewer shows.
For successful logins:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} -MaxEvents 10
For failed logins:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 10
Refer to the Event ID table above.
What Investigators Look For
- Logins at unusual times
- Repeated failed login attempts
- Unexpected system restarts
- Errors immediately before crashes
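The first two items in this list can be checked with a short script. This is an added example, not code from the original post: the function names, the threshold of 5 failures, the 07:00-19:00 working window and the sample records are assumptions made for illustration.

```powershell
# Added example: summarise repeated failed logins and logins at unusual times.
# Assumed values (not from the post): 5-failure threshold, 07:00-19:00 working window.

function ConvertTo-LogonRecord {
    # Flatten a 4624/4625 event from Get-WinEvent into named fields using its XML form.
    param([Parameter(ValueFromPipeline)] $EventRecord)
    process {
        $data = @{}
        foreach ($d in ([xml]$EventRecord.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $EventRecord.TimeCreated
            Id      = $EventRecord.Id
            Account = $data['TargetUserName']
            Source  = $data['IpAddress']      # "-" for many local logons
        }
    }
}

function Get-RepeatedFailure {
    # Group failed logins (4625) by account and source; keep groups at or above the threshold.
    param([object[]] $Records, [int] $Threshold = 5)
    $Records | Where-Object Id -eq 4625 |
        Group-Object Account, Source |
        Where-Object Count -ge $Threshold |
        Select-Object Count, Name
}

function Get-OffHoursLogon {
    # Successful logins (4624) that fall outside the assumed working window.
    param([object[]] $Records, [int] $StartHour = 7, [int] $EndHour = 19)
    $Records | Where-Object { $_.Id -eq 4624 -and ($_.Time.Hour -lt $StartHour -or $_.Time.Hour -ge $EndHour) }
}

# Constructed sample records so the analysis runs without reading a real log.
$sample = @(
    1..6 | ForEach-Object { [pscustomobject]@{ Time = (Get-Date '2024-01-10 02:14').AddSeconds($_); Id = 4625; Account = 'alice'; Source = '192.0.2.10' } }
    [pscustomobject]@{ Time = (Get-Date '2024-01-10 02:15'); Id = 4624; Account = 'alice'; Source = '192.0.2.10' }
    [pscustomobject]@{ Time = (Get-Date '2024-01-10 09:30'); Id = 4624; Account = 'bob';   Source = '-' }
)
Get-RepeatedFailure -Records $sample | Format-Table -AutoSize   # one group: alice, 192.0.2.10 (6 failures)
Get-OffHoursLogon  -Records $sample | Format-Table -AutoSize    # alice's 02:15 login

# On a live system, from an elevated PowerShell session:
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625} -MaxEvents 500 | ConvertTo-LogonRecord
# Get-RepeatedFailure -Records $live; Get-OffHoursLogon -Records $live
```

A burst of failures followed by a success for the same account and source, as in the sample, is the pattern worth a closer look in Event Viewer.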
Windows logs rarely lie. If something happened on your system, there is a good chance Event Viewer recorded it.