event logs

Winsage
February 10, 2025
Windows 11 ships with a set of built-in troubleshooting tools, and a failed feature update can be rolled back to the previous version. Event Viewer consolidates the system event logs and is the first place to look for the cause of a failure; Task Manager lists running applications and performance metrics; Resource Monitor shows real-time resource usage; Command Prompt runs diagnostic commands; and PowerShell adds scripting and automation. Together these tools let users diagnose and resolve most Windows-related issues without third-party software.
Tech Optimizer
December 16, 2024
Open-source tools continue to improve productivity and streamline processes for developers and organizations. Notable projects include:
- **Olshansk/postgres_for_everything**: Extends PostgreSQL's reach with resources for JSON/JSONB types, TimescaleDB for time-series data, full-text search, pgRouting for graph data, and advanced SQL analytics.
- **Biggest Shell Programs in the World**: Analyzes large shell scripts and systems, including the Linux Kernel Build System, Android Build System, and Debian Packaging Tools.
- **Pulumi**: An infrastructure-as-code platform that manages cloud infrastructure from languages such as Python, JavaScript, and Go, with multi-cloud support and Kubernetes integration.
- **yorukot/superfile**: A terminal file manager written in Go, offering a modern TUI for file handling and cross-platform compatibility.
- **soci-snapshotter**: An AWS Labs project that speeds up container image handling through lazy loading and snapshotting.
- **Spark UI**: Enhances management and monitoring of Apache Spark applications with live metrics, interactive visualizations, and integration with event logs.
- **LFI.dev**: A framework for real-time collaborative web applications with offline functionality and synchronization.
- **WrenAI**: A tool for building chatbots and virtual assistants with prebuilt NLU and NLG capabilities.
- **Astro 5.0**: A framework for content-focused websites with server-side rendering, static site generation, and improved Markdown handling.
- **Outerbase Studio**: An open-source database management tool with a browser-accessible UI and support for several relational databases.
- **Undici**: A high-performance HTTP client for Node.js with connection pooling, a promise-based interface, and streaming requests.
Winsage
December 16, 2024
The Windows NT architecture still underpins a large share of global IT infrastructure, with millions of installations across Windows Server, Windows 10, and Windows 11, and PowerShell is the natural way to automate it. A fault-tolerant file-sharing mechanism can be built on Windows NT's Distributed File System (DFS) and configured through PowerShell scripts; note that DFS itself provides namespaces and replication, not encryption, so data protection has to be added separately (for example SMB encryption or BitLocker). PowerShell scripts can also drive a real-time health monitoring dashboard that aggregates event logs, performance counters, and custom triggers, so administrators can identify failures quickly. Patch management can be automated through PowerShell and Windows Server Update Services (WSUS) to detect missing updates, apply patches, and audit systems for compliance. PowerShell can likewise support identity and access management (IAM) by continuously auditing permissions and user access rights against corporate policy.
Winsage
October 25, 2024
Microsoft has released Windows Server build 26311 to the Windows Server Insider Program under the Windows Server 2025 branding. The change log for build 26311 is largely the same as for build 26304 and includes Windows Defender Application Control for Business (WDAC), which enforces an allow list of authorized software. The Windows Server 2025 Security Baseline Preview applies over 350 preconfigured security settings, grouped by server role: Domain Controller, Member Server, and Workgroup Member. Known issues include incorrect labeling of the flight, PowerShell script failures in WinPE, intermittent upgrade failures from Windows Server 2019 or 2022, problems when archiving event logs, and installation restrictions where Secure Launch/DRTM is enabled. Downloads are offered in several formats but may be unavailable in some regions because of Microsoft's sales suspension in Russia. The preview expires on September 15, 2025.
Winsage
October 17, 2024
Users are reporting system crashes and Blue Screens of Death (BSOD) after installing the Windows 11 24H2 update, concentrated on systems with Western Digital SN770 and SN580 SSDs. Reports of increased crashes began over a week ago, after the update was installed. Affected users share a common error message: "The driver detected a controller error on \Device\RaidPort1." A community member has proposed a temporary workaround based on registry changes, but neither Western Digital nor Microsoft has responded officially. Both companies are aware of the issue and are expected to release patches and firmware updates.
Winsage
October 12, 2024
Microsoft has released build 26304 of Windows Server for the Windows Server Insider Program, transitioning to the Windows Server 2025 branding. The key feature introduced is Windows Defender Application Control for Business (WDAC), which enforces a strict list of approved software and includes a predefined default policy for implementation via PowerShell cmdlets. The Windows Server 2025 Security Baseline Preview is also available, featuring over 350 preconfigured settings based on Microsoft’s best practices, categorized by server roles such as Domain Controller, Member Server, and Workgroup Member. Users are advised to preview the security baseline only on test systems due to potential irreversible configurations. The new build will be automatically delivered to Server Flighting participants, and the updated Feedback Hub app is available for Server Desktop users. Known issues include mislabeling in flight references, PowerShell script malfunctions in WinPE, intermittent upgrade failures from previous Windows Server versions, potential crashes when archiving event logs, and restrictions for those with Secure Launch/DRTM code path enabled. Downloads are available in limited regions, with previews for Windows Server Long-Term Servicing Channel and Datacenter Azure Edition in various formats. The preview keys are valid only for preview builds, and the preview is set to expire on September 15, 2025.
Winsage
October 1, 2024
Research by JPCERT/CC has shown that specific ransomware families leave identifiable traces in Windows Event Logs, which improves an organization's ability to detect human-operated ransomware attacks. JPCERT/CC confirmed that Conti, Phobos, Midas, BadRabbit, and Bisamware each produce a recognizable pattern: Conti generates event IDs 10000 and 10001; Phobos leaves event IDs 612, 524, and 753; Midas is marked by event ID 7040; BadRabbit's installation of cscc.dat is recorded as event ID 7045; and Bisamware produces event IDs 1040 and 1042. An event ID is only meaningful together with its log and source (provider): the same number is reused by unrelated providers, and several of these IDs (service installation, installer transactions, Restart Manager sessions) also occur during legitimate software installs, so they are investigation leads rather than standalone alerts. Event logs cannot prevent an attack, but they are essential for scoping the damage and understanding the attack methodology. The recommendations are to centralize Event ID 7045 (service installation) logs, implement automated detection, and use PowerShell scripts to monitor system logs for suspicious activity. Organizations should also build comprehensive log collection, advanced hunting queries, and custom detection rules to improve ransomware detection.
Winsage
September 30, 2024
The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has identified specific Windows Event Log entries that can help detect ransomware attacks. The four logs analyzed are Application, Security, System, and Setup. Notable ransomware variants and their associated event IDs include:
- Conti: event IDs 10000 and 10001.
- Phobos: event IDs 612, 524, and 753, left when deleting system backups.
- Midas: event ID 7040, left when altering network settings.
- BadRabbit: event ID 7045, recorded when the encryption component is installed as a service.
- Bisamware: event IDs 1040 and 1042, marking the start and end of a Windows Installer transaction.
Other ransomware variants, including Shade, GandCrab, AKO, AvosLocker, BLACKBASTA, and Vice Society, leave event IDs 13 and 10016, which record permission errors raised when the malware accesses COM applications to delete Volume Shadow Copies. JPCERT/CC notes that older ransomware such as WannaCry and Petya left no traces in Windows event logs, whereas modern strains do. In 2022, the SANS Institute published a guide on detecting ransomware using Windows Event Logs.
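The lookup described in the two JPCERT/CC summaries above, as an added PowerShell example that is not code from JPCERT/CC, Winsage, or SANS: the event IDs and families come from the summaries; the log and provider names attached to each ID, the `cscc.dat` message pattern, and the function names are assumptions of this example (they follow the standard Windows event sources that emit these IDs, and the Phobos and VSS providers in particular are marked as assumed in the code). The sample records are constructed, not real telemetry, so the matching part runs offline under `pwsh` on any platform; only `Get-RansomwareIndicatorEvents` touches live logs and needs Windows.

```powershell
# Added example; not JPCERT/CC or Winsage code. Provider/log pairings are assumptions
# based on the usual Windows sources for these IDs; the article names only IDs and families.
$RansomwareIndicators = @(
    @{ Family = 'Conti';     LogName = 'Application'; Provider = 'Microsoft-Windows-RestartManager'
       Ids = @(10000, 10001); Note = 'Restart Manager session start/end' }
    @{ Family = 'Phobos';    LogName = 'Application'; Provider = 'Microsoft-Windows-Backup'
       Ids = @(612, 524, 753); Note = 'system backup deletion (provider assumed)' }
    @{ Family = 'Midas';     LogName = 'System';      Provider = 'Service Control Manager'
       Ids = @(7040);          Note = 'service start type changed; generic, corroborate' }
    @{ Family = 'BadRabbit'; LogName = 'System';      Provider = 'Service Control Manager'
       Ids = @(7045);          MessagePattern = '*cscc.dat*'; Note = 'cscc.dat installed as a service' }
    @{ Family = 'Bisamware'; LogName = 'Application'; Provider = 'MsiInstaller'
       Ids = @(1040, 1042);    Note = 'Windows Installer transaction start/end' }
    # Shade, GandCrab, AKO, AvosLocker, BLACKBASTA, Vice Society: COM permission errors
    # raised while calling VSS to delete shadow copies.
    @{ Family = 'VSS-deletion families'; LogName = 'Application'; Provider = 'VSS'
       Ids = @(13);            Note = 'VSS COM error (provider assumed)' }
    @{ Family = 'VSS-deletion families'; LogName = 'System';      Provider = 'Microsoft-Windows-DistributedCOM'
       Ids = @(10016);         Note = 'DCOM activation permission denied' }
)

function Find-RansomwareEventIndicators {
    # Matches records shaped like Get-WinEvent output (LogName, ProviderName, Id, Message,
    # TimeCreated) against the indicator table. Log, provider AND id must all agree, so an
    # unrelated provider reusing the same number (e.g. Kernel-General 13) does not match.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $EventRecord,
        [object[]] $Indicators = $RansomwareIndicators
    )
    process {
        foreach ($e in $EventRecord) {
            foreach ($ind in $Indicators) {
                if ($e.LogName -ne $ind.LogName) { continue }
                if ($e.ProviderName -ne $ind.Provider) { continue }
                if ($ind.Ids -notcontains $e.Id) { continue }
                # Optional message pattern narrows generic IDs (7045 fires on every service install).
                if ($ind.MessagePattern -and ($e.Message -notlike $ind.MessagePattern)) { continue }
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated; Family = $ind.Family; LogName = $e.LogName
                    Provider    = $e.ProviderName; Id = $e.Id; Note = $ind.Note
                }
            }
        }
    }
}

function Get-RansomwareIndicatorEvents {
    # Live query (Windows only, needs event log read rights): one Get-WinEvent call per log.
    # FilterHashtable accepts arrays for ProviderName and Id, so each log is fetched once.
    param([datetime] $Since = (Get-Date).AddDays(-7), [string] $ComputerName = $env:COMPUTERNAME)
    foreach ($log in ($RansomwareIndicators.LogName | Sort-Object -Unique)) {
        $subset = @($RansomwareIndicators | Where-Object LogName -eq $log)
        $filter = @{
            LogName      = $log
            ProviderName = @($subset.Provider | Sort-Object -Unique)
            Id           = @($subset.Ids | ForEach-Object { $_ } | Sort-Object -Unique)
            StartTime    = $Since
        }
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Find-RansomwareEventIndicators
    }
}

# Constructed sample records (not real telemetry) shaped like Get-WinEvent output.
function New-SampleEvent ([string] $Log, [string] $Provider, [int] $Id, [string] $Message) {
    [pscustomobject]@{ TimeCreated = Get-Date; LogName = $Log; ProviderName = $Provider; Id = $Id; Message = $Message }
}
$SampleEvents = @(
    New-SampleEvent 'Application' 'Microsoft-Windows-RestartManager' 10000 'Starting session 1'
    New-SampleEvent 'Application' 'Microsoft-Windows-RestartManager' 10001 'Ending session 1'
    New-SampleEvent 'System' 'Service Control Manager' 7045 'A service was installed. Service File Name: C:\Windows\cscc.dat'
    New-SampleEvent 'System' 'Service Control Manager' 7045 'A service was installed. Service File Name: C:\Windows\Sysmon64.exe'  # benign, no match
    New-SampleEvent 'System' 'Microsoft-Windows-DistributedCOM' 10016 'Local Activation permission not granted for COM Server application'
    New-SampleEvent 'System' 'Microsoft-Windows-Kernel-General' 13 'The operating system is shutting down'  # same ID 13, wrong provider, no match
)

$hits = $SampleEvents | Find-RansomwareEventIndicators
$hits | Format-Table TimeCreated, Family, LogName, Id, Note -AutoSize   # 4 rows: Conti x2, BadRabbit, VSS-deletion
$hits | Group-Object Family | Select-Object Name, Count
```

On a Windows host, `Get-RansomwareIndicatorEvents -Since (Get-Date).AddDays(-1)` runs the same matcher over the real Application and System logs, and `-ComputerName` points it at a remote server when logs are not yet centralized. Treat the output as leads, not alerts: Restart Manager sessions, installer transactions and 7040/7045 all appear during legitimate installs, so a burst of them in a short window, the `cscc.dat` service, or the 13/10016 VSS errors are what warrant escalation.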