Friday, February 17, 2012

Using custom XML to search Windows Event Viewer

So nobody likes going through Windows event viewer. The latest version in server 2008 takes ages to load and filtering isn't fun. So I thought I would go through a few ways to customise the XML used to search it.

So you'll probably start with the XML looking like this 

<QueryList>
  <Query Id="0" Path="file://C:\path\to\file.evtx">
    <Select Path="file://C:\path\to\file.evtx">*</Select>
  </Query>
</QueryList>

You can edit the contents of the select element  to include something from the list below.

  1. SubjectUserSid
  2. SubjectUserName
  3. SubjectDomainName
  4. SubjectLogonId
  5. TargetUserSid
  6. TargetUserName
  7. TargetDomainName
  8. TargetLogonId
  9. LogonType
  10. LogonProcessName
  11. AuthenticationPackageName
  12. WorkstationName
  13. LogonGuid
  14. TransmittedServices
  15. LmPackageName
  16. KeyLength
  17. ProcessId
  18. ProcessName
  19. IpAddress
  20. IpPort
As an example - *[EventData[Data[@Name='YOUROPTION']and(Data='YOURVALUE')]
After the asterix in the above example you can change it to look like this

<QueryList>
  <Query Id="0" Path="file://C:\path\to\file.evtx">
    <Select Path="file://C:\path\to\file.evtx">
      *[EventData[Data[@Name='IpAddress'] and(Data='127.0.0.1')]]
    </Select>
  </Query>
</QueryList>
This will search all the logs for that specific IP Address.

You can even specify the Event ID

<QueryList>
  <Query Id="0" Path="file://C:\path\to\file.evtx">
    <Select Path="file://C:\path\to\file.evtx">      *[System[(EventID="4771")]] and *[EventData[Data and  (Data="username")]]
   </Select>
  </Query>
</QueryList>
The Above code will search for that specific event AND one that includes the name USERNAME.
Posted by at No comments:
Labels:

Thursday, February 09, 2012

Opening a Command Prompt in the Current Folder

If your anything like me you'll hate having to browse to a specific folder, sometimes 5 folders deep, in a command prompt. Thankfully Microsoft have made it possible in Vista and Windows 7 to open a command prompt in a windows folder.

You just browse to the folder as you normally would in Windows, then holding SHIFT you right click in the folder and you'll see 'Open Command Windows Here' in the list. Choose this option and a command prompt will open with is directory in this folder. Wonderful!

If you want to do this in Windows XP you'll need to do a few things first.
  1. In explorer, open Tools, Folder Options.
  2. Select the File Types tab.
  3. For Windows XP: Go to (NONE)      Folder.
  4. For Windows 2000: Press n to scroll to the N/A section.
  5. For Windows NT/98/95: Press f to scroll to the Folders section.
  6. Select the entry labeled Folder
  7. For Windows 2000/XP: Press Advanced button.
  8. For Windows NT/98/95: Press Edit button.
  9. Select New
  10. In the action block type "Command Prompt" without the quotes.
  11. In the app block type "cmd.exe" without the quotes.
  12. Save and exit Folder Options
Easy!
Posted by at No comments:
Labels: ,
Subscribe to: Posts (Atom)