I want to track process creation on Windows, with the launching arguments, and from what I could see it is possible natively by enabling event ID 4688, but I am having trouble processing what is being logged.

It is a single local machine, so I don't have anything fancy to analyze those event logs. Searching on Google I got to software from various companies that deal in that, ingesting logs from multiple sources even, but not only would it be overkill, I don't have a license for any.

The problem I have is basically noise, an abundance of entries. The native Windows Event Viewer does offer some filtering, but I don't think it could have been any simpler 😞: one can choose to only see 4688s, but that's about it, no way to even exclude by path or image name. I thought the "keywords" field could allow me to do it, but it is something else (the outcome of the event trigger, it seems).

Since some of you guys are sysadmins, I thought of asking; perhaps you have wanted to do this at some point, or to filter similar event logs, and know how it could be done. I could filter by time, but it would be limiting either way; if at all possible I would prefer to have those events logged at all times.

I stumbled upon another option to accomplish the logging that involves running the process(es) under a debugger of sorts that hooks the APIs you want, in this case those that lead to the creation of a new process, and then seeing those calls and the parameters used... Nuts. I think it is better to filter what Windows logs instead.

Thanks anyway!

On 12/10/2023 at 13:59, KaoDome said:

How familiar are you with PowerShell? We utilize PowerShell to interpret the event log on our domain controllers to fire off emails to our admin team when users get created or deleted in the domain (among many, many other things).

Depending on how you want to filter your event log, you could do something like this:

Get-EventLog -LogName Security -InstanceId 4688 | Where-Object { $_.Message -match 'yourmatchstring' }

Then once you have the data you want, you can either dump it into a CSV or text doc or something on your PC. If you wanted it to run when an event is generated, then parse the generated event for relevant information before dumping it, you can utilize the Task Scheduler.

If you give me some more information about what you're trying to parse from those events, we can work on putting together the relevant PowerShell script + task schedule.
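A worked version of the approach described in the reply above, added here as an example (it is not code from the thread): it pulls 4688 events with Get-WinEvent, reads the event fields by name, drops an assumed list of noisy image paths (the exclusion the Event Viewer cannot do), and exports the rest to CSV. The exclusion list, the 24-hour window and the output path are assumptions to adjust.

```powershell
# Added example, not from the thread. Run from an elevated prompt:
# reading the Security log requires administrator rights.
# The CommandLine field of 4688 is only populated when the audit policy
# "Include command line in process creation events" is enabled.

# Assumed exclusion list; matched (case-insensitively) against NewProcessName.
$ExcludeImages = @(
    'C:\Windows\System32\conhost.exe',
    'C:\Windows\System32\svchost.exe'
)
$Since  = (Get-Date).AddHours(-24)                           # assumed window
$OutCsv = Join-Path $env:USERPROFILE 'Desktop\proc-create.csv'  # assumed path

# FilterHashtable filters inside the event log service itself, which is far
# faster than piping every Security event through Where-Object.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $Since
} -ErrorAction SilentlyContinue   # no error when nothing matches

$rows = foreach ($e in $events) {
    # Read EventData by field name from the event XML, so the mapping does
    # not depend on the positional order of $e.Properties.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($ExcludeImages -contains $d['NewProcessName']) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Image       = $d['NewProcessName']
        CommandLine = $d['CommandLine']
        Parent      = $d['ParentProcessName']
        # NewProcessId is logged as a hex string such as 0x1a4c
        PID         = [Convert]::ToInt32($d['NewProcessId'], 16)
    }
}

$rows | Sort-Object Time | Export-Csv -Path $OutCsv -NoTypeInformation
"{0} events written to {1}" -f @($rows).Count, $OutCsv
```

Saved as a .ps1 and run from a Task Scheduler job, this gives the recurring, filtered dump the reply describes; to keep the log itself from rolling over before a run, raise the Security log's maximum size in Event Viewer.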
