
I want to track process creation on Windows, with their launching arguments, and from what I could see it is possible natively by enabling event ID 4688, but I am having trouble processing what is being logged.

It is a single local machine, so I don't have anything fancy to analyze those event logs. Searching on Google I got to software from various companies that deal in that, ingesting logs from multiple sources even, but not only would it be overkill, I don't have a license for any.

The problem I have is noise basically, an abundance of entries. The native Windows Event Viewer does offer some filtering, but I don't think it could have been any simpler 😞, one can choose to only see 4688s, but that's about it, no way to even exclude by path or image name. I thought the "keywords" field could allow me to do it, but it is something else (outcome of the event trigger it seems).

Since some of you guys are sysadmins, I thought of asking, perhaps you had wanted to do this at some point or filter similar event logs and know how it could be done. I could filter by time, but it would be limiting either way, if at all possible I would prefer having those events logged at all times.

Stumbled upon another option to accomplish the logging that involves running the process(es) under a debugger of sorts that hooks the APIs you want, in this case it would be those that lead to the creation of a new process, and then see those calls and the parameters used ... Nuts. I think it is better to filter what Windows logs instead.

Thanks anyway!

  On 12/10/2023 at 17:59, KaoDome said:


How familiar are you with PowerShell? We utilize PowerShell to interpret the event log on our domain controllers to fire off emails to our admin team when users get created or deleted in the domain (among many many other things).

Depending on how you want to filter your event log, you could do something like this:

Get-EventLog -LogName Security -InstanceId 4688 | Where-Object { $_.Message -match 'yourmatchstring' }

Then once you have the data you want, you can either dump it into a CSV or text doc or something on your PC. If you wanted it to run when an event is generated, then parse the event that is generated for relevant information before dumping it, you can utilize the Task Scheduler.

If you give me some more information about what you're trying to parse from those events we can work on putting together the relevant PowerShell script + task schedule.
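An added example (not code from either poster) of the filtering the reply describes, taken a step further than the one-liner: it reads 4688 events with Get-WinEvent, pulls the image, command line and parent by name out of the event XML instead of regex-matching the whole message, drops a list of noisy images, and appends the rest to a CSV. The exclusion list, lookback window, output path and command-line pattern are assumptions to adjust; CommandLine is only populated when the "Include command line in process creation events" policy is enabled, and reading the Security log needs an elevated prompt.

```powershell
# Added example, not from the thread. Assumes Windows 10/11 or Server 2016+ with
# "Audit Process Creation" on and "Include command line in process creation events"
# enabled; otherwise the CommandLine field is empty. Run elevated (Security log).
$ExcludeImages = @(                      # noisy images to drop (assumed list, tune it)
    'C:\Windows\System32\conhost.exe',
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\backgroundTaskHost.exe'
)
$CommandLinePattern = ''                  # optional regex; '' keeps every command line
$Since   = (Get-Date).AddHours(-24)       # lookback window (assumed)
$OutFile = "$env:USERPROFILE\Desktop\proc-creation.csv"   # assumed output path

# -ErrorAction SilentlyContinue: Get-WinEvent reports an error when no event matches
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
             -ErrorAction SilentlyContinue |
  ForEach-Object {
    # EventData fields are easiest to read by name from the event XML
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Image       = $d.NewProcessName
        CommandLine = $d.CommandLine
        Parent      = $d.ParentProcessName
        ParentPid   = [int]$d.ProcessId          # logged as hex, e.g. 0x1a4
        Pid         = [int]$d.NewProcessId
    }
  } |
  Where-Object { $ExcludeImages -notcontains $_.Image -and
                 $_.CommandLine -match $CommandLinePattern } |
  Export-Csv -Path $OutFile -NoTypeInformation -Append
```

Run it periodically from Task Scheduler with a lookback matching the interval, and the -Append keeps one growing CSV you can open in Excel and filter by Image or Parent instead of fighting Event Viewer.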
