| Admin Tip #159: New system events in NT4 SP4 |
Hits: Failed to execute CGI : Win32 Error Code = 3
|
This is equivalent to Event ID: 512.
This means NT was not restarted until after the screen message It is now safe to turn off your computer. Event Log Service records a clean shutdown whenever an operating system shutdown is initiated via direct user interaction using the Shut Down screen; Shutdown/Restart using Ctrl+Alt+Delete; Shutdown/ Restart using the Start Menu; or Shutdown/Restart using the Logon screen. Clean shutdowns are also recorded if one of the following shutdown events happens programmatically: InitiateSystemShutdown WIN32 API (local), or InitiateSystemShutdown WIN32 API (remote).
Event Log Service records a dirty shutdown event whenever the operating system is shut down via a mechanism other than a clean shutdown. The most common cause is when the system is power-cycled, i.e., NT is stopped by powering off the system. The event is recorded upon the subsequent system reboot. While Windows NT Server is running, the system periodically writes a time stamp to the registry, which always overwrites the "last alive" time stamp from the previous interval. When the "last alive" time stamp is written, it's also flushed to disk. A normal clean shutdown is also flagged in the registry. If the clean shutdown flag isn't found on disk when an SP4 system reboots, a dirty shutdown event is recorded. The description part of the event contains the "last alive" time stamp. The "last alive" time stamp is written to the registry at a default interval of 5 minutes to HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability\LastAliveStamp. Adding the registry DWORD value TimeStampInterval can change the interval. This value is in units of minutes. Setting it to zero prevents any "last alive" time stamp logging, only the boot and normal shutdown stamps will be written in that case.
Event Log Service records a system version event containing the operating system version information whenever the system is booted. This makes it easier to post-process Windows NT system event logs by operating system version. For example, we export the security logs into sql.
ID 6009 makes a good sort key for OS. Like ID 512, it lists OS version, build number, and service-pack level. An important flag of intrusion is an event ID 577 which signals that the server's time was changed. The combination of event ID 577 with ID 512 or ID 6009 might be innocent but is a red flag that the system time was changed to make the time between shutdown and reboot to look short. Another event ID to pay close attention is security ID 612 which signals that audit categories have been changed. You must enable auditing policy change for this id to be recorded.
Prior to SP4, the recording of operating system crashes in the event log (Save Dump events) was optional. By default, crash events were recorded but a system administrator could disable this behavior in the System control panel by clearing "Write an event to the system log when a STOP error occurs" on the Startup/Shutdown tab. In SP4, the recording of crashes in the event log is mandatory for Windows NT Server and can't be disabled by an administrator. There is no change for Windows NT Workstation; an administrator can still choose either setting.
Other Event IDs:
ID 512 : System Restart
ID 517 : Security Log Cleared
Only individuals with Manage Auditing and Security Log rights can clear the security log.
ID 612 : Audit Policy Change
Event Log Tips:
Archiving Event Logs
Event Log explained
How to Delete Corrupt Event Viewer Log Files
Forensics: CrashOnAuditFail
Restrict access to Application and System event logs
Security Event Descriptions
Security Events Logon Type Definitions
Security Log Location
Suppress Browser Event Log Messages
Suppress Prevent logging of print jobs
System events in NT4 SP4
User Authentication with Windows NT
User Rights, Definition and List
Frank Heyne has made available a Windows NT Eventlog FAQ .
Book Recommendation:
|
|
|
|