Description: Windows systems log files overview
Context & dates: Internal study. Initial version June 2005.
Author: Jean-Baptiste Marchand
> Copyright © 2005, Hervé Schauer Consultants, all rights reserved.

Windows log files

Jean-Baptiste Marchand

Hervé Schauer Consultants
Revision History
June 2005
Initial version.

1. Windows services

1.1. Task Scheduler service

The Task Scheduler service writes a text log, SchedLgU.txt, each time a scheduled job starts or finishes. Its location is set by the LogPath registry value:

Key: HKLM\SOFTWARE\Microsoft\SchedulingAgent
Value: LogPath (REG_SZ)
Default value: %SystemRoot%\SchedLgU.txt (W2K, WXP), %SystemRoot%\Tasks\SchedLgU.txt (W2K3)

Table 1. Task Scheduler service

Filename | Service or program | Windows version | Description
%systemroot%\SchedLgU.txt | Task Scheduler service | W2K, WXP | Log of scheduled job runs
%systemroot%\Tasks\SchedLgU.txt | Task Scheduler service | W2K3 | Log of scheduled job runs
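SchedLgU.txt is a fixed-size ring buffer: once full, the service overwrites it from the top and leaves the line "[ ***** Most recent entry is above this line ***** ]" just below the newest record, so everything after that marker is older than everything before it. The parser below is an added example written for this article (it is not part of the original page, nor a Microsoft tool): it puts the buffer back in chronological order, pairs each job's Started, Finished and Result records, and flags runs of unexpected executables or with a non-zero exit code, which is how at.exe jobs planted for remote execution tend to show up. The sample log, the job names, the US-English timestamp format and the allow-list of executables are all constructed assumptions.

```python
import re
from datetime import datetime

# Marker the service leaves below the newest record; text after it is older.
ROTATION_MARKER = "[ ***** Most recent entry is above this line ***** ]"

SERVICE_RE = re.compile(r'^"Task Scheduler Service"\s*$')
JOB_RE = re.compile(r'^"(?P<job>[^"]+)" \((?P<exe>[^)]*)\)\s*$')
EVENT_RE = re.compile(r'^\s*(?P<action>Started|Finished) (?P<ts>.+?)\s*$')
RESULT_RE = re.compile(r'^\s*Result: (?P<result>.+?)\s*$')
EXIT_RE = re.compile(r'exit code of \((\d+)\)')

# Constructed sample (not a real capture) in the SchedLgU.txt layout of an
# English Windows XP system; the buffer has wrapped once, so At3.job, at the
# top, is actually the newest run.
SAMPLE_SCHEDLGU = '''"At3.job" (cmd.exe)
\tStarted 6/21/2005 2:05:00 AM
"At3.job" (cmd.exe)
\tFinished 6/21/2005 2:05:01 AM
\tResult: The task completed with an exit code of (0).
[ ***** Most recent entry is above this line ***** ]
"Task Scheduler Service"
Started at 6/20/2005 8:15:02 AM
"At1.job" (cmd.exe)
\tStarted 6/20/2005 10:00:00 AM
"At1.job" (cmd.exe)
\tFinished 6/20/2005 10:00:05 AM
\tResult: The task completed with an exit code of (0).
"At2.job" (nc.exe)
\tStarted 6/20/2005 11:30:00 PM
"At2.job" (nc.exe)
\tFinished 6/20/2005 11:30:00 PM
\tResult: The task completed with an exit code of (1).
'''


def read_schedlgu(path):
    """Read SchedLgU.txt from disk; the 'U' stands for Unicode (UTF-16LE with a BOM)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


def chronological_lines(text):
    """Undo the ring-buffer wrap: lines after the marker come before the lines above it."""
    lines = text.splitlines()
    if ROTATION_MARKER in lines:
        idx = lines.index(ROTATION_MARKER)
        return lines[idx + 1:] + lines[:idx]
    return lines


def parse_schedlgu(text):
    """Return completed job runs, oldest first, as dicts with
    job, exe, started, finished, result and exit_code."""
    runs, pending, current = [], {}, None
    for line in chronological_lines(text):
        if SERVICE_RE.match(line):
            current = None          # service start/stop record, not a job run
            continue
        m = JOB_RE.match(line)
        if m:
            # a job name line precedes each Started and each Finished line
            current = pending.setdefault(
                m.group("job"), {"job": m.group("job"), "exe": m.group("exe")})
            continue
        if current is None:
            continue                # e.g. the "Started at ..." line of the service itself
        m = EVENT_RE.match(line)
        if m:
            current[m.group("action").lower()] = datetime.strptime(
                m.group("ts"), "%m/%d/%Y %I:%M:%S %p")   # US short date, assumed
            continue
        m = RESULT_RE.match(line)
        if m:
            current["result"] = m.group("result")
            exit_m = EXIT_RE.search(m.group("result"))
            current["exit_code"] = int(exit_m.group(1)) if exit_m else None
            runs.append(pending.pop(current["job"]))
            current = None
    return runs


def suspicious_runs(runs, expected_exes=("cmd.exe",)):
    """Flag runs of executables outside the allow-list or that ended with a non-zero exit code."""
    allowed = {e.lower() for e in expected_exes}
    return [r for r in runs
            if r["exe"].lower() not in allowed or (r.get("exit_code") or 0) != 0]


if __name__ == "__main__":
    for r in parse_schedlgu(SAMPLE_SCHEDLGU):
        print(r["started"], r["job"], r["exe"], "exit code", r["exit_code"])
```

On a live system, read_schedlgu(r"C:\WINDOWS\SchedLgU.txt") replaces the constructed sample; the rest of the pipeline is unchanged.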

1.2. IPSEC Services / IPSEC Policy Agent service

The IPSEC Policy Agent service (PolicyAgent; called IPSEC Services on Windows XP and Windows Server 2003) can log IKE (Oakley) negotiations in a file named oakley.log, which stays empty by default. To enable logging, set the following registry value to 1 and restart the service:

Key: HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
Value: EnableLogging (REG_DWORD)

On Windows 2000, the IPSEC Policy Agent service also recognizes the following registry value, which, when set to 1, enables additional logging in an ipsecpa.log file:

Key: HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent
Value: Debug (REG_DWORD)

Table 2. IPSEC Services / IPSEC Policy Agent service

Filename | Service or program | Windows version | Description
%systemroot%\Debug\oakley.log | IPSEC Services service | W2K, WXP, W2K3 | IKE (Oakley) negotiation log of the IPSEC service
%systemroot%\Debug\ipsecpa.log | IPSEC Policy Agent service | W2K | Log of the IPSEC Policy Agent service

1.3. DNS Client service

The DNS Client service (Dnscache) does not log by default. If a file named %systemroot%\system32\dnsrslvr.log exists, however, the service writes its debug information to it, so creating an empty file is enough to turn logging on:

C:\WINDOWS\system32>echo "" > dnsrslvr.log

On Windows XP and Windows Server 2003, where the service runs as NETWORK SERVICE, that account must explicitly be granted NTFS write permission on the file:

C:\WINDOWS\system32>cacls dnsrslvr.log /E /G "NETWORK SERVICE":W

Table 3. DNS Client service

Filename | Service or program | Windows version | Description
%systemroot%\system32\dnsrslvr.log | Dnscache service | W2K, WXP, W2K3 | Dnscache service debug log

1.4. DHCP Client service

A file named %systemroot%\system32\asyncreg.log can be created by hand to enable logging of the dnsapi functions (dynamic DNS registration) called by the DHCP Client service:

C:\WINDOWS\system32>echo "" > asyncreg.log

On Windows XP and Windows Server 2003, NTFS write permission on the file must explicitly be granted to the NETWORK SERVICE account:

C:\WINDOWS\system32>cacls asyncreg.log /E /G "NETWORK SERVICE":W

Table 4. DHCP Client service

Filename | Service or program | Windows version | Description
%systemroot%\system32\asyncreg.log | DHCP Client service | W2K, WXP, W2K3 | DHCP Client service debug log

1.5. Windows Time service

As documented in Microsoft knowledge base article #816043, the Windows Time service can write a debug log to a text file. The FileLogName registry value must be explicitly added, together with FileLogEntries (REG_SZ, a range of entry types such as 0-116 for everything) and FileLogSize (REG_DWORD, maximum size of the file in bytes), and the service restarted:

Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config
Value: FileLogName (REG_SZ)

Table 5. Windows Time service

Filename | Service or program | Windows version | Description
W32time.log (user-configurable filename) | Windows Time service | W2K, WXP, W2K3 | Windows Time service debug log

1.6. Cluster service

Table 6. Cluster service

Filename | Service or program | Windows version | Description
%systemroot%\Cluster\cluster.log | Cluster Service service | W2K3 | Cluster Service service log files
%systemroot%\system32\LogFiles\Cluster\clcfgsrv.log | Cluster Service service | W2K3 | Cluster Service service log files
%systemroot%\system32\LogFiles\Cluster\clusocm.log | Cluster Service service | W2K3 | Cluster Service service log files
%systemroot%\system32\LogFiles\Cluster\cluscomp.log | Cluster Service service | W2K3 | Cluster Service service log files
%systemroot%\clusocm.log | Cluster optional component | W2K | Cluster optional component log

1.7. Windows Image Acquisition (WIA) service

Table 7. Windows Image Acquisition (WIA) service

Filename | Service or program | Windows version | Description
%systemroot%\wiadebug.log | Windows Image Acquisition (WIA) service | WXP | WIA service error log
%systemroot%\Sti_Trace.log | Windows Image Acquisition (WIA) service | WXP | WIA service error log
%systemroot%\wiaservc.log | Windows Image Acquisition (WIA) service | WXP | WIA service error log

2. Windows setup

Table 8. Windows setup

Filename | Service or program | Windows version | Description
%systemroot%\setupact.log | Windows setup | W2K, WXP, W2K3 | Windows installation log (actions)
%systemroot%\setuperr.log | Windows setup | W2K, WXP, W2K3 | Windows installation log (errors)
%systemroot%\repair\setup.log | Windows setup | W2K, WXP, W2K3 | Windows installation log
%systemroot%\setupapi.log | Windows setup | W2K, WXP, W2K3 | .inf files installation log
%systemroot%\updspapi.log | update.exe | W2K, WXP, W2K3 | .inf files installation log
%systemroot%\comsetup.log | COM+ | W2K, WXP, W2K3 | COM+ setup log
%systemroot%\Debug\NetSetup.log | Windows | W2K, WXP, W2K3 | Domain join and other domain configuration change log
%systemroot%\Debug\Configure Your Server.log | Configure Your Server wizard | W2K3 | Log of administrative actions performed with the Configure Your Server wizard
%systemroot%\Debug\cysui.log | Configure Your Server wizard | W2K3 | Log of administrative actions performed with the Configure Your Server wizard
%systemroot%\Debug\cysui.XXX.log | Configure Your Server wizard | W2K3 | Log of administrative actions performed with the Configure Your Server wizard
%systemroot%\Wsdu.log | Unattended installation | WXP, W2K3 | Dynamic Update log

Note that setupapi.log keeps growing after setup: every Plug and Play driver installation is appended to it, which makes it a record of the devices (USB storage included) first connected to the machine.

3. Software updates

Table 9. Software updates

Filename | Service or program | Windows version | Description
%systemroot%\Windows Update.log | Windows Update | W2K, WXP, W2K3 | Detailed list of the software updates installed through the Windows Update web site
%systemroot%\WindowsUpdate.log | Automatic Updates service | WXP, W2K3 | Automatic Updates (Windows Update Agent) activity log
%systemroot%\svcpack.log | update.exe | W2K, WXP, W2K3 | Service Pack installation log
%systemroot%\spuninst.log | update.exe | W2K, WXP, W2K3 | Service Pack uninstallation log
%systemroot%\KBXXXXXX.log | update.exe | W2K, WXP, W2K3 | Software update installation log
%systemroot%\KBXXXXXXUninst.log | update.exe | W2K, WXP, W2K3 | Software update uninstallation log
%systemroot%\UpdateRollupPackage.log | update.exe | W2K, WXP, W2K3 | Update Rollup Package installation log
%systemroot%\spslprm.log | update.exe | W2K, WXP, W2K3 | Software update slipstreaming log
%systemroot%\cabbuild.log | update.exe | W2K, WXP, W2K3 | Software update log
%systemroot%\spupdsvc.log | spupdsvc.exe | W2K, WXP, W2K3 | Software update log
%systemroot%\system32\spupdsvc.log | spupdsvc.exe | W2K | Software update log
%systemroot%\system32\spupdw2k.log | spupdsvc.exe | W2K | Software update log
%systemroot%\Xpsp1hfm.log | update.exe | WXP | Windows XP pre-SP1 hotfixes log
%systemroot%\system32\CatRoot2\dberr.txt | Catalog file registrations | WXP, W2K3 | Catalog file registrations log

4. Active Directory domain controllers

4.1. Domain Controller promotion (dcpromo.exe)

The dcpromo.exe program promotes a server to an Active Directory domain controller or demotes one. Each run of dcpromo produces the following log files, which record when the promotion or demotion ran and which options were chosen.

Table 10. Domain Controller promotion

Filename | Service or program | Windows version | Description
%systemroot%\Debug\DCPROMO.LOG | dcpromo.exe | W2K, W2K3 | dcpromo.exe log
%systemroot%\Debug\dcpromoui.log | dcpromo.exe | W2K, W2K3 | dcpromo.exe log (user interface)
%systemroot%\Debug\dcpromoui.XXX.log | dcpromo.exe | W2K, W2K3 | dcpromo.exe log (user interface, earlier runs)
%systemroot%\Debug\dcpromohelp.log | dcphelp.exe | W2K, W2K3 | dcphelp.exe log
%systemroot%\Debug\csv.log | csvde.exe | W2K, W2K3 | csvde.exe log

4.2. Security Account Manager (SAM)

When the SamLogLevel registry value is present and set to 1, the SAM creates a sam.log file:

Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Value: SamLogLevel (REG_DWORD)

The sam.log file is used to log account lockout related events.

Table 11. Security Account Manager

Filename | Service or program | Windows version | Description
%systemroot%\debug\sam.log | SAM | WXP, W2K3 | SAM log file (account lockout events)

4.3. Local Security Authority (LSA)

In Windows Server 2003, both the Kerberos authentication package and the KDC service can be configured to write debug information to a file named lsass.log.

To enable logging to a file, the LogToFile registry value must be set to 1:

Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value: LogToFile (REG_DWORD)
Content: 1 (to enable logging)

Then, the KerbDebugLevel registry value must be added and set to a bit mask selecting which kinds of Kerberos events are logged:

Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value: KerbDebugLevel (REG_DWORD)

The common debug values, to be ORed together into the KerbDebugLevel mask, are:

Errors: 0x00000001
Warnings: 0x00000002
Tracing: 0x00000004
API tracing: 0x00000008
Credential related tracing: 0x00000010
Security Context tracing: 0x00000020
Logon Session tracing: 0x00000040
Logon tracing: 0x00000100
KDC tracing: 0x00000200
Detailed Security Context tracing: 0x00000400
Time related tracing: 0x00000800
User related tracing: 0x00001000
Leak related tracing: 0x00002000
WinSock related tracing: 0x00004000
SPN cache tracing: 0x00008000
S4U Errors: 0x00010000
S4U tracing: 0x00020000
Loopback tracing: 0x00080000
Ticket renewal tracing: 0x00100000
User to User tracing: 0x00200000
Locks tracing: 0x01000000

In its Troubleshooting Kerberos Errors document, Microsoft recommends setting KerbDebugLevel to 0xc0000043 for typical debugging work; note that the two highest bits of that value (0xc0000000) do not correspond to any of the flags listed above.

In Windows Server 2003, the KDC service can also be configured to log debugging information, by adding the KdcDebugLevel registry value:

Key: HKLM\SYSTEM\CurrentControlSet\Services\Kdc
Value: KdcDebugLevel (REG_DWORD)

KdcDebugLevel takes the same flag values as KerbDebugLevel (Errors 0x00000001 through Locks tracing 0x01000000, listed above), plus one additional flag:

Use Extended Errors: 0x10000000

The KdcExtraLogLevel registry value can be added for extra KDC logging:

Key: HKLM\SYSTEM\CurrentControlSet\Services\Kdc
Value: KdcExtraLogLevel (REG_DWORD)
Default value: 0x2

The following extra log levels are defined:

Audit SPN unknown errors: 0x1
Log detailed PKINIT errors: 0x2
Log all KDC errors with KLIN information: 0x4

These settings exist for troubleshooting: lsass.log is verbose and records principal names and ticket details, so logging should be disabled again (LogToFile reset to 0) and the file removed once the issue is understood.

Table 12. Local Security Authority

Filename | Service or program | Windows version | Description
%systemroot%\system32\lsass.log | LSA | W2K3 | Kerberos authentication package debugging
%systemroot%\system32\lsass.log | KDC service | W2K3 | KDC service debugging
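KerbDebugLevel and KdcDebugLevel are bit masks, and it is easy to write a value without knowing what it switches on. The following added example (written for this article; it is not Microsoft's code nor part of the original page) builds a mask from the flag names listed above, decodes a mask back into names while reporting any bits the list does not document (the 0xc0000000 part of the recommended 0xc0000043, for instance), and renders the reg.exe commands that apply the values on a domain controller. The flag names and values are those of the article; RECOMMENDED_KERB_LEVEL and the function names are the example's own.

```python
# Bit values as listed above for KerbDebugLevel (Windows Server 2003);
# KdcDebugLevel accepts the same bits plus "Use Extended Errors".
KERB_DEBUG_FLAGS = {
    "Errors": 0x00000001,
    "Warnings": 0x00000002,
    "Tracing": 0x00000004,
    "API tracing": 0x00000008,
    "Credential related tracing": 0x00000010,
    "Security Context tracing": 0x00000020,
    "Logon Session tracing": 0x00000040,
    "Logon tracing": 0x00000100,
    "KDC tracing": 0x00000200,
    "Detailed Security Context tracing": 0x00000400,
    "Time related tracing": 0x00000800,
    "User related tracing": 0x00001000,
    "Leak related tracing": 0x00002000,
    "WinSock related tracing": 0x00004000,
    "SPN cache tracing": 0x00008000,
    "S4U Errors": 0x00010000,
    "S4U tracing": 0x00020000,
    "Loopback tracing": 0x00080000,
    "Ticket renewal tracing": 0x00100000,
    "User to User tracing": 0x00200000,
    "Locks tracing": 0x01000000,
}
KDC_DEBUG_FLAGS = dict(KERB_DEBUG_FLAGS, **{"Use Extended Errors": 0x10000000})

# Value Microsoft suggests for routine troubleshooting (name chosen for this example).
RECOMMENDED_KERB_LEVEL = 0xC0000043


def build_mask(names, table=KERB_DEBUG_FLAGS):
    """OR the named flags into the DWORD that goes into the registry."""
    mask = 0
    for name in names:
        if name not in table:
            raise KeyError(f"unknown debug flag: {name!r}")
        mask |= table[name]
    return mask


def decode_mask(value, table=KERB_DEBUG_FLAGS):
    """Split a DWORD into (documented flag names that are set, leftover undocumented bits)."""
    known = 0
    for bit in table.values():
        known |= bit
    names = [name for name, bit in table.items() if value & bit]
    return names, (value & ~known) & 0xFFFFFFFF


def reg_commands(kerb_level, kdc_level=None, kdc_extra=None):
    """Render the reg.exe commands that apply the levels on a Windows Server 2003 DC.

    reg.exe takes /d as a decimal number, so the masks are rendered in decimal."""
    lsa = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
    kdc = r"HKLM\SYSTEM\CurrentControlSet\Services\Kdc"
    cmds = [f'reg add "{lsa}" /v LogToFile /t REG_DWORD /d 1 /f',
            f'reg add "{lsa}" /v KerbDebugLevel /t REG_DWORD /d {kerb_level} /f']
    if kdc_level is not None:
        cmds.append(f'reg add "{kdc}" /v KdcDebugLevel /t REG_DWORD /d {kdc_level} /f')
    if kdc_extra is not None:
        cmds.append(f'reg add "{kdc}" /v KdcExtraLogLevel /t REG_DWORD /d {kdc_extra} /f')
    return cmds


if __name__ == "__main__":
    names, unknown = decode_mask(RECOMMENDED_KERB_LEVEL)
    print(f"0x{RECOMMENDED_KERB_LEVEL:08X} = {names}, undocumented bits 0x{unknown:08X}")
    kdc_level = build_mask(["Errors", "Warnings", "KDC tracing", "Use Extended Errors"],
                           KDC_DEBUG_FLAGS)
    for cmd in reg_commands(RECOMMENDED_KERB_LEVEL, kdc_level, kdc_extra=0x7):
        print(cmd)
```

Run the printed commands on the domain controller itself, then restart the affected service (or the machine) for the new levels to take effect, and reverse them with LogToFile set to 0 when done.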

4.4. Netlogon

The Netlogon service can be configured to write debugging information to a log file named netlogon.log. On a domain controller it records, among other things, every pass-through (SamLogon) authentication request with its originating workstation and its NTSTATUS result, which makes it the usual starting point for tracing account lockouts back to their source.

As documented in Microsoft knowledge base article #109626, the DbFlag registry value can be added and set to a bit mask (typically 0x2080FFFF for Windows 2000 and Windows Server 2003):

Key: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value: DbFlag (REG_DWORD)

The same mask can be applied without editing the registry with nltest /dbflag:0x2080ffff (nltest.exe ships with the Support Tools). The log has a maximum size; once it is reached the file is renamed netlogon.bak and a new netlogon.log is started, so both files must be collected.

Table 13. Netlogon

Filename | Service or program | Windows version | Description
%systemroot%\Debug\Netlogon.log | Netlogon service | W2K, W2K3 | Netlogon service debug log
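Netlogon.log is most often read to find where failed logons and lockouts come from. The following added example (written for this article, not part of the original page or of Windows) parses the SamLogon lines of a netlogon.log, keeps the "Returns" record that carries the NTSTATUS of each attempt, tallies failures per (workstation, account) pair and attributes each lockout to the source and the number of failures that preceded it. The sample lines are constructed to follow the layout of a Windows Server 2003 netlogon.log (an assumption, not a capture from a real domain controller); the status names are the standard NTSTATUS values.

```python
import re
from collections import Counter

# Constructed sample (not a real capture) in the layout of a W2K3 netlogon.log:
# each attempt produces an "Entered" line and a "Returns <NTSTATUS>" line.
SAMPLE_NETLOGON = r"""06/20 09:12:03 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from \\WKS01 Entered
06/20 09:12:03 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from \\WKS01 Returns 0x0
06/20 09:30:10 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from \\WKS07 Entered
06/20 09:30:10 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from \\WKS07 Returns 0xC000006A
06/20 09:30:11 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from \\WKS07 Returns 0xC000006A
06/20 09:30:12 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from \\WKS07 Returns 0xC000006A
06/20 09:30:13 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from \\WKS07 Returns 0xC000006A
06/20 09:30:14 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from \\WKS07 Returns 0xC000006A
06/20 09:30:15 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from \\WKS07 Returns 0xC0000234
06/20 09:31:00 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\admin from \\WKS07 Returns 0xC0000064
06/20 09:45:00 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CHILD\bob from \\SRV02 Returns 0x0
"""

SAMLOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:[^:]+: )?SamLogon: "
    r"(?P<kind>.+?) logon of (?P<account>\S+) from (?P<source>\S+) "
    r"(?:(?P<entered>Entered)|Returns (?P<status>0x[0-9A-Fa-f]{1,8}))\s*$"
)

# NTSTATUS values that matter when chasing logon failures.
STATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234


def status_name(code):
    return STATUS_NAMES.get(code, f"0x{code:08X}")


def parse_netlogon(text):
    """Return one event per completed SamLogon attempt; only the 'Returns' line carries the result."""
    events = []
    for line in text.splitlines():
        m = SAMLOGON_RE.match(line)
        if not m or m.group("entered"):
            continue
        events.append({
            "ts": m.group("ts"),
            "kind": m.group("kind"),
            "account": m.group("account"),
            "source": m.group("source").lstrip("\\"),   # "\\WKS07" -> "WKS07"
            "status": int(m.group("status"), 16),
        })
    return events


def failure_summary(events, threshold=5):
    """Tally failed attempts per (source, account); report the pairs at or above the
    threshold and attribute each lockout to its source and the failures that led to it."""
    failures, lockouts = Counter(), []
    for e in events:
        if e["status"] == 0:
            continue
        key = (e["source"], e["account"])
        if e["status"] == STATUS_ACCOUNT_LOCKED_OUT:
            lockouts.append({"ts": e["ts"], "account": e["account"], "source": e["source"],
                             "prior_failures": failures[key]})
        else:
            failures[key] += 1
    noisy = sorted(key for key, n in failures.items() if n >= threshold)
    return {"failures": failures, "noisy": noisy, "lockouts": lockouts}


if __name__ == "__main__":
    summary = failure_summary(parse_netlogon(SAMPLE_NETLOGON))
    for (source, account), n in summary["failures"].items():
        print(f"{n} failure(s) for {account} from {source}")
    for lock in summary["lockouts"]:
        print(f"{lock['ts']} {lock['account']} locked out after "
              f"{lock['prior_failures']} failures from {lock['source']}")
```

The threshold should match the domain's account lockout threshold; a (source, account) pair that reaches it in seconds is either a service with a stale stored password or a password-guessing attempt, and the source name tells which.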

4.5. File Replication Service

Table 14. File Replication Service

Filename | Service or program | Windows version | Description
%systemroot%\Debug\NtFrsApi.log | File Replication Service service | W2K, W2K3 | File Replication Service events during promotion and demotion
%systemroot%\Debug\NtFrs_xxxx.log | File Replication Service service | W2K, W2K3 | File Replication Service log

5. Group Policy

Table 15. Group Policy

Filename | Service or program | Windows version | Description
%systemroot%\Debug\UserMode\gpedit.log | Group Policy Object Editor | W2K, WXP, W2K3 | Group Policy Object Editor (core-specific entries)
%systemroot%\Debug\UserMode\gptext.log | Group Policy Object Editor | W2K, WXP, W2K3 | Group Policy Object Editor (CSE-specific entries)
%systemroot%\security\logs\winlogon.log | Group Policy | W2K, WXP, W2K3 | Group Policy Security CSE log
%systemroot%\debug\usermode\fdeploy.log | Group Policy | W2K, WXP, W2K3 | Group Policy Folder Redirection CSE log
%systemroot%\debug\usermode\appmgmt.log | Group Policy | W2K, WXP, W2K3 | Software Installation CSE log
%systemroot%\security\logs\scepol.log | Security Configuration Engine | W2K, WXP, W2K3 | LSA API log used by GPO
%systemroot%\security\logs\scesetup.log | Security Configuration Engine | W2K, WXP, W2K3 | Log of the security settings applied during setup

The level of detail the Security CSE writes to winlogon.log is set by the ExtensionDebugLevel value under the CSE's registration key:

Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
Value: ExtensionDebugLevel (REG_DWORD)
Content: 2 (log all events)

6. Internet Information Services (IIS)

During the installation of IIS 5.0, IIS 5.1 and IIS 6.0, events are logged in iis5.log or iis6.log.

By default, the Internet services (HTTP, FTP, SMTP, NNTP) log requests in files stored under the LogFiles directory, one subdirectory per service instance (W3SVC1 for the first web site, MSFTPSVC1 for the first FTP site, and so on), in the W3C extended log file format. On Windows XP SP2 and Windows Server 2003, requests that the kernel-mode http.sys driver rejects before handing them to a worker process (malformed requests, connection timeouts, requests refused while the application pool is unavailable) never reach the W3SVC logs and are recorded under HTTPERR instead, so both locations must be checked when investigating a web server.

Table 16. Internet Information Services (IIS)

Filename | Service or program | Windows version | Description
%systemroot%\iis5.log | IIS 5 | W2K | IIS 5.0 installation log
%systemroot%\iis6.log | IIS 5.1, IIS 6 | WXP, W2K3 | IIS 5.1 and IIS 6.0 installation log
%systemroot%\system32\LogFiles\W3SVCX\ | IIS HTTP service | W2K, WXP, W2K3 | IIS HTTP service access log
%systemroot%\system32\LogFiles\MSFTPSVCX\ | IIS FTP service | W2K, WXP, W2K3 | IIS FTP service access log
%systemroot%\system32\LogFiles\HTTPERR\httperrX.log | http.sys driver | WXP SP2, W2K3 | http.sys driver error log

7. Routing and Remote Access service

Tracing for the RRAS components is typically enabled with netsh (the set tracing command in the ras context; netsh ras set tracing * enabled turns tracing on for every component). For each RRAS component that supports tracing, a registry key exists under the Tracing key:

Key: HKLM\SOFTWARE\Microsoft\Tracing

For each component, file logging is enabled when the EnableFileTracing registry value is set to 1 and a tracing mask is specified in the FileTracingMask value (netsh sets it to 0xFFFF0000, which traces everything).

Log files are named after the registry keys under the Tracing key. For instance, the NETSHELL.LOG file contains the trace of the NETSHELL component. Tracing is meant to be temporary: the files are verbose and include the traces of the authentication protocols, so it should be disabled again (netsh ras set tracing * disabled) once the diagnosis is done.

Table 17. Routing and Remote Access service

Filename | Service or program | Windows version | Description
%systemroot%\tracing\<component>.LOG (one file per traced component; the files observed are listed below) | RRAS service | W2K, WXP, W2K3 | Routing and Remote Access service tracing files

Trace files found under %systemroot%\tracing:
BAP.LOG
conftsp.LOG
EAPOL.LOG
IASACCT.LOG
IASNAP.LOG
IASRAD.LOG
IASSAM.LOG
IASSDO.LOG
IASSVCS.LOG
IGMPv2.LOG
IPMGM.LOG
IPNATHLP.LOG
IPRouterManager.LOG
KMDDSP.LOG
NDPTSP.LOG
NETMAN.LOG
NETSHELL.LOG
PPP.LOG
RASBACP.LOG
RASCCP.LOG
RASCHAP.LOG
RASDLG.LOG
RASEAP.LOG
RASIPCP.LOG
RASIPHLP.LOG
RASMAN.LOG
RASPAP.LOG
RASSPAP.LOG
RASTAPI.LOG
RASTLS.LOG
Router.LOG
RTM.LOG
tapi32.LOG
tapisrv.LOG
Wlpolicy.LOG
WZCTrace.LOG

8. WMI (Windows Management Instrumentation)

The WMI framework manages several log files. The Logging Directory registry value specifies the directory in which they are stored:

Key: HKLM\SOFTWARE\Microsoft\WBEM\CIMOM
Value: Logging Directory (REG_SZ)
Default value: %SystemRoot%\system32\WBEM\Logs

The Logging registry value can be set to 0 (logging disabled), 1 (errors only) or 2 (verbose logging):

Key: HKLM\SOFTWARE\Microsoft\WBEM\CIMOM
Value: Logging (REG_DWORD)

Both values can also be changed from the Logging tab of the WMI Control MMC snap-in (wmimgmt.msc).

Table 18. WMI (Windows Management Instrumentation)

Filename | Service or program | Windows version | Description
%systemroot%\system32\wbem\logs\setup.log | WMI | W2K, WXP, W2K3 | MOF files compilation log
%systemroot%\system32\wbem\logs\WinMgmt.log | WMI | W2K, WXP, W2K3 | WinMgmt.exe log
%systemroot%\system32\wbem\logs\wbemcore.log | WMI | W2K, WXP, W2K3 | WMI error messages log
%systemroot%\system32\wbem\logs\FrameWork.log | WMI | W2K, WXP, W2K3 | Trace information and error messages for the provider framework and the Win32 provider
%systemroot%\system32\wbem\logs\wbemess.log | WMI | W2K, WXP, W2K3 | Log entries related to events
%systemroot%\system32\wbem\logs\wbemprox.log | WMI | W2K, WXP, W2K3 | Trace information for the WMI proxy server
%systemroot%\system32\wbem\logs\Mofcomp.log | WMI | W2K, WXP, W2K3 | Compilation details from the MOF compiler
%systemroot%\system32\wbem\logs\wmiadap.log | WMI | W2K, WXP, W2K3 | Error messages related to the AutoDiscovery/AutoPurge (ADAP) process
%systemroot%\system32\wbem\logs\wmiprov.log | WMI | W2K, WXP, W2K3 | Management data and events from WMI-enabled Windows Driver Model (WDM) drivers
%systemroot%\system32\wbem\logs\ntevt.log | WMI | W2K, W2K3 | Trace messages from the Event Log provider
%systemroot%\system32\wbem\logs\Dspr
ovider.log | WMI | W2K, WXP, W2K3 | Trace information and error messages for the Directory Services provider
%systemroot%\system32\wbem\logs\WMIC.LOG | WMI | WXP, W2K3 | wmic.exe errors log

9. Miscellaneous

Table 19. Miscellaneous

Filename | Service or program | Windows version | Description
%systemroot%\Debug\PASSWD.LOG | Security Accounts Manager (SAM) service | W2K, WXP, W2K3 | Log file for the SamChangePasswordUser2 API (used by the Change Password dialog box reached through the Control-Alt-Delete sequence)
%systemroot%\Debug\UserMode\userenv.log | Winlogon | W2K, WXP, W2K3 | User environment (profile loading and Group Policy processing) debugging; verbose logging is enabled by setting UserEnvDebugLevel (REG_DWORD) to 0x10002 under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
%systemroot%\system32\LogFiles\Shutdown\ShutDown_XXX.xml | System State Data feature | WXP, W2K3 | System shutdown log
%systemroot%\Pfirewall.log | Windows Firewall | WXP, W2K3 | Windows Firewall log in W3C format; dropped packets and successful connections are only written once logging is enabled in the firewall settings (off by default)
%systemroot%\DtcInstall.log | Distributed Transaction Coordinator service | W2K3 | MS DTC service installation log
%systemroot%\tsoc.log | Terminal Services | W2K, WXP, W2K3 | Terminal Services installation log
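Both the IIS access logs of section 6 and Pfirewall.log use the W3C extended log file format: lines starting with "#" are directives, "#Fields:" names the columns of the data lines that follow, and "-" stands for an empty value. The following added example (written for this article; it is not part of the original page, of IIS or of the Windows Firewall) implements one generic W3C parser driven by the "#Fields:" directive and runs two checks over it: a per-source count of dropped inbound packets in Pfirewall.log, and a traversal/command-execution check on the IIS request URIs that percent-decodes repeatedly, so double-encoded sequences such as %255c are caught. Both sample logs are constructed for the example, not captured from real systems.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed Windows Firewall log in the W3C layout of XP SP2 / W2K3 SP1 (not a real capture).
SAMPLE_PFIREWALL = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-06-20 10:01:02 DROP TCP 10.0.0.5 10.0.0.20 1034 445 48 S 2183045 0 65535 - - - RECEIVE
2005-06-20 10:01:02 DROP TCP 10.0.0.5 10.0.0.20 1035 139 48 S 2183046 0 65535 - - - RECEIVE
2005-06-20 10:01:03 DROP TCP 10.0.0.5 10.0.0.20 1036 135 48 S 2183047 0 65535 - - - RECEIVE
2005-06-20 10:02:00 OPEN TCP 10.0.0.20 10.0.0.1 1050 80 - - - - - - - - -
"""

# Constructed IIS 6.0 W3SVC log (not a real capture); '+' replaces spaces inside a field.
SAMPLE_IIS = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-06-20 10:15:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-06-20 10:15:22 10.0.0.20 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 10.0.0.99 Mozilla/4.0+(compatible) 404 0 2
2005-06-20 10:15:30 10.0.0.20 GET /index.htm - 80 - 10.0.0.50 Mozilla/4.0+(compatible) 200 0 0
"""


def parse_w3c(text):
    """Parse a W3C extended log; '#Fields:' names the columns of the data lines that follow.

    A later '#Fields:' line (IIS writes one each time the service restarts) re-defines
    the columns. Returns a list of dicts; a '-' value becomes None."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or garbled line: skip it rather than misalign the columns
        records.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return records


def firewall_inbound_drops(records):
    """Count dropped inbound packets per (source IP, destination port): a scan shows up as
    one source hitting many ports, a brute force as one source hammering one port."""
    counts = Counter()
    for r in records:
        if r.get("action") == "DROP" and r.get("path") == "RECEIVE":
            counts[(r["src-ip"], r["dst-port"])] += 1
    return counts


def full_unquote(value, rounds=5):
    """Percent-decode until the string stops changing, so %255c -> %5c -> backslash is exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def iis_suspicious_requests(records):
    """Flag requests whose fully decoded URI climbs out of the web root or names cmd.exe."""
    hits = []
    for r in records:
        stem = r.get("cs-uri-stem") or ""
        decoded = full_unquote(stem).replace("\\", "/").lower()
        if "/../" in decoded or decoded.endswith("/..") or "cmd.exe" in decoded:
            hits.append({"c-ip": r.get("c-ip"), "uri": stem, "decoded": decoded,
                         "sc-status": r.get("sc-status")})
    return hits


if __name__ == "__main__":
    for (src, port), n in firewall_inbound_drops(parse_w3c(SAMPLE_PFIREWALL)).items():
        print(f"dropped inbound from {src} to port {port}: {n}")
    for hit in iis_suspicious_requests(parse_w3c(SAMPLE_IIS)):
        print(f"{hit['c-ip']} requested {hit['uri']} -> {hit['decoded']} "
              f"(status {hit['sc-status']})")
```

The same parse_w3c() applies to the MSFTPSVC and HTTPERR logs, which use the format too; only the field names, and therefore the check written on top of the records, change.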
Last modified on 4 November 2010.