
How to get the Security log as a non-administrative user



Hi Habr! Under the cut is how to get access to the Windows Security log without administrator rights. This is not the first article on Habr about Windows logs and probably not the most original one, but I spent too much time searching for a simple way to read logs as a regular user, so I decided to share a "success story".

Along the way I also had to compare the speed of the PowerShell Get-WinEvent and Get-EventLog cmdlets.

Everything under the cut applies to Windows Server 2008 R2 / 2012 R2 and Windows 10 Pro (1809); I did not check other versions, but I expect the situation to be the same on Server 2016 and 2019.

So, by default an ordinary user has no permission to read the Security log.
An attempt to get the log ends with an error.



Access through Event Viewer is denied as well.



Showtime


Add the user to the local group Event Log Readers.



Next, grant read permission on the registry key MACHINE\System\CurrentControlSet\Services\Eventlog\Security.



Without changing the permissions on this key the parameters of the Security log cannot be read, so neither the location nor the name of the log file can be determined; the classic API behind Get-EventLog and Event Viewer looks the log's settings up there, while Event Log Readers membership alone is what the Security channel's own access list trusts for reading. Security is the only subkey of the Eventlog service that does not inherit permissions from the parent key.

This is what the permissions on MACHINE\System\CurrentControlSet\Services\Eventlog look like.



Check that both the Get-WinEvent and Get-EventLog cmdlets now work.
I'll come back to comparing these cmdlets later...
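The two steps above, as an added PowerShell example that is not code from the original article. It runs elevated on the target machine, adds the account to Event Log Readers and grants it read access on the Security subkey; the account name CONTOSO\logreader is a placeholder, and Add-LocalGroupMember assumes Windows 10 / Server 2016 or later (on 2008 R2 / 2012 R2 use "net localgroup" for the first step).

```powershell
# Added example, not code from the original article. Grants a non-admin account
# read access to the Security log by the two steps described above. Run in an
# elevated Windows PowerShell 5.1 session on the target machine. The account name
# is a placeholder (assumption); Add-LocalGroupMember needs Windows 10 / Server
# 2016 or later, on 2008 R2 / 2012 R2 use "net localgroup" instead.
param(
    [string]$Account = 'CONTOSO\logreader'   # hypothetical account
)

$ErrorActionPreference = 'Stop'
$securityKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

# Step 1: Event Log Readers (S-1-5-32-573). The Security channel's own access
# list grants this group read access, which is what Get-WinEvent relies on.
$members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
if (-not ($members | Where-Object { $_.Name -eq $Account })) {
    Add-LocalGroupMember -Group 'Event Log Readers' -Member $Account
}

# Step 2: read access on the Security subkey, which does not inherit from
# ...\Services\EventLog. The classic API (Get-EventLog, Event Viewer) looks up
# the log's settings there and fails without it.
$acl  = Get-Acl -Path $securityKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $Account,
    [System.Security.AccessControl.RegistryRights]::ReadKey,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
Set-Acl -Path $securityKey -AclObject $acl

# Show the resulting ACE for the account.
(Get-Acl -Path $securityKey).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags

# Step 3: verify in a session running as the account (for example
# runas /user:CONTOSO\logreader powershell). Both APIs must succeed:
#   Get-WinEvent -LogName Security -MaxEvents 3 | Format-Table TimeCreated, Id
#   Get-EventLog -LogName Security -Newest 3 | Format-Table TimeGenerated, EventID
#   wevtutil qe Security /c:3 /rd:true /f:text
```

If only Get-WinEvent works afterwards, step 2 did not take effect; if neither works, the new group membership has not been picked up yet and the account needs a fresh logon. The same script can be pushed to every domain controller with Invoke-Command, which covers the registry part of the domain-controller amendments at the end of the article.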



Manage auditing and security log


If the user also needs to be able to clear the log, Group Policy has to be edited: the user or group must be granted the right Manage auditing and security log.

This right lives under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.



You can read more about Manage auditing and security log in Microsoft's documentation. In short, this policy setting determines which users can specify object access auditing options for individual resources such as files, Active Directory objects and registry keys, that is, edit their system access control lists (SACLs); it does not by itself enable object access auditing (see Audit object access). A user holding it can also view and clear the Security log in Event Viewer.

Checking: everything works as promised, the log has been cleared...



The right does not extend to clearing other logs.



Honestly, I can't think of a scenario where a user needs permission to clear the Security log, but the possibility exists. Keep in mind that this privilege (SeSecurityPrivilege) also lets its holder change SACLs on objects, and that clearing the Security log is not silent: the emptied log starts with event 1102, "The audit log was cleared", naming the account that did it.
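Assigning the right without the Group Policy editor, as an added example that is not code from the original article: the script patches the local security policy with secedit and then shows how to confirm that a clear leaves its own trace in the log. The account name is a placeholder; on domain controllers the right has to come from the Default Domain Controllers Policy instead, as described at the end of the article.

```powershell
# Added example, not code from the original article. Assigns "Manage auditing
# and security log" (SeSecurityPrivilege) to an account in the LOCAL security
# policy with secedit, then shows how to confirm that clearing the Security log
# is itself audited. Run elevated in Windows PowerShell 5.1. The account name is
# a placeholder (assumption). On domain controllers this right comes from the
# Default Domain Controllers Policy instead.
param([string]$Account = 'CONTOSO\logreader')   # hypothetical account

$ErrorActionPreference = 'Stop'
$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'

# secedit stores each right as "SeXxxPrivilege = *SID,*SID,..." under
# [Privilege Rights]; resolve the account to its SID rather than using the name.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area, patch the single line, import it back.
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines   = Get-Content -Path $cfg
$patched = $false
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^SeSecurityPrivilege\s*=') {
        if ($lines[$i] -notmatch [regex]::Escape("*$sid")) {
            $lines[$i] = $lines[$i].TrimEnd() + ",*$sid"
        }
        $patched = $true
    }
}
if (-not $patched) { throw "SeSecurityPrivilege not found in $cfg" }
# secedit expects a Unicode (UTF-16) template.
Set-Content -Path $cfg -Value $lines -Encoding Unicode
& secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# The privilege appears in the account's token at its next logon:
#   whoami /priv | findstr SeSecurityPrivilege
# Clearing the log as that account (Clear-EventLog -LogName Security) is not
# silent: the emptied log starts with event 1102, "The audit log was cleared",
# which names the account that cleared it.
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 1 | Format-List
```

On a domain member a GPO that sets User Rights Assignment overwrites the local value at the next policy refresh, so this is only a lasting change on standalone machines; forward event 1102 to your SIEM if you grant this right to anyone.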

Get-WinEvent VS Get-EventLog


It's time to compare the two cmdlets.

Get-EventLog
Description:

The Get-EventLog cmdlet gets events and event logs from local and remote computers. By default, Get-EventLog gets logs from the local computer.

You can use the Get-EventLog parameters and property values to search for events. This cmdlet gets events that match the specified property values.

PowerShell cmdlets that contain the EventLog noun work only on Windows classic event logs such as Application, System, or Security. To get logs that use the Windows Event Log technology in Windows Vista and later Windows versions, use Get-WinEvent.

Get-WinEvent
Description:

The Get-WinEvent cmdlet gets events from event logs, including classic logs such as the System and Application logs. The cmdlet gets data from event logs that are generated by the Windows Event Log technology introduced in Windows Vista and events in log files generated by Event Tracing for Windows (ETW).

Without parameters, a Get-WinEvent command gets all of the events from all of the event logs on the computer. To interrupt the command, press CTRL + C.

Get-WinEvent lists event logs and event log providers. You can get events from selected event logs or from log files generated by selected event providers, and you can combine events from multiple sources in a single command. This cmdlet allows you to filter events by using XPath queries, structured XML queries, and simplified hash-table queries.

According to the description, Get-WinEvent can work with the large number of logs that appeared in Windows Vista.

For clarity, here are the lists of logs these cmdlets work with; I stopped the output for Get-WinEvent.



But there is one thing: performance matters. Compare the query execution times.



The running time of Get-WinEvent is simply astonishing. Note the number of entries in the Application and Security logs: the event counts are roughly the same, 3400-3600, yet the execution times differ several times over for Application and dozens of times over for Security...

Get-WinEvent takes 127 seconds versus 52 seconds for Get-EventLog to read the Application events.

And for Security: Get-WinEvent takes 2020 seconds versus 45 seconds for Get-EventLog.

If the same commands are run locally things look less dramatic, but even locally Get-EventLog reads the Security log 50 times faster than Get-WinEvent.



One more, slightly more meaningful example: retrieving events with ID 4624, An account was successfully logged on.



What can I say, the numbers do not lie ...
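To make the 4624 comparison reproducible, here is an added PowerShell example that is not code from the original article. It times three ways of pulling logon events from a remote Security log: Get-EventLog filtering with -InstanceId, Get-WinEvent filtered client-side with Where-Object, and Get-WinEvent with -FilterHashtable, which the event log service evaluates before sending events over the wire. The host name srv01.contoso.local is a placeholder, and it assumes an account with the read access set up earlier.

```powershell
# Added example, not code from the original article. Times three ways of
# pulling logon events (4624) from a remote Security log so that the effect of
# where the filter runs is visible. The host name is a placeholder (assumption).
# Run under an account with the read access configured earlier, in Windows
# PowerShell 5.1: Get-EventLog does not exist in PowerShell 7.
param(
    [string]$ComputerName = 'srv01.contoso.local',   # hypothetical host
    [int]$EventId = 4624
)

$methods = @(
    @{ Name   = 'Get-EventLog -InstanceId'
       Script = { Get-EventLog -ComputerName $ComputerName -LogName Security -InstanceId $EventId } },
    @{ Name   = 'Get-WinEvent | Where-Object'          # every event crosses the wire, filter runs locally
       Script = { Get-WinEvent -ComputerName $ComputerName -LogName Security | Where-Object Id -eq $EventId } },
    @{ Name   = 'Get-WinEvent -FilterHashtable'        # filter evaluated by the remote event log service
       Script = { Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = $EventId } } }
)

$results = foreach ($m in $methods) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    # Materialise the whole result so the timing covers the complete transfer.
    $events = @(& $m.Script)
    $sw.Stop()
    [pscustomobject]@{
        Method  = $m.Name
        Events  = $events.Count
        Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 1)
    }
}

$results | Format-Table -AutoSize
```

The Events column should be identical for all three rows; if the -FilterHashtable row is still far behind Get-EventLog, the cost is in the newer API's RPC transport rather than in the filtering, which is the situation the article's measurements describe.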

DC event logs


In conclusion, I left the question of access to the Security logs on a domain controller.

Everything above applies to a domain controller, with a few amendments.

1 - The Event Log Readers group is found among the Builtin security principals.



Adding a user to this group only grants permission to read logs on the domain controllers.

And do not forget that on each domain controller the user must be granted read permission on the registry key MACHINE\System\CurrentControlSet\Services\Eventlog\Security.

Here is an example: there is no permission to read the log of a member server. If you need to read logs from other machines in the domain, use Group Policy (for instance Restricted Groups) to add the users or groups to the local Event Log Readers group on those machines.



2 - To grant the right to clear the log, edit the Default Domain Controllers Policy.

3 - To allow scheduled tasks on the domain controller to run on behalf of the user, also edit the Default Domain Controllers Policy and grant the user the Log on as a batch job right.

4 - Be extremely careful when editing the default domain policies!

PS

A short list of resources that helped me:


Publications on Habr about Windows logs that I found useful:


The end

Source: https://habr.com/ru/post/443386/

