Saturday, July 15, 2006

Event Log Explorer

Have you ever wanted more options and features in Windows' Event Viewer?!?! Well, Event Log Explorer seems like a pretty good alternative to Event Viewer.

Here is the feature list, directly from the source:
  • Multi-document user interface (MDI) to view several event logs at one time
  • Favorites computers and their logs are grouped into a tree
  • Viewing event logs and event logs files
  • Archiving event logs
  • Event descriptions are in the log window
  • Event list can be sorted by any column and in any direction
  • Advanced filtering by any criteria including event description text
  • Quick Filter feature allows you to filter event log in a couple of mouse clicks
  • Fast search by any criteria
  • Sending event logs to printer
  • Export log to different formats

More details here - http://www.eventlogxp.com/.

See my previous post for reference on eventquery.vbs - a quick way to run a filter query on the event repository.

Sunday, July 09, 2006

How To Recover Local Administrator Password

This post was drafted a few months ago.

There are plenty of tools available on the net, commercial as well as free, which can be used for resetting/recovering the local administrator password, but this time when I ran into the issue, none of the ones we used to have worked. A user's machine running Windows 2003 Standard Edition was out of the domain, and later we realized that the local administrator's password had already been changed from the default one. Obviously the user wasn't able to recall that password. Since the machine was also running the development environment, the user requested not to reformat/reimage.

For these kinds of scenarios, we almost always used Offline NT Password and Registry Editor (http://home.eunet.no/~pnordahl/ntpasswd/), but for some reason this utility failed to reset the password on this machine. I would assume it failed because of the Windows OS architectural changes incorporated in XP SP2/W2K SP1.

While looking for an alternative I came across www.loginrecovery.com, which offers a free downloadable bootable CD image of about 1.5 MB. Once booted, this utility shows all the local user accounts and their corresponding password hashes. According to the website, you are supposed to note down these hashes, as they are displayed on the screen, in a text file and upload that file on their website. They take 2-3 days to revert with the password for free, and charge a few dollars for immediate delivery.

Not willing to pay or wait for 2-3 days, I went ahead and started searching for free programs which can crack given MD5/LM/NTLM hashes, and came across MDCrack (http://c3rb3r.openwall.net/mdcrack/). At first this utility crashed when I tried running it on my XP SP2 system; I had to set the compatibility mode of this program to Windows 2000 to be able to run it successfully. Using the password hashes noted above in this program, I chose the appropriate algorithm (Algorithm - MD5/MD4/NTLM1) and let the program run its brute force algorithm to decode the password.

References:
Ophcrack - http://sourceforge.net/projects/ophcrack/
John the Ripper - http://www.openwall.com/john/

Friday, July 07, 2006

How to audit and track file deletions

  • Enable Audit Policy: On the machine where you want to track file deletion, go to Administrative Tools->Local Security Policy->Audit Policy, double click "Audit Object Access" in the right pane and switch on "Success" & "Failure".
  • Enable auditing for user/group: You'll need to enable auditing and add the user/security group to be audited on the folder which needs to be watched for file deletion.
    • Right click on the target folder (ex. C:\Program Files\Honeywell), select Properties and go to the Security tab.
    • Click on Advanced, and select the Auditing tab.
    • Add here the security group which would include the user who you think might be deleting the file. If you are not sure, include EVERYONE.
    • On the next screen select "Successful" & "Failed" on "Delete subfolders and files" & "Delete". Apply the new settings and exit from Properties.
  • These configurations will generate file/folder access audit logs for the configured folder in the Security Event Log. Since we are interested only in the logs that show details of file/folder deletions, we'll need to look for Security log entries with event ID 560.
  • Any file deletion operation will generate two events with event ID 560. After you've realized that your target file has been deleted, you'll need to filter the security log view to show only entries with event ID 560 (right click on Event Viewer->Security, select Filter...).
  • If you quickly want to find out whether your configured machine generated any file deletion event log, run the following command on your own (networked) machine. The script ships only with XP and above, but you can run it from your own machine to query the security logs of Windows 2000 machines remotely. Run cscript //h:cscript //s //nologo at least once on your system before executing the following command.

eventquery.vbs /S <Target_System_Name> /FI "ID eq 560" /L Security /V
/FI : Filter
/L : Log name {Application | Security | System}
/V : Verbose output

To know more about the above command, read here.

  • A typical security log with file deletion details will look something like this:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: GKY\Raj
Computer: GKY
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Test\testdoc.txt
Handle ID: 1756
Operation ID: {0,3190200}
Process ID: 4040
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: Raj
Primary Domain: GKY
Primary Logon ID: (0x0,0x40C41)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
SYNCHRONIZE
ReadAttributes
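As an added example (not part of the original post), a small Python parser over a constructed, abbreviated pair of event 560 records in the text layout shown above: every deletion produces two 560 records, and the parser keeps only the one whose Accesses list contains DELETE, which is the record that names the deleted file, the user and the process image. It assumes the "Name: value" field layout of the sample and that the extra access rights appear on their own lines under Accesses.

```python
import re

# Constructed sample, cut to the fields used below, in the text layout Event Viewer
# shows for a Windows 2003 Security-log record with event ID 560. One deletion
# yields two such records; only the first lists DELETE under Accesses.
SAMPLE_SECURITY_LOG = """\
Event ID: 560
User: GKY\\Raj
Object Type: File
Object Name: D:\\Test\\testdoc.txt
Image File Name: C:\\WINDOWS\\explorer.exe
Accesses: DELETE
SYNCHRONIZE
ReadAttributes

Event ID: 560
User: GKY\\Raj
Object Type: File
Object Name: D:\\Test\\testdoc.txt
Image File Name: C:\\WINDOWS\\explorer.exe
Accesses: ReadAttributes
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+): ?(.*)$")

def parse_records(text):
    """Split blank-line separated records into dicts; lines without the
    'Name: value' shape are extra access rights listed under Accesses."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {"Accesses": []}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m is None or m.group(1) == "Accesses":
                rec["Accesses"].append((m.group(2) if m else line).strip())
            else:
                rec[m.group(1)] = m.group(2)
        records.append(rec)
    return records

def file_deletions(text):
    """(object name, user, image) for each 560 record that opened a File with
    DELETE access; the access-only twin record of each deletion is skipped."""
    return [
        (r["Object Name"], r["User"], r["Image File Name"])
        for r in parse_records(text)
        if r.get("Event ID") == "560"
        and r.get("Object Type") == "File"
        and "DELETE" in r["Accesses"]
    ]
```

Feed it the verbose output of the eventquery.vbs filter above (saved to a text file) to get one line per deleted file instead of two raw records.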

NOTE:

  • Ensure that the security log is set not to overwrite itself and has sufficient size to hold logs spanning many days. You can configure these settings by right-clicking on the Security subfolder inside Event Viewer.
  • You might want to test these settings by deleting a few files yourself before assuming it'll deliver what you expect!

Update: Just found a better alternative to the built-in Event Viewer - http://www.eventlogxp.com/