Windows Event Logs & IIS
Windows Event Logs are structured logs stored in a binary XML format (.evtx) and accessible via Event Viewer, Get-WinEvent, or wevtutil. IIS writes its access logs in the W3C Extended Log Format. Both are critical sources in Windows Server, Active Directory, and IIS environments.
Event Log Channels
| Channel | Path | Contents |
|---|---|---|
| Application | …\Application.evtx | Events from applications and services: SQL Server, IIS app pool, .NET runtime errors. |
| System | …\System.evtx | OS events: driver failures, hardware errors, service start/stop, NTP sync, stop errors (BSOD). |
| Security | …\Security.evtx | Auth, authorization, account management, policy changes. Requires audit policy configured. |
| Setup | …\Setup.evtx | Windows Update, component installation, role/feature changes. |
| Forwarded Events | …\ForwardedEvents.evtx | Events collected from remote machines via Windows Event Forwarding (WEF). |
| Microsoft-Windows-* | Various under Apps and Services | Granular subsystem logs: PowerShell, WMI, Task Scheduler, Defender, DNS, DHCP, etc. |
Event Record Fields
| Field | Meaning |
|---|---|
| EventID | 4-digit numeric identifier. Unique within a provider. The primary field for filtering. |
| Level | 0=LogAlways, 1=Critical, 2=Error, 3=Warning, 4=Information, 5=Verbose. |
| TimeCreated | UTC timestamp in ISO 8601. Windows stores all times as UTC; Event Viewer converts to local for display. |
| Computer | Hostname of machine that generated the event. |
| Channel | Log channel: Application, System, Security, etc. |
| Provider Name | Component that logged the event. E.g. "Microsoft-Windows-Security-Auditing". |
| Task / Opcode | Sub-categorization within a provider. Helps distinguish event variants. |
| Keywords | Bitmask. E.g. Audit Success / Audit Failure in Security log. |
| EventData | Variable XML fields specific to each EventID. Contains usernames, IPs, paths. |
| ActivityID | GUID linking related events across providers for correlation. |
| ProcessID / ThreadID | PID and TID of the process that generated the event. |
Critical Security Event IDs
| Event ID | Name | Significance & Key Fields |
|---|---|---|
| 4624 | Successful logon | Check Logon Type: 2=interactive, 3=network, 10=RDP, 4=batch, 5=service. Also check TargetUserName and IpAddress. |
| 4625 | Failed logon | Check SubStatus: 0xC000006A=bad password, 0xC0000064=unknown username. Repeated = brute force. |
| 4634 / 4647 | Logoff | Correlate with 4624 via LogonID for session duration. 4647 = user-initiated logoff. |
| 4648 | Explicit credential logon | RunAs or network resource with alternate credentials. Can indicate privilege escalation. |
| 4672 | Special privileges at logon | Admin/privileged account logon. Always accompanies 4624 for admin accounts. Investigate if unexpected. |
| 4688 | New process created | Process creation with command line (requires audit policy). Essential for detecting malware execution chains. |
| 4698 / 4702 | Scheduled task created/modified | Task Scheduler manipulation. Common malware persistence mechanism. Check TaskName and task content. |
| 4720 | User account created | New account. Unauthorized creation = serious indicator of compromise. |
| 4722 / 4725 | Account enabled/disabled | Account state changes. Re-enabling a disabled admin account is suspicious. |
| 4728 / 4732 / 4756 | Member added to group | Group membership changes. 4728=global, 4732=local, 4756=universal. Watch for Administrators, Domain Admins. |
| 4740 | Account locked out | Check source workstation. Could be brute force or expired password cached in a service/app. |
| 4768 / 4769 | Kerberos TGT / service ticket | 4768=user logon TGT; 4769=service access. Failure = Pass-the-Hash, expired password, or clock skew. |
| 4776 | NTLM auth attempt | Legacy NTLM. Should be rare in modern AD. 0xC000006A = bad password. |
| 4946 / 4948 | Firewall rule added/deleted | Windows Firewall rule changes. Attackers often add rules to allow inbound connections. |
| 7034 | Service crashed | Service crashed unexpectedly (System log). Repeated = stability issue or exploit attempt. |
| 7045 | New service installed | New service registered (System log). Common malware persistence. Check ImagePath and ServiceName. |
| 1102 | Audit log cleared | Security log cleared. ALWAYS suspicious unless scheduled maintenance. Investigate immediately. |
| 4719 | System audit policy changed | Audit policy modified. Attackers may disable auditing to cover tracks. |
🚨 Critical Alert
Event ID 1102 (security log cleared) should trigger an immediate alert in any security monitoring setup. Legitimate administrators rarely clear the security log. This is a strong indicator of an attacker attempting to cover their tracks.
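An added example (not code from the original page) that puts the 4625 row of the table above to work: it decodes each event's EventData by field name rather than by position, names the SubStatus values the table lists, and flags a source that produces repeated failures within a short window. The threshold and window are tuning assumptions, and the sample events are constructed to run offline.

```powershell
# Added example, not code from the original page: decode 4625 EventData by
# field name instead of positional index, then flag sources with repeated
# failures. Offline on constructed events; on a live host feed in the XML from
# Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4625]]" | ForEach-Object { $_.ToXml() }

$SubStatusNames = @{ '0xC000006A' = 'bad password'; '0xC0000064' = 'unknown username' }

function ConvertFrom-LogonFailureXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $d = @{}   # <Data Name="..."> -> value, so index shifts between OS versions cannot bite
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
    $reason = $SubStatusNames[$d['SubStatus']]; if (-not $reason) { $reason = $d['SubStatus'] }
    [PSCustomObject]@{
        Time      = [datetime]$xml.Event.System.TimeCreated.SystemTime
        User      = $d['TargetUserName']
        SourceIP  = $d['IpAddress']
        LogonType = [int]$d['LogonType']   # 3 = network, 10 = RDP (see table above)
        Reason    = $reason
    }
}
function Find-BruteForceSources {
    # Threshold and window are tuning assumptions, not values from the page.
    param([object[]]$Failures, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $Failures | Group-Object SourceIP | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        $span   = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        if ($_.Count -ge $Threshold -and $span -le $WindowMinutes) {
            [PSCustomObject]@{
                SourceIP = $_.Name
                Attempts = $_.Count
                Users    = ($sorted.User   | Sort-Object -Unique) -join ','
                Reasons  = ($sorted.Reason | Sort-Object -Unique) -join ','
            }
        }
    }
}
# Constructed sample: five failures in one minute from one source plus one stray failure elsewhere.
function New-SampleEvent([string]$Time, [string]$User, [string]$Ip, [string]$Sub) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4625</EventID><TimeCreated SystemTime='$Time'/></System>" +
    "<EventData><Data Name='TargetUserName'>$User</Data><Data Name='LogonType'>3</Data><Data Name='SubStatus'>$Sub</Data><Data Name='IpAddress'>$Ip</Data></EventData></Event>"
}
$sample = @(
    New-SampleEvent '2025-04-10T14:00:05Z' 'administrator' '198.51.100.7' '0xc000006a'
    New-SampleEvent '2025-04-10T14:00:19Z' 'admin'         '198.51.100.7' '0xc0000064'
    New-SampleEvent '2025-04-10T14:00:33Z' 'backup'        '198.51.100.7' '0xc0000064'
    New-SampleEvent '2025-04-10T14:00:48Z' 'svc_sql'       '198.51.100.7' '0xc000006a'
    New-SampleEvent '2025-04-10T14:01:02Z' 'jsmith'        '198.51.100.7' '0xc000006a'
    New-SampleEvent '2025-04-10T14:07:10Z' 'jsmith'        '10.0.0.9'     '0xc000006a'
)
Find-BruteForceSources -Failures ($sample | ForEach-Object { ConvertFrom-LogonFailureXml $_ }) | Format-Table -AutoSize
```

Only 198.51.100.7 is reported; the single failure from 10.0.0.9 stays below the threshold.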
IIS Log Format (W3C Extended)
Default location: C:\inetpub\logs\LogFiles\W3SVC{site_id}\u_ex{YYMMDD}.log
```text
#Software: Microsoft Internet Information Services 10.0
#Date: 2025-04-10 14:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-04-10 14:05:33 10.0.0.5 GET /index.html - 443 - 203.0.113.42 Mozilla/5.0+... https://referrer.com/ 200 0 0 234
```
W3C Field Reference
| Field | cs/s/sc/c prefix | Meaning |
|---|---|---|
| date / time | — | Date and time in UTC. IIS logs UTC — remember to convert for local time analysis. |
| s-ip | server | Server IP address that received the request. |
| cs-method | client→server | HTTP method: GET, POST, PUT, DELETE, HEAD, OPTIONS. |
| cs-uri-stem | client→server | URI path without query string. |
| cs-uri-query | client→server | Query string. Hyphen if none. |
| s-port | server | Server port that received request (80, 443). |
| cs-username | client→server | Authenticated Windows username. Hyphen for anonymous. |
| c-ip | client | Client IP address. |
| cs(User-Agent) | client→server | User-Agent header, URL-encoded (spaces become +). |
| cs(Referer) | client→server | HTTP Referer header. |
| sc-status | server→client | HTTP response status code. |
| sc-substatus | server→client | IIS-specific substatus. 0 = no substatus. See table below for common codes. |
| sc-win32-status | server→client | Windows error code. 0 = success. Non-zero = OS-level failure (look up in winerror.h). |
| time-taken | — | Request duration in milliseconds. Use for performance analysis. |
Notable IIS Substatus Codes
| Status.Sub | Meaning |
|---|---|
| 401.1 | Logon failed (anonymous denied) |
| 401.3 | Unauthorized due to ACL on resource |
| 403.6 | IP address rejected by IP restriction rules |
| 403.14 | Directory listing denied |
| 404.0 | File or directory not found |
| 404.7 | File extension denied by request filtering |
| 404.11 | Double-escape sequence rejected (security filter) |
| 500.19 | Config data invalid — web.config error |
| 500.100 | Internal ASP error — check ASP error details |
| 503.0 | Application pool unavailable — check app pool status |
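An added example (not code from the original page) covering the W3C format and the substatus table above: it maps each data row by the `#Fields` directive instead of a hard-coded column list, undoes the `+` encoding of the User-Agent, and counts the filtered or rejected outcomes per client IP. The `$sampleLog` lines and the `$Watch` selection are constructed assumptions.

```powershell
# Added example, not code from the original page: parse W3C Extended rows using the
# #Fields directive (works for any field set the site logs, unlike a fixed -Header list)
# and count security-relevant status.substatus outcomes per client IP. $sampleLog is
# constructed; on a real host feed it Get-Content of a u_ex*.log file instead.

function ConvertFrom-W3CLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {   # may recur mid-file if logging fields are reconfigured
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'Data row seen before any #Fields directive' }
        $values = $line -split ' '
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row.Contains('time-taken'))     { $row['time-taken'] = [int]$row['time-taken'] }   # milliseconds
        if ($row.Contains('cs(User-Agent)')) { $row['cs(User-Agent)'] = $row['cs(User-Agent)'] -replace '\+', ' ' }
        [PSCustomObject]$row
    }
}

# Outcomes from the substatus table above that deserve a second look, keyed status.substatus.
$Watch = @{ '401.1' = 'logon failed'; '403.6' = 'IP restricted'; '404.7' = 'extension denied by request filtering'
            '404.11' = 'double-escape rejected'; '500.19' = 'web.config invalid' }

function Get-SuspiciousClients {
    param([object[]]$Rows)
    $Rows | ForEach-Object {
        $key = '{0}.{1}' -f $_.'sc-status', $_.'sc-substatus'
        if ($Watch.ContainsKey($key)) {
            [PSCustomObject]@{ ClientIP = $_.'c-ip'; Outcome = $Watch[$key]; Uri = $_.'cs-uri-stem' }
        }
    } | Group-Object ClientIP, Outcome | Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample in the format shown above (three requests, two of them blocked by request filtering).
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-04-10 14:05:33 10.0.0.5 GET /index.html - 443 - 203.0.113.42 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 234
2025-04-10 14:05:40 10.0.0.5 GET /app/web.config - 443 - 198.51.100.7 curl/8.0 - 404 7 0 3
2025-04-10 14:05:41 10.0.0.5 GET /files/report%2520q1.pdf - 443 - 198.51.100.7 curl/8.0 - 404 11 0 2
'@ -split "`r?`n"

$rows = ConvertFrom-W3CLog -Lines $sampleLog
Get-SuspiciousClients -Rows $rows | Format-Table -AutoSize
```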
PowerShell Log Query Examples
```powershell
# Get last 50 errors from System log
# (filter on Level before -MaxEvents, otherwise you get the last 50 events and keep only the errors among them)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message

# Find all failed logins (EventID 4625)
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4625]]" -MaxEvents 100

# Find successful logins with details (EventID 4624)
$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-24)
}
Get-WinEvent -FilterHashtable $filter | ForEach-Object {
    $xml = [xml]$_.ToXml()
    # Positional EventData indices for 4624: 5=TargetUserName, 8=LogonType, 11=WorkstationName, 18=IpAddress
    [PSCustomObject]@{
        Time        = $_.TimeCreated
        User        = $xml.Event.EventData.Data[5].'#text'
        LogonType   = $xml.Event.EventData.Data[8].'#text'
        SourceIP    = $xml.Event.EventData.Data[18].'#text'
        WorkStation = $xml.Event.EventData.Data[11].'#text'
    }
}

# Export failed logins to CSV
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4625]]" |
    Select-Object TimeCreated, Message |
    Export-Csv C:\Temp\failed_logins.csv -NoTypeInformation

# Detect new services (possible malware persistence)
Get-WinEvent -LogName System -FilterXPath "*[System[EventID=7045]]"

# Check if security log was cleared (CRITICAL)
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=1102]]"

# Find locked out accounts (4740)
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4740]]" | ForEach-Object {
    $xml = [xml]$_.ToXml()
    # Positional EventData indices for 4740: 0=TargetUserName, 1=TargetDomainName (the caller computer name)
    [PSCustomObject]@{
        Time       = $_.TimeCreated
        Account    = $xml.Event.EventData.Data[0].'#text'
        LockedFrom = $xml.Event.EventData.Data[1].'#text'
    }
}

# Parse IIS logs for slow requests (>5s = 5000ms)
Get-Content "C:\inetpub\logs\LogFiles\W3SVC1\u_ex250410.log" |
    Where-Object { $_ -notlike '#*' } |
    ConvertFrom-Csv -Delimiter ' ' -Header date,time,sip,method,uri,query,sport,csuser,cip,ua,ref,status,substatus,win32status,timetaken |
    Where-Object { [int]$_.timetaken -gt 5000 } |
    Select-Object date, time, method, uri, status, timetaken |
    Sort-Object { [int]$_.timetaken } -Descending |   # cast, or "999" sorts above "10000"
    Select-Object -First 20
```