Mamba
Seasoned But Casual Onlooker

33 Posts
Status: offline
Posted - 04/02/2012 : 12:24:26 PM
For security compliance purposes, I've added the following events to our syslog monitoring/alerting: Event IDs having a source of "Windows File Protection": 64001, 64002, 64004, 64005, 64021.
Now I'm trying to generate one of these events, preferably on a Windows 7 system, so that we can set up alerts. I've been doing scans and verify checks with SFC (System File Checker) but so far no luck in triggering any System Event Log events. Any idea on the best way to generate these?
Tx, M
Mamba
Seasoned But Casual Onlooker

33 Posts
Status: offline
Posted - 05/02/2012 : 3:40:34 PM
So... a 64002 is easy to generate in Windows XP. However, I'm trying to find what equivalent event IDs might exist for Windows 7 and 2008 Server. I doubt any of those would share the "Windows File Protection" source, since the associated service looks like it's now "TrustedInstaller". Anyone??
JeffWouters
Here To Stay
 
Netherlands
147 Posts
Status: offline
Posted - 05/03/2012 : 09:26:53 AM
Use PowerShell to generate some events... The following (or something similar, not sure about the source) should do the trick:

Write-EventLog -ComputerName Server01 -LogName Application -Source "SFC" -EventId 64001 -Message "Generated test event to test the monitoring system for SFC events."

Greetsz, Jeff.
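The following script is an added example for this thread, not Jeff's or Microsoft's code. It extends Jeff's one-liner to all five event IDs from the first post: it registers a test source on the System log (the source name "WFP Monitoring Test" is an assumption; Windows has no provider by that name), writes a tagged test event for each ID, and reads them back with Get-WinEvent so the operator can compare what Windows recorded against what the syslog collector received. It only exercises the forwarding and alerting pipeline, not Windows File Protection or Windows Resource Protection themselves.

```powershell
# Added example (not from the thread): synthesize the five "Windows File
# Protection" event IDs the original poster alerts on, then verify that each
# one landed in the System log. Run from an elevated PowerShell session on the
# monitored host. Written to stay within PowerShell 2.0 (as shipped with
# Windows 7), so no -notin operator and no member enumeration on collections.

$Source   = 'WFP Monitoring Test'                 # assumed test source name, not a real provider
$LogName  = 'System'
$EventIds = 64001, 64002, 64004, 64005, 64021     # IDs listed in the first post

# Write-EventLog refuses a source that is not registered to the target log,
# so register it once. New-EventLog needs administrator rights.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# A per-run marker lets the read-back (and the syslog side) distinguish this
# run's events from earlier test runs.
$marker = 'wfp-alert-test-' + (Get-Date -Format 'yyyyMMddHHmmss')

foreach ($id in $EventIds) {
    Write-EventLog -LogName $LogName -Source $Source -EventId $id `
        -EntryType Warning `
        -Message "Synthetic test event $marker for WFP alert rule (EventID $id). Not a real protection event."
}

# Read back what was written. ProviderName in the filter matches the source
# name we registered; Id accepts the whole array.
$written = Get-WinEvent -FilterHashtable @{
    LogName      = $LogName
    ProviderName = $Source
    Id           = $EventIds
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$marker*" }

$writtenIds = @($written | ForEach-Object { $_.Id })
$missing    = @($EventIds | Where-Object { $writtenIds -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Warning ("Not found in the $LogName log: " + ($missing -join ', '))
} else {
    Write-Output "All $($EventIds.Count) test events written with marker $marker; now check the syslog collector for the same marker."
}

# Once the alert rule has been confirmed, the test source can be removed:
# Remove-EventLog -Source $Source
```

The provider on the real events will not be this test source, so an alert rule that keys on the provider name as well as the event ID will not fire on these synthetic entries; match on the event ID and the marker text for the pipeline test, and keep the provider condition for the production rule.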
Mamba
Seasoned But Casual Onlooker

33 Posts
Status: offline
Posted - 05/03/2012 : 11:07:01 AM
Tx Jeff. However, without knowing exactly WHAT the details are of any associated WRP (Windows Resource Protection) event IDs that might exist, I can't attempt to create any for testing. I'm still trying to find event ID detail for equivalent WFP events but on Win7/2008. So far, finding any event ID info has been frustrating.
JeffWouters
Here To Stay
 
Netherlands
147 Posts
Status: offline
Mamba
Seasoned But Casual Onlooker

33 Posts
Status: offline
Posted - 05/05/2012 : 09:22:47 AM
Sorry if I was unclear. As I stated, "...what equivalent event IDs might exist for Windows 7 and 2008 server. I doubt any of those would share the 'Windows File Protection' source". Yes, finding info for the older (XP) IDs is easy. I'm still looking for detail on newer (Win7/2008) IDs that I'm guessing may now have a "Windows Resource Protection" source. I don't even know if the event ID numbers would be the same, let alone the source or contents. Ideally I need a way to *generate* a valid WRP event on a Win7/2008 machine to determine those details, in similar fashion as I did for the 64002 event in XP (by renaming a system dll). But to do so in the latest OS versions you must take ownership (from TrustedInstaller) of the file which, as far as I can tell, doesn't generate any similar System events. I'm trying to find a method to simulate a malicious action and then be able to detect that WRP did its job.