TOPIC REVIEW
Posted - 04/02/2012 : 12:24:26 PM
For security compliance purposes, I've added the following events to our syslog monitoring/alerting:
Event IDs having a source of “Windows File Protection”
Now I'm trying to generate one of these events, preferably on a Windows 7 system, so that we can set up alerts. I've been doing scans and verify checks with SFC (System File Checker) but so far no luck in triggering any System Event Log events.
Any idea on the best way to generate these?
5 LATEST REPLIES (Newest First)
Posted - 05/05/2012 : 09:22:47 AM
Sorry if I was unclear. As I stated, "..what equivalent event IDs might exist for Windows 7 and 2008 server. I doubt any of those would share the "Windows File Protection" source". Yes, finding info for the older (XP) IDs is easy. I'm still looking for detail on newer (Win7/2008) IDs that I'm guessing may now have a "Windows Resource Protection" source. I don't even know if the event ID numbers would be the same, let alone the source or contents.
Ideally I need a way to *generate* a valid WRP event on a Win7/2008 machine to determine those details, in similar fashion as I did for the 64002 event in XP (by renaming a system dll). But to do so in the latest OS versions you must take ownership (from TrustedInstaller) for the file which, as far as I can tell, doesn't generate any similar System events. I'm trying to find a method to simulate a malicious action and then be able to detect that WRP did its job.
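The simulate-then-detect test the post above is asking for, as an added example that is not part of the thread and not anyone's posted code. It is for an elevated session on a lab Windows 7 / Server 2008 R2 VM only, because it deliberately alters a WRP-protected file. Assumptions, labelled in the comments: the target file (calc.exe is assumed to be a harmless protected file; pick your own), the standard CBS.log location, and that the DACL saved with icacls /save can be put back with icacls /restore on the parent directory. The first step also answers the "which source and IDs exist on this OS" question by listing every registered event provider whose name mentions protection, together with the IDs and logs it defines.

```powershell
# Added example, not from the thread. Lab VM only (elevated Windows 7 / Server 2008 R2 session): it
# deliberately alters a WRP-protected file, asks sfc.exe about it, then looks for the evidence.
# Assumed: $Target is a harmless protected file; CBS.log sits at %windir%\Logs\CBS\CBS.log.
param(
    [string]$Target = "$env:windir\System32\calc.exe",
    [ValidateSet('verifyfile','scanfile')][string]$Mode = 'verifyfile'   # scanfile also repairs
)

$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { throw 'Run elevated.' }

# 1. Discovery: which event providers on this box mention protection, and which IDs/logs do they define?
Get-WinEvent -ListProvider '*Protection*' -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    $p.Events | Select-Object @{n='Provider';e={$p.Name}}, Id,
        @{n='Log';e={$_.LogLink.LogName}}, @{n='Description';e={("$($_.Description)" -split "`n")[0]}}
} | Format-Table -AutoSize

# 2. Make the test reversible: timestamp, a byte copy and the file's DACL (owner is restored separately).
$start   = (Get-Date).AddSeconds(-1)          # one second of slack for second-granularity log timestamps
$backup  = Join-Path $env:TEMP ((Split-Path $Target -Leaf) + '.wrp-test.bak')
$aclFile = Join-Path $env:TEMP 'wrp-test-dacl.txt'
Copy-Item $Target $backup -Force
icacls.exe $Target /save $aclFile /q | Out-Null

try {
    # 3. The simulated malicious action: take ownership from TrustedInstaller, grant write access to
    #    BUILTIN\Administrators (by SID, so it works on localized builds), and append bytes so the
    #    file no longer matches its component manifest.
    takeown.exe /f $Target | Out-Null
    icacls.exe $Target /grant '*S-1-5-32-544:F' /q | Out-Null
    [System.IO.File]::AppendAllText($Target, 'WRP-TEST')

    # 4. Ask WRP about that one file. sfc.exe prints UTF-16; dropping the embedded NULs makes the
    #    captured text readable in PowerShell.
    $sfcOut = ((sfc.exe "/$Mode=$Target") -join "`n") -replace "`0", ''
    Write-Host "sfc /$Mode exit code $LASTEXITCODE`n$sfcOut"
}
finally {
    # 5. Put the original bytes, DACL and owner back even if something above failed.
    Copy-Item $backup $Target -Force
    icacls.exe (Split-Path $Target -Parent) /restore $aclFile /q | Out-Null
    icacls.exe $Target /setowner 'NT SERVICE\TrustedInstaller' /q | Out-Null
}

# 6a. Did anything protection-related reach the System/Application logs during the test?
Get-WinEvent -FilterHashtable @{LogName='System','Application'; StartTime=$start} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*File Protection*' -or $_.ProviderName -like '*Resource Protection*' } |
    Format-Table TimeCreated, ProviderName, Id, Message -AutoSize -Wrap

# 6b. SFC's own record is CBS.log, lines tagged [SR]; show the ones written since the test began.
Select-String -Path "$env:windir\Logs\CBS\CBS.log" -Pattern '\[SR\]' |
    Where-Object { $_.Line -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})' -and [datetime]$Matches[1] -ge $start } |
    ForEach-Object { $_.Line }
```

Run it with -Mode scanfile to have sfc.exe repair the file as well as verify it; the finally block still restores the backup either way. If step 6a prints nothing while 6b shows [SR] lines, that is the practical answer to the thread's question: on these OS versions the evidence of the check is in CBS.log rather than in a System log event, so the syslog rule needs a source for that file (or an event a log-forwarding agent raises from it) rather than a "Windows File Protection" source.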
Posted - 05/05/2012 : 05:12:17 AM
You wrote that you've set up syslog monitoring based on "Event IDs having a source of “Windows File Protection”".
For that, the command should be enough just to test IF the monitoring tool does what it should.
Unless it also looks at the content of the event... in that case a little Google search on "event windows <code>" would do the trick on providing such information:
64001 = http://support.microsoft.com/kb/222193
64002 = http://www.eventid.net/display-eventid-64002-source-Windows%20File%20Protection-eventno-169-phase-1.htm
64004 = http://www.eventid.net/display.asp?eventid=64004&eventno=1171&source=Windows%20File%20Protection&phase=1
64005 = http://www.errorhelp.com/search/details/15277/event-id-64005-source-windows-file-protection-type-information-description-the-protected-system-file-was-not-restored-to-its-original-valid-version-because-the-windows-file-protection-restora
64021 = http://support.microsoft.com/kb/816838
Posted - 05/03/2012 : 11:07:01 AM
Thanks Jeff. However without knowing exactly WHAT the details are of any associated WRP (Windows Resource Protection) event IDs that might exist, I can't attempt to create any for testing.
I'm still trying to find event ID detail for equivalent WFP events but on Win7/2008. So far, finding any event ID info has been frustrating.
Posted - 05/03/2012 : 09:26:53 AM
Use PowerShell to generate some events... The following (or something similar, not sure about the source) should do the trick:
New-EventLog -ComputerName Server01 -LogName Application -Source "SFC"   # run once, elevated: Write-EventLog fails until the source is registered to the log
Write-EventLog -ComputerName Server01 -LogName Application -Source "SFC" -EventId 64001 -Message "Generated test event to test the monitoring system for SFC events."
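A fuller version of the synthetic-event approach suggested above, as an added example that is not part of the thread: it writes the event into the log and under the source the original poster's alert rule actually matches on (System, "Windows File Protection", ID 64002), reads it back the way a collector would, and removes the test source afterwards. The log, source, ID and message are parameters taken from the thread, not a real WFP event; the script assumes it runs elevated on the local machine.

```powershell
# Added example, not from the thread: generate a synthetic event that matches the alert rule
# (System log, source "Windows File Protection"), confirm it landed, then remove the test source.
# Run elevated. $Source/$EventId/$Message mirror the poster's rule; this is not a real WFP event.
param(
    [string]$LogName = 'System',
    [string]$Source  = 'Windows File Protection',
    [int]   $EventId = 64002,
    [string]$Message = 'SYNTHETIC TEST EVENT: verifying syslog forwarding of WFP events, not a real file replacement.'
)

$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Registering an event source needs an elevated prompt.'
}

# Write-EventLog fails unless the source is registered, and a source name is unique across all logs,
# so refuse to touch a source that already belongs to a different log (it may be a real one).
$registeredHere = $false
if ([System.Diagnostics.EventLog]::SourceExists($Source)) {
    $owner = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.')
    if ($owner -ne $LogName) { throw "Source '$Source' is already registered to log '$owner'." }
} else {
    New-EventLog -LogName $LogName -Source $Source
    $registeredHere = $true
}

try {
    $start = (Get-Date).AddSeconds(-1)
    Write-EventLog -LogName $LogName -Source $Source -EventId $EventId -EntryType Warning -Message $Message

    # Read it back the way the collector sees it; for classic sources ProviderName equals the source name.
    $found = Get-WinEvent -FilterHashtable @{LogName=$LogName; ProviderName=$Source; Id=$EventId; StartTime=$start} `
                          -ErrorAction SilentlyContinue
    if ($found) { $found | Format-List TimeCreated, ProviderName, Id, LevelDisplayName, Message }
    else        { Write-Warning "Event not found in $LogName; check that the write succeeded and the log is not full." }
}
finally {
    # Remove-EventLog -Source deletes only the source registration, never the log or its events.
    if ($registeredHere) { Remove-EventLog -Source $Source }
}
```

Because the source is registered by the script and not by Windows, this only proves that the forwarding and alert rule fire on the expected source and ID; it says nothing about whether the OS would ever emit such an event itself, which is the separate question the rest of the thread is chasing.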
Posted - 05/02/2012 : 3:40:34 PM
So...a 64002 is easy to generate in Windows XP.
However, I'm trying to find what equivalent event IDs might exist for Windows 7 and 2008 server. I doubt any of those would share the "Windows File Protection" source, since the associated service looks like it's now "TrustedInstaller".