Mark Minasi's Reader Forum
 SFC Event Testing

T O P I C    R E V I E W
Mamba Posted - 04/02/2012 : 12:24:26 PM
For security compliance purposes, I've added the following events to our syslog monitoring/alerting:
Event IDs having a source of “Windows File Protection”
64001
64002
64004
64005
64021

Now I'm trying to generate one of these events, preferably on a Windows 7 system, so that we can set up alerts. I've been doing scans and verify checks with SFC (System File Checker) but so far no luck in triggering any System Event Log events.
Any idea on the best way to generate these?

Tx, M
5   L A T E S T    R E P L I E S    (Newest First)
Mamba Posted - 05/05/2012 : 09:22:47 AM
Sorry if I was unclear. As I stated, "...what equivalent event IDs might exist for Windows 7 and 2008 server. I doubt any of those would share the "Windows File Protection" source". Yes, finding info for the older (XP) IDs is easy. I'm still looking for detail on newer (Win7/2008) IDs that I'm guessing may now have a "Windows Resource Protection" source. I don't even know if the event ID numbers would be the same, let alone the source or contents.
Ideally I need a way to *generate* a valid WRP event on a Win7/2008 machine to determine those details, in similar fashion as I did for the 64002 event in XP (by renaming a system DLL). But to do so in the latest OS versions you must take ownership (from TrustedInstaller) of the file which, as far as I can tell, doesn't generate any similar System events. I'm trying to find a method to simulate a malicious action and then be able to detect that WRP did its job.
JeffWouters Posted - 05/05/2012 : 05:12:17 AM
You wrote that you've set up syslog monitoring based on "Event IDs having a source of “Windows File Protection”".
For that, the command should be enough just to test IF the monitoring tool does what it should.
Unless it also looks at the content of the event... in that case a little Google search on "event windows <code>" would do the trick in providing such information:
64001 = http://support.microsoft.com/kb/222193
64002 = http://www.eventid.net/display-eventid-64002-source-Windows%20File%20Protection-eventno-169-phase-1.htm
64004 = http://www.eventid.net/display.asp?eventid=64004&eventno=1171&source=Windows%20File%20Protection&phase=1
64005 = http://www.errorhelp.com/search/details/15277/event-id-64005-source-windows-file-protection-type-information-description-the-protected-system-file-was-not-restored-to-its-original-valid-version-because-the-windows-file-protection-restora
64021 = http://support.microsoft.com/kb/816838
Mamba Posted - 05/03/2012 : 11:07:01 AM
Tx Jeff. However without knowing exactly WHAT the details are of any associated WRP (Windows Resource Protection) event IDs that might exist, I can't attempt to create any for testing.
I'm still trying to find event ID detail for equivalent WFP events but on Win7/2008. So far, finding any event ID info has been frustrating.
JeffWouters Posted - 05/03/2012 : 09:26:53 AM
Use PowerShell to generate some events... The following (or something similar, not sure about the source) should do the trick:
New-EventLog -ComputerName Server01 -LogName Application -Source "SFC"   # run once, elevated: Write-EventLog errors out if the source is not registered in that log
Write-EventLog -ComputerName Server01 -LogName Application -Source "SFC" -EventId 64001 -Message "Generated test event to test the monitoring system for SFC events."
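A fuller version of the same idea, added here as an example and not code from anyone in this thread: it registers the exact source the syslog rule in the opening post filters on, writes one synthetic event per listed ID into the System log, and reads them back with the same filter a collector would apply, so the forwarder and alert rule can be checked end to end. The log name, source name, message text and the "run elevated on the monitored host" requirement are assumptions for a test rig; the script is written to stay within PowerShell 2.0 syntax since that is what Windows 7 ships with.

```powershell
# Added example (not from the thread). Generates synthetic "Windows File Protection"
# events in the System log so a syslog alerting rule keyed on that source and on the
# listed IDs can be exercised, then verifies they landed in the local log.
# Assumptions: elevated PowerShell on the monitored host; log/source names match the
# rule in the opening post; message text is made up and clearly labelled as a test.
$LogName  = 'System'
$Source   = 'Windows File Protection'
$EventIds = 64001, 64002, 64004, 64005, 64021

# Write-EventLog refuses unknown sources, so register it once (needs admin rights).
# If a source of this name already exists but in a different log, Write-EventLog
# will fail; check the registry under EventLog\<log>\<source> in that case.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

$start = Get-Date
foreach ($id in $EventIds) {
    Write-EventLog -LogName $LogName -Source $Source -EventId $id -EntryType Information `
        -Message "TEST ONLY: synthetic event $id written to exercise SFC/WFP syslog alerting."
}

# Read back only what was just written, using the same fields a collector keys on.
$written = Get-WinEvent -FilterHashtable @{
    LogName      = $LogName
    ProviderName = $Source
    Id           = $EventIds
    StartTime    = $start
} -ErrorAction SilentlyContinue

$seen    = @($written | ForEach-Object { $_.Id })
$missing = @($EventIds | Where-Object { $seen -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Not found in $LogName after writing: $($missing -join ', ')"
} else {
    "All $($seen.Count) test events present locally; now confirm they arrived at the syslog side."
}

# Optional cleanup once the forwarder has been verified (log entries stay in place):
# Remove-EventLog -Source $Source
```

This only proves the pipeline: a synthetic event shows that the syslog agent picks up the System log and that the rule matches the source and IDs. It says nothing about whether Windows 7's Windows Resource Protection would ever write an event with that source or those IDs, which is the open question later in the thread, so treat a green result here as "alerting works if such an event occurs", not as "WRP is being monitored".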
Mamba Posted - 05/02/2012 : 3:40:34 PM
So...a 64002 is easy to generate in Windows XP.
However, I'm trying to find what equivalent event IDs might exist for Windows 7 and 2008 server. I doubt any of those would share the "Windows File Protection" source, since the associated service looks like it's now "TrustedInstaller".
Anyone??

Mark Minasi's Reader Forum © 2002-2011 Mark Minasi