Windows Event Viewer is one of the most valuable—but underused—security tools built into Windows. With the right audit settings and a few saved queries, you can spot suspicious logons, privilege abuse, persistence, script abuse, and malware execution without extra software.
This guide covers:
- What to log (and how to enable it correctly)
- The must-watch security event IDs
- Fast filtering with XML and PowerShell
- Saved views, subscriptions, retention, and alerting tips
- Practical playbooks you can run monthly (or when something looks off)
1) Quick Start: Prepare Windows to Log the Right Data
Event Viewer can only show what Windows is configured to log. Spend 5 minutes enabling these:
A. Enable Advanced Audit Policy (Local/Group Policy)
Local Security Policy → Advanced Audit Policy Configuration → Audit Policies
- Account Logon / Logon-Logoff
  - Logon (Success, Failure) → Event IDs 4624, 4625, 4634, 4647, 4672, 4776
- Object Access (optional; can be noisy)
  - File System (Success, Failure) if investigating data access
- Policy Change
  - Audit Policy Change (Success) → 4719, 4902–4912
- Privilege Use
  - Sensitive Privilege Use (Success, Failure) → 4673, 4674
- System
  - Security State Change / Integrity (Success) → 4608, 4609
- Account Management
  - User/Group changes (Success) → 4720–4732, 4738, 4740, 4767
- Detailed Tracking
  - Process Creation (Success) → 4688
  - Process Termination (Success) → 4689
B. PowerShell Logging (for script abuse)
Group Policy → Administrative Templates → Windows Components → Windows PowerShell
- Turn on Module Logging
- Turn on PowerShell Script Block Logging
- Logs to Windows PowerShell and PowerShell/Operational channels (Event IDs 4103, 4104)
C. Microsoft Defender & Other Operational Logs
Applications and Services Logs → Microsoft → Windows
- Windows Defender/Operational (detections, remediation)
- TaskScheduler/Operational (persistence via tasks)
- TerminalServices-LocalSessionManager/Operational (RDP)
- DNS Client Events (name resolution anomalies)
- AppLocker/MSI/Script (if using AppLocker)
D. Log Size & Retention
- Right-click Security → Properties → increase to 256–1024 MB (or more on servers).
- Choose Overwrite events as needed (unless you forward/centralize logs).
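The four Quick Start steps above are normally clicked through in Local Security Policy and Group Policy. The script below is an added example (not from this guide) that applies the same settings with built-in tools on a single machine, so the baseline is reproducible and can be re-checked later. It uses auditpol for 1A, the registry values the Group Policy settings write for 1B (plus the 4688 command-line setting from the Pitfalls section), and wevtutil for 1C and 1D. The 512 MB log size and the two channels enabled in 1C are assumed values; adjust them to your environment.

```powershell
# Added example (not from the original guide): applies Quick Start 1A-1D
# with built-in tools. Run from an elevated PowerShell prompt.
# Assumed values: a 512 MB Security log and the two channels listed in 1C.
$ErrorActionPreference = 'Stop'

# 1A. Advanced audit subcategories. auditpol wants the names shown by
# "auditpol /list /subcategory:*". 4672 is produced by "Special Logon" and
# 4776 by "Credential Validation"; the others map as the guide lists them.
$auditSubcategories = @(
    @{ Name = 'Logon';                     Failure = $true  }  # 4624, 4625
    @{ Name = 'Logoff';                    Failure = $false }  # 4634, 4647
    @{ Name = 'Special Logon';             Failure = $false }  # 4672
    @{ Name = 'Credential Validation';     Failure = $true  }  # 4776
    @{ Name = 'Audit Policy Change';       Failure = $false }  # 4719
    @{ Name = 'Sensitive Privilege Use';   Failure = $true  }  # 4673, 4674
    @{ Name = 'Security State Change';     Failure = $false }  # 4608, 4609
    @{ Name = 'User Account Management';   Failure = $false }  # 4720-4726, 4738, 4740, 4767
    @{ Name = 'Security Group Management'; Failure = $false }  # 4727-4733
    @{ Name = 'Process Creation';          Failure = $false }  # 4688
    @{ Name = 'Process Termination';       Failure = $false }  # 4689
)
foreach ($sub in $auditSubcategories) {
    # Success is always enabled, Failure only where it yields useful events.
    # Nothing is ever disabled, so a stricter existing policy is preserved.
    $apArgs = @('/set', "/subcategory:$($sub.Name)", '/success:enable')
    if ($sub.Failure) { $apArgs += '/failure:enable' }
    & auditpol @apArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$($sub.Name)'" }
}

# 1B. Module and script block logging (the registry values behind the Group
# Policy settings), plus command lines in 4688 (see Common Pitfalls).
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 1C. Operational channels that are disabled by default on many builds
# (assumed list; add others from the guide's section 1C as needed).
$channelsToEnable = @(
    'Microsoft-Windows-TaskScheduler/Operational',
    'Microsoft-Windows-DNS-Client/Operational'
)
foreach ($ch in $channelsToEnable) { wevtutil sl $ch /e:true }

# 1D. Security log size (assumed 512 MB) and "overwrite events as needed".
$securityLogBytes = 512MB
wevtutil sl Security "/ms:$securityLogBytes" /rt:false

function Test-AuditBaseline {
    # Read the result back: log size, retention mode and the audit policy table.
    $cfg = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        SecurityLogMB = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
        LogMode       = $cfg.LogMode          # Circular = overwrite as needed
        AuditPolicy   = (auditpol /get /category:* | Out-String)
    }
}
Test-AuditBaseline | Format-List
```

Because the script only ever passes /success:enable and /failure:enable, re-running it is safe and it never loosens a policy that is already stricter; the Test-AuditBaseline readback at the end is what to keep in a monthly checklist.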
2) Event Viewer Basics That Matter for Security
- Windows Logs → Security: Authentication, authorization, policy changes, process creation.
- Applications and Services Logs: App-specific and OS component logs (PowerShell, Task Scheduler, Defender).
- Custom Views: Your saved dashboards—create once, reuse forever.
- Filter Current Log…: Quick filters by Event ID, Keywords, User, Computer, XML.
Logon Types (for Event ID 4624/4625)
- 2: Interactive (local console)
- 3: Network (SMB/file shares; lateral movement often shows here)
- 7: Unlock
- 10: RemoteInteractive (RDP)
- 11: CachedInteractive (cached domain logon)
3) Must-Watch Security Event IDs (Cheat Sheet)
Authentication & Accounts
- 4624: Successful logon (check LogonType; 10=RDP, 3=Network)
- 4625: Failed logon (bad passwords/brute force)
- 4634 / 4647: Logoff / user-initiated logoff
- 4672: Special privileges assigned (e.g., SeDebugPrivilege) → admin-level session
- 4740: Account locked out
- 4720–4726: User account created/changed/deleted
- 4732 / 4733: Added/removed from local security-sensitive groups (e.g., Administrators)
- 4768–4771: Kerberos tickets (domain joined)
Execution & Changes
- 4688: Process creation (with command line)
- 4689: Process termination
- 4719: System audit policy changed (who changed logging)
- 1102: Security log cleared (critical)
- 4697: Service installed (persistence)
- 106 / 140 (TaskScheduler Operational): Task registered/updated (persistence)
- 4103 / 4104 (PowerShell): Module/script block logging (living-off-the-land attacks)
- 1116 / 1117 (Defender Operational): Malware detected & action taken
4) Fast Filtering with XML (Copy-Paste Ready)
A. Failed admin logons (local machine), exclude computer accounts
Note: Event Viewer's XPath subset supports only position(), Band() and timediff(), so a starts-with()/ends-with() test on TargetUserName is rejected when you save the view. The query below keeps the supported clauses; computer accounts (names ending in '$') are easiest to drop afterwards in PowerShell.
Code:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625)]]
      and *[EventData[Data[@Name='TargetUserName'] != '']]
    </Select>
  </Query>
</QueryList>
B. Successful RDP logons (4624 with LogonType=10)
Code:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and *[EventData[Data[@Name='LogonType']='10']]
    </Select>
  </Query>
</QueryList>
C. New processes with suspicious interpreters (4688)
Code:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4688)]]
      and *[EventData[
        (Data[@Name='NewProcessName'] = 'C:\Windows\System32\cmd.exe' or
         Data[@Name='NewProcessName'] = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' or
         Data[@Name='NewProcessName'] = 'C:\Windows\System32\wscript.exe' or
         Data[@Name='NewProcessName'] = 'C:\Windows\System32\cscript.exe')
      ]]
    </Select>
  </Query>
</QueryList>
D. Privilege elevations (4672)
Code:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4672)]]</Select>
  </Query>
</QueryList>
E. Defender detections (Malware found)
Code:
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
    <Select Path="Microsoft-Windows-Windows Defender/Operational">
      *[System[(EventID=1116 or EventID=1117)]]
    </Select>
  </Query>
</QueryList>
How to use: Event Viewer → a log → Create Custom View… → XML tab → Edit query manually → Paste → Save → name it (e.g., “RDP Success Logons”).
5) Power Users: Query Logs with PowerShell (Get-WinEvent)
Last 50 failed logons
Code:
# In a 4625 event, Properties[5] is TargetUserName and Properties[19] is IpAddress
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 50 |
Select-Object TimeCreated, Id, @{n='User';e={$_.Properties[5].Value}}, @{n='Ip';e={$_.Properties[19].Value}}
Process creations containing ‘-enc’ (often used to obfuscate PowerShell)
Code:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
Where-Object { $_.Message -match '-enc' } |
Select-Object TimeCreated, Message
Successful RDP logons in the last 24h
Code:
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} |
Where-Object { $_.Message -match 'Logon Type:\s+10' } |
Select-Object TimeCreated, Message
Export the Security log (.evtx) to share
Code:
wevtutil epl Security "C:\Temp\SecurityLog.evtx"
6) Practical Playbooks
Playbook A: “Was my machine accessed remotely?”
- 4625 (Security): Filter for failures against your account from unknown IPs.
- 4624 (Security): Look for LogonType=10 (RDP) or 3 (Network) at odd hours.
- 4672 (Security): Any privileged logon shortly after a remote logon?
- TaskScheduler/Operational: New tasks (106/140) created around the same time.
- 4688 (Security): PowerShell/cmd/wscript launches and suspicious command lines.
Playbook B: “Did someone tamper with my security settings?”
- 4719 (Security): System audit policy changed—who did it?
- 1102 (Security): Security log cleared—by whom and when?
- Defender/Operational: Any detection (1116/1117) near that time?
Playbook C: “New local admin suddenly?”
- 4732: User added to Administrators group.
- 4720: New local account created.
- 4624/4672: Did that account log on and get elevated rights?
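The Get-WinEvent one-liners in section 5 rely on positional Properties[n] indexes, the XML view in 4A cannot drop computer accounts, and Playbook A asks you to eyeball whether a 4672 follows a remote logon "shortly after". The block below is an added example (not from this guide) that covers all three: it reads EventData fields by name, summarizes 4625 failures per source address while excluding names ending in '$', and joins each RDP logon (4624, LogonType 10) to its 4672 exactly, because the 4624 TargetLogonId equals the 4672 SubjectLogonId of the same session. The sample events are constructed (documentation-range IP, invented user and LogonId) so the code runs offline; the live call at the end is the only part that needs the real Security log.

```powershell
# Added example, not from the original guide. Sample events are constructed.

function ConvertFrom-EventXml {
    # Flatten one event's XML (as returned by $event.ToXml()) into an object
    # with EventID, TimeCreated and every <Data Name="..."> as a property.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$XmlText)
    process {
        $root   = ([xml]$XmlText).DocumentElement
        $sys    = $root.SelectSingleNode("*[local-name()='System']")
        $fields = [ordered]@{
            EventID     = [int]$sys.SelectSingleNode("*[local-name()='EventID']").InnerText
            TimeCreated = [datetime]$sys.SelectSingleNode("*[local-name()='TimeCreated']").GetAttribute('SystemTime')
        }
        foreach ($d in $root.SelectNodes("*[local-name()='EventData']/*[local-name()='Data']")) {
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]$fields
    }
}

function Get-FailedLogonSummary {
    # Count 4625 failures per source IP and target account. Computer accounts
    # (names ending in '$') are dropped here, which the XPath subset cannot do.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events |
        Where-Object { $_.EventID -eq 4625 -and $_.TargetUserName -and $_.TargetUserName -notlike '*$' } |
        Group-Object IpAddress, TargetUserName |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object TimeCreated
            [pscustomobject]@{
                IpAddress = $sorted[0].IpAddress
                User      = $sorted[0].TargetUserName
                Failures  = $_.Count
                First     = $sorted[0].TimeCreated
                Last      = $sorted[-1].TimeCreated
            }
        } |
        Sort-Object Failures -Descending
}

function Join-RemoteLogonToPrivileges {
    # Pair each RDP logon (4624, LogonType 10) with the 4672 for the same
    # LogonId. A match means that very session received admin-level privileges.
    param([Parameter(Mandatory)][object[]]$Events)
    $privByLogonId = @{}
    foreach ($e in ($Events | Where-Object { $_.EventID -eq 4672 -and $_.SubjectLogonId })) {
        $privByLogonId[$e.SubjectLogonId] = $e
    }
    foreach ($l in ($Events | Where-Object { $_.EventID -eq 4624 -and $_.LogonType -eq '10' -and $_.TargetLogonId })) {
        $p     = $privByLogonId[$l.TargetLogonId]
        $privs = if ($p) { ($p.PrivilegeList.Trim() -split '\s+') -join ',' } else { '' }
        [pscustomobject]@{
            TimeCreated = $l.TimeCreated
            User        = "$($l.TargetDomainName)\$($l.TargetUserName)"
            IpAddress   = $l.IpAddress
            LogonId     = $l.TargetLogonId
            Privileged  = [bool]$p
            Privileges  = $privs
        }
    }
}

function New-SampleEventXml {
    # Constructed test input only: the shape Get-WinEvent's ToXml() produces.
    param([int]$EventID, [string]$Time, [hashtable]$Data)
    $rows = ($Data.GetEnumerator() | ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>$EventID</EventID><TimeCreated SystemTime='$Time'/><Channel>Security</Channel></System>" +
    "<EventData>$rows</EventData></Event>"
}

# Constructed sample: two failures against Administrator from one address, one
# computer-account failure, then an RDP logon whose session receives privileges.
$sample = @(
    New-SampleEventXml 4625 '2024-05-01T02:13:07Z' @{ TargetUserName = 'Administrator'; LogonType = '3'; IpAddress = '203.0.113.77' }
    New-SampleEventXml 4625 '2024-05-01T02:13:09Z' @{ TargetUserName = 'Administrator'; LogonType = '3'; IpAddress = '203.0.113.77' }
    New-SampleEventXml 4625 '2024-05-01T02:13:11Z' @{ TargetUserName = 'WS01$'; LogonType = '3'; IpAddress = '-' }
    New-SampleEventXml 4624 '2024-05-01T02:20:00Z' @{ TargetUserName = 'jdoe'; TargetDomainName = 'WS01'; LogonType = '10'; IpAddress = '203.0.113.77'; TargetLogonId = '0x5a3c1' }
    New-SampleEventXml 4672 '2024-05-01T02:20:00Z' @{ SubjectUserName = 'jdoe'; SubjectLogonId = '0x5a3c1'; PrivilegeList = 'SeDebugPrivilege SeBackupPrivilege' }
) | ConvertFrom-EventXml

Get-FailedLogonSummary -Events $sample | Format-Table -AutoSize
Join-RemoteLogonToPrivileges -Events $sample | Format-Table -AutoSize

# Live use (elevated session): feed real Security events through the same parser.
#   $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4672; StartTime = (Get-Date).AddDays(-1) } |
#           ForEach-Object { $_.ToXml() } | ConvertFrom-EventXml
#   Get-FailedLogonSummary -Events $live
#   Join-RemoteLogonToPrivileges -Events $live
```

Joining on LogonId rather than on a time window removes the guesswork from Playbook A: an RDP session that never appears in the join got no special privileges, and one that does is worth checking against the account's normal group membership (Playbook C).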
7) Saving Time: Custom Views & Subscriptions
- Custom Views: Build once, then click to triage. Suggested folder:
  - Authentication – Failures
  - Admin Elevations
  - Process Creation – Interpreters
  - 🛡 Defender Detections
- Event Subscriptions (centralize on one PC/server)
  - Event Viewer → Subscriptions → Create Subscription…
  - Add Source Computers (requires WinRM/Firewall rules)
  - Ideal for homes/offices with multiple endpoints.
8) Tuning & Noise Reduction
- Exclude known chatty services from your Process Creation saved view (by NewProcessName).
- Only enable Object Access for folders you care about (via Audit File System + folder SACLs).
- Increase Security log size to avoid overwrites during incidents.
- If a legitimate tool is noisy, create a separate view for it rather than disabling auditing.
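The first tuning tip, excluding chatty processes from the Process Creation view, is something the Custom View XML can express directly with a <Suppress> element, and the second question (what is actually noisy?) is a grouping exercise. Both are shown in the added example below, which is not from this guide: the here-string is the same XML you would paste into a Custom View, run from PowerShell with -FilterXml; timediff() is one of the few functions Event Viewer's XPath subset accepts. The suppressed parent path (a fictitious backup agent) is a placeholder to replace with whatever your own baseline shows, and the example assumes an elevated session with 4688 auditing enabled.

```powershell
# Added example, not from the original guide. The suppressed parent process
# path is an assumed placeholder, not a real product.

function Get-InterpreterLaunches {
    # Interpreter launches (section 4C) from the last $Hours hours, with events
    # spawned by a known-noisy parent removed by <Suppress>. The same XML can
    # be pasted into Create Custom View -> XML tab.
    param([int]$Hours = 24)
    $ms = $Hours * 3600 * 1000   # timediff() works in milliseconds relative to now
    $query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4688) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
      and *[EventData[
            Data[@Name='NewProcessName']='C:\Windows\System32\cmd.exe' or
            Data[@Name='NewProcessName']='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' or
            Data[@Name='NewProcessName']='C:\Windows\System32\wscript.exe' or
            Data[@Name='NewProcessName']='C:\Windows\System32\cscript.exe']]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='ParentProcessName']='C:\Program Files\ExampleBackup\backup-agent.exe']]
    </Suppress>
  </Query>
</QueryList>
"@
    # "No events were found" is reported as an error by Get-WinEvent; treat it as empty.
    Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue
}

function Get-ProcessCreationNoise {
    # Rank the executables behind 4688 volume to decide what to suppress next.
    param([int]$Top = 15, [int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $x.DocumentElement.SelectSingleNode("*[local-name()='EventData']/*[local-name()='Data'][@Name='NewProcessName']").InnerText
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object -First $Top -Property Count, Name
}

Get-ProcessCreationNoise | Format-Table -AutoSize
Get-InterpreterLaunches -Hours 24 | Select-Object TimeCreated, Message | Format-Table -Wrap
```

Suppressing by ParentProcessName, as done here, keeps the interpreter itself visible when anything other than the known-noisy parent launches it, which is the behaviour the last tuning tip asks for: quieten the legitimate tool without switching off the audit.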
9) Optional: Sysmon for Deep Process & Network Telemetry
If you’re comfortable with extra tooling, Sysmon (from Microsoft) adds rich event data (hashes, network connects, image loads). Use a reputable baseline config and view logs under:
Applications and Services Logs → Microsoft → Windows → Sysmon/Operational
Key events: 1 (Process Create), 3 (Network Connect), 11 (File Create), 13 (Registry), 22 (DNS).
(If you don’t need this depth yet, stick to native 4688 + PowerShell logs.)
10) Monthly Security Checklist (15 minutes)
- Security log:
  - Filter 4625 failures: new IPs? odd hours?
  - Filter 4624 with LogonType 10 & 3
  - Scan 4672 privileged logons
  - Account changes: 4720–4732, 4740
  - Process creation: 4688 for interpreters & suspicious flags (-enc, -nop, -w hidden)
  - Policy & tamper: 4719, 1102
- Defender: 1116/1117 detections and actions
- PowerShell: 4103/4104 unusual scripts
Export anything suspicious with Save All Events As… to preserve evidence.
Common Pitfalls (and Fixes)
- No 4688 command lines → Enable “Include command line in process creation events.”
- Security log keeps overwriting → Increase log size; consider Event Forwarding.
- Too many false positives → Narrow XML filters (specific EventData fields), or separate “noisy but safe” into its own view.
- No RDP events but remote login suspected → Check TerminalServices-LocalSessionManager/Operational and Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational.
Conclusion
With the right audit policies and a handful of saved views, Event Viewer becomes a powerful security dashboard. Start with authentication and process-creation events, add PowerShell and Defender operational logs, and review them on a monthly cadence. When something feels off, the evidence is already there—you just need to read it.