LOG ANALYSIS ON WINDOWS EVENT LOG FILES
ASSIGNMENT SUBMITTED BY: Sreeja Swaminathan Puthan
REG NO: RA1512023010015
BRANCH & SPECIFICATION: II M.TECH ISCF
LOG ANALYSIS ON WINDOWS EVENT LOG FILES
Log Analysis:
Log files are used to maintain a record of activities, e.g. activities of the operating
system, certain applications, etc.
Log files come in various formats; in general these formats can be divided into the following
categories:
• Binary formats
• Text-based formats
• In-database
Event Viewer:
On Windows the event logs can be managed with "Event Viewer" (eventvwr.msc) or
"Windows Events Command Line Utility" (wevtutil.exe). Event Viewer can present the
EVTX files in both "general view" (or formatted view) and "details view" (which has both
a "friendly view" and an "XML view"). Note that the formatted view can hide significant event
data that is stored in the event record; this data can be seen in the details view.
If you export an event log from Event Viewer, additional "display information" can be
exported. This display information is stored in a corresponding file named:
LocaleMetaData\%FILENAME%_%LCID%.MTA
where LCID is the "locale identifier".
To view the Windows Setup event logs
1. Start the Event Viewer, expand the Windows Logs node, and then click System.
2. In the Actions pane, click Open Saved Log and then locate the Setup.etl file. By
default, this file is available in the %WINDIR%\Panther directory.
3. The log file contents appear in the Event Viewer.
Fig-1: Using Open Saved Log in Event Viewer to display the saved log file for analysis
To Export the log to a file
From the command line, use the Wevtutil or Tracerpt commands to save the log to an .xml
or text file. For information about how to use these tools, see the command-line Help. The
following commands show examples of how to use the tools:
Tracerpt /l C:\windows\panther\setup.etl
Fig-2: Dumping the contents displayed in Event Viewer into summary.txt using tracerpt
Fig-3: Summary.txt path and file opened
Fig-4: For convenience the file is analyzed using notepad++
LOG ANALYSIS USING LOG PARSER LIZARD AND LOG PARSER 2.2
Download and install Log Parser Lizard and Log Parser 2.2 from
https://www.microsoft.com/en-us/download/details.aspx?id=2465
Fig-5: Querying for event types from System
Fig-6: Displaying the result table for event type from System
ERROR EVENTS:
The figure below shows the list of error events that occurred, as seen in Event Viewer.
Fig-5: Query to display all the error event type log from system
Fig-6: Displaying the error event log from System
Fig-7: Query to display the event type 10010 from system
Fig-8: Displaying the result for the 10010 event type
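As an added example (not part of the original assignment, and not Log Parser's own code), the same queries shown in the figures above can be run offline in Python over a log exported with `wevtutil qe System /f:xml`. The sample events are constructed for the demo and mirror the event IDs discussed in this report (10010, 6008, 1001, 4229, 1014); the GUID placeholder, record IDs, computer name and timestamps are made up. The `reboot_context` helper goes slightly beyond the figures: it pairs each unexpected-shutdown event (6008) with the BugCheck event (1001) logged shortly after it, which is how an analyst confirms that an unexpected reboot was a kernel crash.

```python
"""Offline analysis of a Windows System log exported with
`wevtutil qe System /f:xml > system.xml` (added example, not from the report).
wevtutil writes one <Event> element per line with no enclosing root element,
so the text is wrapped in a synthetic root before it is parsed."""
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information"}


def _event_xml(record_id, time, provider, event_id, level, data, source=None):
    """Build one <Event> fragment in the layout wevtutil emits (constructed sample data)."""
    src = f" EventSourceName='{source}'" if source else ""
    body = "".join(f"<Data>{d}</Data>" for d in data)
    return (
        f"<Event xmlns='{NS['e']}'><System>"
        f"<Provider Name='{provider}'{src}/>"
        f"<EventID Qualifiers='0'>{event_id}</EventID><Level>{level}</Level>"
        f"<TimeCreated SystemTime='{time}'/><EventRecordID>{record_id}</EventRecordID>"
        f"<Channel>System</Channel><Computer>LAB-PC</Computer></System>"
        f"<EventData>{body}</EventData></Event>"
    )


# Constructed sample export: the IDs match the events discussed in the report,
# but the GUID placeholder, record IDs, computer name and timestamps are made up.
SAMPLE_EXPORT = "\n".join([
    _event_xml(101, "2016-03-01T08:02:11.000000000Z", "Microsoft-Windows-DistributedCOM",
               10010, 2, ["{PLACEHOLDER-APPID-GUID}"], source="DCOM"),
    _event_xml(102, "2016-03-01T08:40:57.000000000Z", "Tcpip", 4229, 3, []),
    _event_xml(103, "2016-03-01T09:15:03.000000000Z", "Microsoft-Windows-DNS-Client",
               1014, 3, ["example.invalid", "192.168.1.1"]),
    _event_xml(104, "2016-03-01T09:31:40.000000000Z", "EventLog", 6008, 2,
               ["9:30:05 AM", "3/1/2016"]),
    _event_xml(105, "2016-03-01T09:32:02.000000000Z",
               "Microsoft-Windows-WER-SystemErrorReporting", 1001, 2,
               ["0x0000007e"], source="BugCheck"),
    _event_xml(106, "2016-03-01T10:05:44.000000000Z", "Microsoft-Windows-DistributedCOM",
               10010, 2, ["{PLACEHOLDER-APPID-GUID}"], source="DCOM"),
])


def parse_wevtutil_xml(text):
    """Parse a wevtutil XML export into a list of flat dicts, one per event."""
    root = ET.fromstring("<Events>" + text + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        provider = system.find("e:Provider", NS)
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        events.append({
            "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
            # SystemTime carries 7-9 fractional digits; keep whole seconds, mark as UTC
            "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc),
            # Classic providers (DCOM, BugCheck) expose the Event Viewer "Source" here
            "source": provider.get("EventSourceName") or provider.get("Name"),
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "level": int(system.findtext("e:Level", namespaces=NS)),
            "computer": system.findtext("e:Computer", namespaces=NS),
            "data": [d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)],
        })
    return events


def query(events, level=None, event_id=None, source=None, limit=None):
    """Filter like the Log Parser WHERE clauses used in the report (Level 2 = Error,
    3 = Warning; EventID = n), oldest first; `limit` plays the role of TOP n."""
    hits = [e for e in events
            if (level is None or e["level"] == level)
            and (event_id is None or e["event_id"] == event_id)
            and (source is None or e["source"] == source)]
    hits.sort(key=lambda e: e["time"])
    return hits if limit is None else hits[:limit]


def count_by_id(events):
    """Count events per (level name, source, event ID), most frequent first."""
    counts = Counter((LEVEL_NAMES.get(e["level"], str(e["level"])), e["source"], e["event_id"])
                     for e in events)
    return counts.most_common()


def reboot_context(events, window_minutes=5):
    """Pair each unexpected shutdown (EventLog 6008) with the BugCheck 1001 events logged
    within `window_minutes` after it. Both are written at the next boot, so a 6008 with a
    matching 1001 is an unexpected reboot explained by a kernel crash."""
    pairs = []
    for shutdown in query(events, event_id=6008, source="EventLog"):
        crashes = [b["record_id"] for b in query(events, event_id=1001, source="BugCheck")
                   if 0 <= (b["time"] - shutdown["time"]).total_seconds() <= window_minutes * 60]
        pairs.append((shutdown["record_id"], crashes))
    return pairs


if __name__ == "__main__":
    evs = parse_wevtutil_xml(SAMPLE_EXPORT)
    for (level, source, eid), n in count_by_id(evs):
        print(f"{level:<8} {source:<12} {eid:>6}  x{n}")
    for e in query(evs, event_id=10010):
        print("DCOM 10010 at", e["time"].isoformat(), "AppID", e["data"][0])
    print("unexpected shutdowns with BugCheck:", reboot_context(evs))
```

To run it against a real export, replace `SAMPLE_EXPORT` with the contents of the file written by `wevtutil qe System /f:xml > system.xml`; the parser only relies on the System element fields that every event carries.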
DCOM event ID 10010 errors are usually caused by incorrect permissions.
The following steps help resolve DCOM 10010:
1. In the %windir%\registration folder, make sure that the Everyone group has Read
permissions.
2. In the %windir%\registration folder, make sure that the SYSTEM account has Full Control
permissions.
3. In the %windir%\registration folder, make sure that the Administrators group has Full
Control permissions.
4. In the advanced security properties of the .clb files in the %windir%\registration folder,
make sure that the "Allow inheritable auditing entries from the parent to propagate to this
object and all objects. Include these with entries explicitly defined here" option is selected.
5. Make sure that the Everyone group has one of the following permissions:
• Traverse permissions ("List Folder Contents") on all parent directories, including
%systemdrive%, %windir%, and %windir%\registration
• The Bypass traverse checking user right
To assign the Bypass traverse checking user right to the Everyone group, follow these steps:
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. Expand Computer Configuration, expand Windows Settings, expand Security Settings,
expand Local Policies, and then expand User Rights Assignment.
3. Right-click Bypass traverse checking, and then click Properties.
4. Click Add User or Group.
5. Type Everyone, and then click OK.
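Steps 1 to 3 and 5 above amount to an ACL check that is easy to get wrong by eye. As an added example (not from the assignment, and not a Microsoft tool), the following Python parses the listing that `icacls %windir%\registration` prints and reports whether each required principal holds the required right. The listing is constructed here to match the icacls layout (path, then one "principal:(flags)(rights)" entry per line); `REQUIRED` encodes the three requirements from the steps, and `IMPLIES` is this example's own simplified containment of icacls simple rights (F covers M, RX, R and W), not a full Windows access-mask evaluation.

```python
"""Verify the %windir%\\registration permissions required by the DCOM 10010 fix
against an icacls listing (added example, not from the report)."""
import re

_PATH = "C:\\Windows\\Registration"
_PAD = " " * len(_PATH + " ")   # icacls indents entries after the first to the path width

# Constructed listing (not captured from a real host) in the layout printed by
# `icacls C:\Windows\Registration`: the path on the first line, then one
# "principal:(inheritance flags)(rights)" entry per line, then a summary line.
SAMPLE_ICACLS = "\n".join([
    _PATH + " NT AUTHORITY\\SYSTEM:(OI)(CI)(F)",
    _PAD + "BUILTIN\\Administrators:(OI)(CI)(F)",
    _PAD + "Everyone:(OI)(CI)(R)",
    _PAD + "NT SERVICE\\TrustedInstaller:(F)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])
# Same listing with the Everyone entry missing: the misconfiguration the fix addresses.
BROKEN_ICACLS = SAMPLE_ICACLS.replace(_PAD + "Everyone:(OI)(CI)(R)\n", "")

# Requirements from steps 1-3 of the fix: principal as icacls prints it -> simple right.
REQUIRED = {
    "Everyone": "R",
    "NT AUTHORITY\\SYSTEM": "F",
    "BUILTIN\\Administrators": "F",
}
# Simplified containment of icacls simple rights (assumption of this example, not a
# full access-mask evaluation): Full control covers Modify, Read & execute, Read, Write.
IMPLIES = {
    "F": {"F", "M", "RX", "R", "W"},
    "M": {"M", "RX", "R", "W"},
    "RX": {"RX", "R"},
    "R": {"R"},
    "W": {"W"},
}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}


def parse_icacls(path, listing):
    """Return {principal: set of allow-right tokens} for `path` from an icacls listing."""
    rights_by_principal = {}
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith(path):            # the first line carries the path itself
            line = line[len(path):].strip()
        if ":(" not in line:                 # blank line or the summary line
            continue
        principal, flags = line.rsplit(":", 1)
        tokens = re.findall(r"\(([^)]*)\)", flags)
        if "DENY" in tokens:                 # a deny ACE never satisfies a requirement
            continue
        rights = {t for t in tokens if t not in INHERITANCE_FLAGS}
        rights_by_principal.setdefault(principal, set()).update(rights)
    return rights_by_principal


def effective_rights(tokens):
    """Expand simple rights through IMPLIES so that F also satisfies an R requirement."""
    effective = set()
    for t in tokens:
        effective |= IMPLIES.get(t, {t})
    return effective


def check_registration_acl(listing, path=_PATH):
    """Map each required principal to True if its effective rights satisfy REQUIRED."""
    acl = parse_icacls(path, listing)
    return {who: need in effective_rights(acl.get(who, set()))
            for who, need in REQUIRED.items()}


if __name__ == "__main__":
    for name, listing in (("good", SAMPLE_ICACLS), ("broken", BROKEN_ICACLS)):
        result = check_registration_acl(listing)
        status = "OK" if all(result.values()) else "FIX NEEDED"
        print(f"{name}: {status} {result}")
```

On a real machine, feed `check_registration_acl` the captured output of `icacls %windir%\registration` (with `path` set to the expanded folder path); any False value names the principal whose permission step still has to be applied.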
Fig 9: Time generated when the DCOM error occurred on the system
Event ID 1001, BugCheck
The system reboots itself, showing a blue screen, due to a kernel crash in Windows.
We can change some settings so that the system shows the error message instead of rebooting.
Right-click the My Computer icon on the desktop and choose Properties. On the
Advanced tab, click Startup and Recovery. In that dialog, uncheck "Automatically
reboot".
Make sure you check "Write an event to the system log" and "Send an
administrative alert".
In the Write Debugging Information section, choose
"Complete Memory Dump" from the drop-down list. The dump file path
is then: %SystemRoot%\MEMORY.DMP
Fig 10- Event ID 17, source BTHUSB
The local Bluetooth adapter has failed in an undetermined manner and will not be used. The
driver has been unloaded.
Fig 11- Event ID 2505, server error display
The server could not bind to the transport \Device\<device name> because another computer
on the network has the same name. The server could not start.
Fig 12- Event ID 6008, an EventLog error
This event is logged when the previous shutdown of the system was unexpected.
Fig 13- Error from Service Control Manager, event ID 7023.
Service Control Manager (SCM) stops services and driver services. It also reports when
services terminate unexpectedly or fail to restart after it takes corrective action.
Fig 13-The system detected an address conflict for IP address 192.168.1.10 with the system
having network hardware address E0-2C-B2-F2-50-CA. Network operations on this system
may be disrupted as a result.
Fig 14- Service Control Manager logon failure for a service. The SSDP Discovery service failed to
start due to the following error: %%1069
When a service does not start because of a logon failure or when you uninstall Windows
XP Service Pack 3 from your computer, you may receive either of the following error
messages in the system event log after you restart the computer.
This behavior can occur if you configure the service to log on to a user account, and
any of the following conditions are true:
• The right to log on as a service is revoked for the specified user account.
• The password is changed on the user account that the service uses to log on.
• The password data in the registry is damaged.
Warning events:
Fig 15- Obtaining all the warning events from System using Event Viewer
Fig 16- Querying for warning events using Log Parser Lizard
Fig 17- Displaying 10 warning events from System for Event ID 1
This problem seems to be logged when a VMware software solution (such as VMware
Workstation or VMware Server) is installed on a host inside a network where a
DHCP server is already configured. In most cases you can safely stop the VMware DHCP
service and use your own DHCP service.
Fig 18- Event ID 1014, source Microsoft-Windows-DNS-Client
This warning is typically logged when one of the following is true:
• TCP/IP offload is enabled for a network adapter.
• TCP/IP v6 is enabled and the ISP does not yet support TCP/IP v6.
• The spanning tree "portfast" setting is not enabled on your server's switch ports.
• The router and PC are communicating on a different channel or standard.
Method one: Disable RSS, Autotuning, and Taskoffload
1. Run the following commands in an elevated command prompt in Windows 7:
netsh interface tcp set global rss=disabled
netsh interface tcp set global autotuninglevel=disabled
netsh int ip set global taskoffload=disabled
2. Disable the Scalable Networking Pack (SNP) in Windows 7 by changing the registry
settings as follows:
Perform a full-system backup before you disable the SNP.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableTCPChimney"=dword:00000000
"EnableTCPA"=dword:00000000
"EnableRSS"=dword:00000000
If the registry keys do not exist, create them, and then assign the previous values.
Method two: Disable TCP/IP v6
To disable TCP/IP v6
1. Click Start, click Control Panel, click Network and Internet, and then click
View network status and tasks.
2. In the left pane, click Manage Network Connections.
3. Right-click Local Area Connection, and then click Properties.
4. In the pop-up box, clear the Internet Protocol Version 6 (TCP/IPv6) check box.
5. Click OK, and then restart your computer.
To enable TCP/IP v6
1. Follow steps 1 through 3 in the previous procedure.
2. In the pop-up box, select the Internet Protocol Version 6 (TCP/IPv6) check box.
3. Click OK, and then restart your computer.
Method three: Enable the spanning tree portfast setting in your router
This action varies depending on your infrastructure router. Consult your manufacturer for
further details.
Method four: Set your router and PC to communicate on the same channel and standard manually
1. Go to your router admin page, which should be 192.168.1.1 (confirm with your
router manufacturer).
2. Navigate to the Wi-Fi settings and choose a channel that complies with your location,
for example 11. Save.
3. Choose the standard to broadcast the Wi-Fi signal as G only, not abgn, bgn or gn (if your router is N
capable and any PC in your home/office is only G ready). Save.
4. Go to your PC's Network and Sharing Center (Windows 7), click Change Adapter
Settings, select your Wi-Fi adapter, right-click and choose Properties.
5. In the pop-up window select Configure; in the next window click the Advanced tab, browse the
settings there and choose the same channel you chose in your router (for example 11) and the same
standard, G, not abgn, bgn or gn. Save and exit.
Fig 19- An error was detected on device \Device\Harddisk1\DR2 during a paging operation.
Fig 20- Event ID 4229, a warning from source Tcpip
When TCP/IP detects high memory utilization, it terminates some existing system connections
to maintain stability.
Fig 21- Warning event with event ID 1073 from source User32
This warning is logged when a user's attempt to shut down or restart the
computer has failed. This issue occurs because the ExitWindowsEx function does not
handle the EWX_LOGOFF flag correctly.