New system events in NT4 SP4


With SP4 the Event Log service records new events in the system event log that
are useful for measuring operating system availability.


  • NT Restarted Event ID: 6005

    This is the system-log equivalent of security Event ID 512 (System Restart).


  • Clean Shutdown Event ID: 6006

    This means NT was not stopped or restarted until after the screen message “It
    is now safe to turn off your computer” had appeared. The Event Log service
    records a clean shutdown whenever an operating system shutdown is initiated
    through direct user interaction: the Shut Down dialog, Shutdown/Restart via
    Ctrl+Alt+Delete, Shutdown/Restart from the Start menu, or Shutdown/Restart
    from the Logon screen. Clean shutdowns are also recorded when the shutdown is
    initiated programmatically through the InitiateSystemShutdown Win32 API,
    whether called locally or from a remote machine.


  • Dirty Shutdown Event ID: 6008

    The Event Log service records a dirty shutdown whenever the operating system
    was stopped by anything other than a clean shutdown. The most common cause is
    a power cycle, i.e. NT was stopped by powering off the machine. The event is
    recorded on the subsequent reboot. While Windows NT Server is running, the
    system periodically writes a time stamp to the registry, overwriting the “last
    alive” stamp from the previous interval, and flushes it to disk as it is
    written. A normal clean shutdown is also flagged in the registry. If the clean
    shutdown flag is not found on disk when an SP4 system boots, a dirty shutdown
    event is recorded, and the description part of the event carries the “last
    alive” time stamp. The stamp is written at a default interval of 5 minutes to
    HKLM\Software\Microsoft\Windows\CurrentVersion\Reliability\LastAliveStamp.
    Adding the DWORD value TimeStampInterval under the same Reliability key
    changes the interval; the value is in minutes. Setting it to zero disables
    “last alive” logging altogether; only the boot and normal shutdown stamps are
    written in that case. Note that the stamp bounds the failure only to within
    one interval: the machine actually died somewhere between the recorded “last
    alive” time and TimeStampInterval minutes later, so a shorter interval gives a
    tighter outage figure at the cost of a registry flush every interval.


  • System Version Event ID: 6009

    The Event Log service records a system version event containing the operating
    system version information every time the system boots. This makes it easier
    to post-process Windows NT system event logs by operating system version. For
    example, we export the security logs into SQL, and ID 6009 makes a good sort
    key for the OS: like ID 512, it lists the OS version, build number and
    service-pack level.

    An important intrusion indicator is security event ID 577, which signals that
    the server’s time was changed. A 577 close to a 512 or 6009 may be innocent,
    but it is a red flag that the system time was set back so that the gap between
    shutdown and reboot looks short. Another event ID to watch closely is security
    ID 612, which signals that the audit categories have been changed. Auditing of
    policy changes must be enabled for this ID to be recorded.
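Putting the four SP4 events and the security red flags together, here is an added example (not code from the original article) that post-processes an exported event log the way the items above describe: it pairs each 6005 boot with its 6006 or 6008 ending, bounds a dirty shutdown's outage using the “last alive” stamp and TimeStampInterval, pulls the OS version out of 6009 as a sort key, and flags a 577 time change near a boot marker plus any 612. The tab-separated export format, the wording of the 6008 description, the 10-minute flag window and all the sample records are constructed for this example and are not real log output.

```python
"""Post-process exported NT4 SP4 events: availability from 6005/6006/6008 and the
577-near-boot and 612 red flags. Added example, not code from the article. The
tab-separated export format, the 6008 description wording and the sample records
are constructed for this example; a real dumpel or SQL export needs its own mapping."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
STAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
VERSION_RE = re.compile(r"(\d+\.\d+) (\d+) (Service Pack \d+)")
Event = namedtuple("Event", "when log event_id text")

# Constructed sample: clean shutdown on 3/1, power-cycle on 3/3 (reported by the
# 6008 logged on the following boot) and a time change right after that boot.
SAMPLE = """\
1999-03-01 08:00:00\tSystem\t6009\tMicrosoft (R) Windows NT (R) 4.0 1381 Service Pack 4 Uniprocessor Free.
1999-03-01 08:00:05\tSystem\t6005\tThe Event log service was started.
1999-03-01 18:00:00\tSystem\t6006\tThe Event log service was stopped.
1999-03-02 07:55:00\tSystem\t6009\tMicrosoft (R) Windows NT (R) 4.0 1381 Service Pack 4 Uniprocessor Free.
1999-03-02 07:55:05\tSystem\t6005\tThe Event log service was started.
1999-03-03 09:10:00\tSystem\t6009\tMicrosoft (R) Windows NT (R) 4.0 1381 Service Pack 4 Uniprocessor Free.
1999-03-03 09:10:05\tSystem\t6005\tThe Event log service was started.
1999-03-03 09:10:06\tSystem\t6008\tThe previous system shutdown at 1999-03-03 08:40:00 was unexpected.
1999-03-03 09:12:00\tSecurity\t577\tPrivileged Service Called (SeSystemtimePrivilege)
1999-03-03 09:30:00\tSecurity\t612\tAudit Policy Change
"""


def parse_records(text):
    """One Event per non-empty export line, oldest first."""
    events = []
    for line in filter(None, text.splitlines()):
        when, log, event_id, desc = line.split("\t", 3)
        events.append(Event(datetime.strptime(when, FMT), log, int(event_id), desc))
    return sorted(events, key=lambda e: e.when)


def sessions(events, interval_minutes=5):
    """Pair each boot (6005) with the shutdown that ended it. A clean end is the
    6006 time; a dirty end is only known from the last-alive stamp in the 6008
    logged on the *next* boot, and the box actually stopped somewhere between that
    stamp and stamp + TimeStampInterval, so end (earliest) and end_max (latest)
    are both kept."""
    done, cur = [], None
    for e in (x for x in events if x.log == "System"):
        if e.event_id == 6005:
            if cur is not None:          # previous session never logged a 6006
                done.append(cur)
            cur = {"boot": e.when, "end": None, "end_max": None, "kind": "unknown"}
        elif e.event_id == 6006 and cur is not None:
            cur.update(end=e.when, end_max=e.when, kind="clean")
            done.append(cur)
            cur = None
        elif e.event_id == 6008:
            m = STAMP_RE.search(e.text)
            for s in reversed(done):     # explains the latest session without a 6006
                if s["kind"] == "unknown":
                    s["kind"] = "dirty"
                    if m:
                        alive = datetime.strptime(m.group(0), FMT)
                        s.update(end=alive, end_max=alive + timedelta(minutes=interval_minutes))
                    break
    if cur is not None:
        cur["kind"] = "running"
        done.append(cur)
    return done


def downtime_seconds(sess):
    """Outage between consecutive sessions as (best case, worst case): worst assumes
    death at the last-alive stamp, best that it ran until the next stamp was due."""
    best = worst = 0.0
    for prev, nxt in zip(sess, sess[1:]):
        if prev["end"] is not None:
            worst += (nxt["boot"] - prev["end"]).total_seconds()
            best += (nxt["boot"] - prev["end_max"]).total_seconds()
    return best, worst


def os_versions(events):
    """(version, build, service pack) from each 6009: the OS sort key."""
    hits = (VERSION_RE.search(e.text) for e in events if e.event_id == 6009)
    return sorted({m.groups() for m in hits if m})


def red_flags(events, window_minutes=10):
    """A 577 (time changed) within window of a 512/6009 boot marker, and any 612."""
    boots = [e.when for e in events if e.event_id in (512, 6009)]
    flags = []
    for e in (x for x in events if x.log == "Security"):
        if e.event_id == 577:
            near = [b for b in boots if abs((e.when - b).total_seconds()) <= window_minutes * 60]
            if near:
                flags.append(f"{e.when}: time changed (577) within {window_minutes} min of boot at {near[0]}")
        elif e.event_id == 612:
            flags.append(f"{e.when}: audit policy changed (612)")
    return flags


if __name__ == "__main__":
    ev = parse_records(SAMPLE)
    print(*sessions(ev), downtime_seconds(sessions(ev)), os_versions(ev), *red_flags(ev), sep="\n")
```

When reporting availability, use the worst-case downtime: the “last alive” stamp can be up to TimeStampInterval minutes older than the actual failure, and a dirty shutdown with no parseable stamp in its description stays as an open-ended gap rather than being silently counted as zero. The window in red_flags is a guess; set it to however long a reboot of the box realistically takes.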


Prior to SP4, the recording of operating system crashes in the event log
(Save Dump events) was optional. By default, crash events were recorded but a
system administrator could disable this behavior in the System control panel by
clearing “Write an event to the system log when a STOP error occurs” on the
Startup/Shutdown tab. In SP4, the recording of crashes in the event log is
mandatory for Windows NT Server and can’t be disabled by an administrator. There
is no change for Windows NT Workstation; an administrator can still choose
either setting.

Other Event IDs:

ID 512 : System Restart
ID 517 : Security Log Cleared. Only individuals with the Manage Auditing and
         Security Log right can clear the security log.
ID 612 : Audit Policy Change



Frank Heyne has made available a Windows NT Eventlog FAQ.
