Event Log Clearing/Manipulation
Description: Refers to attempts to delete event records from the Windows Event Logs (
.evtxfiles) to remove evidence of specific actions (like time changes, service manipulation, errors potentially caused by cheats, security events).Mechanism:
Event Viewer GUI: Manually right-clicking on a specific log (e.g., Security, Application, System) and selecting "Clear Log...".
wevtutil.exeCommand: Using the command-line toolwevtutil cl LogName(e.g.,wevtutil cl Security,wevtutil cl Application). Requires admin privileges.Stopping the EventLog Service: Using
sc stop eventlogornet stop eventlog(requires specific permissions) prevents new events from being logged while stopped.Advanced Tampering: More sophisticated methods might involve directly manipulating
.evtxfiles offline (difficult) or using tools like PsExec to disconnect specific log channels (also complex and rare in typical SS scenarios).
Why Cheaters Use It: To erase records of actions like system time changes (ID 4616), USN Journal deletion (ID 3079), service stops/starts (ID 7036), application crashes (often ID 1001/1002), or potentially security events triggered by their tools.
Detection: Windows has built-in mechanisms to log the clearing action itself:
Security Log Clearing: Clearing the Security log generates Event ID 1102 within the Security log itself before the clear operation completes. Finding this event is definitive proof the Security log was intentionally cleared.
Other Log Clearing: Clearing other logs (Application, System, Setup, etc.) generates Event ID 104 in the System log, indicating which specific log was cleared.
Stopped EventLog Service: Finding the
eventlogservice stopped viasc query eventlogis highly suspicious. The System log (Event ID 7036) should also show the service entering the stopped state.Gaps in Logs: Unexplained chronological gaps in event logs can sometimes suggest clearing or manipulation, but require careful analysis to distinguish from normal system behavior or configuration.
Last updated