Key Event Logs and IDs for ScreenSharing

Filtering by specific Event IDs is the most efficient way to use Event Viewer during a screenshare. Right-click a log (e.g., Security) -> "Filter Current Log...".

  • System Time Change (Security Log):

    • Event ID: 4616

    • Log: Security (Security.evtx)

    • Description: Records instances where the system time was changed.

    • Context is Key: Examine the "Process Name" or "Process ID" fields within the event details. Changes initiated by svchost.exe (often related to services.exe) might be legitimate network time synchronizations. Changes initiated by cmd.exe or powershell.exe strongly indicate a manual time change by the user, which is highly suspicious during or shortly before gameplay/SS.

  • Audit Log Clearing (Security Log):

    • Event ID: 1102

    • Log: Security (Security.evtx)

    • Description: Explicitly records when the Security log itself was cleared. This action requires administrative privileges and is almost always performed manually by someone trying to hide security-related activities. Finding this event is a very strong indicator of malicious intent or tampering.

  • USN Journal Deletion (Application Log):

    • Event ID: 3079

    • Log: Application (Application.evtx)

    • Source: usually the fsutil utility, or another component calling the same journal-deletion API.

    • Description: Indicates that the USN Journal for a specific volume (drive letter usually mentioned) was deleted (e.g., via fsutil usn deletejournal). This is a direct attempt to erase the filesystem activity history.

  • Log File Cleared (Non-Security):

    • Event ID: 104

    • Log: System (System.evtx)

    • Description: Records when other event logs (like Application, System, Setup, or custom logs under "Applications and Services Logs") were cleared. This event is not generated for clearing the Security log (which uses 1102). Clearing logs like Application or System can still be suspicious depending on context.

  • EventLog Service Stop/Start (System Log):

    • Event ID: 7036

    • Log: System (System.evtx)

    • Source: Service Control Manager

    • Description: Logs when services enter running or stopped states. Filtering for "eventlog" in the message text can show if the core logging service itself was stopped and restarted, indicating potential tampering.
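The same five filters, run from PowerShell instead of clicking through "Filter Current Log...", as an added example that is not part of the original page. It uses Get-WinEvent with a FilterHashtable per log, pulls the "Process Name" field out of 4616 to apply the context rule above (cmd.exe/powershell.exe vs. svchost.exe), and keeps only the 7036 entries that mention the Event Log service. The 7-day look-back window and the severity labels are assumptions for illustration; the Security log can only be read from an elevated session.

```powershell
# Added example: sweep the event IDs listed above and flag the high-risk ones.
# Assumes an elevated PowerShell session and a 7-day window (both assumptions).
$since = (Get-Date).AddDays(-7)

# Helper: read one EventData field by name from an event's XML payload.
function Get-EventDataField {
    param(
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# One filter per (log, event ID) pair from the list above.
$filters = @(
    @{ LogName = 'Security';    Id = 4616; StartTime = $since }   # system time changed
    @{ LogName = 'Security';    Id = 1102; StartTime = $since }   # Security log cleared
    @{ LogName = 'Application'; Id = 3079; StartTime = $since }   # USN journal deleted
    @{ LogName = 'System';      Id = 104;  StartTime = $since }   # other log cleared
    @{ LogName = 'System';      Id = 7036; StartTime = $since }   # service state change
)

$findings = foreach ($f in $filters) {
    # SilentlyContinue: Get-WinEvent throws when a filter matches no events.
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
        $ev = $_
        switch ($ev.Id) {
            4616 {
                # Context is key: which process changed the clock?
                $proc = Get-EventDataField -Event $ev -Name 'ProcessName'
                $prev = Get-EventDataField -Event $ev -Name 'PreviousTime'
                $new  = Get-EventDataField -Event $ev -Name 'NewTime'
                $sev  = if ($proc -match '\\(cmd|powershell|pwsh)\.exe$') { 'HIGH' }
                        elseif ($proc -match '\\svchost\.exe$')           { 'LOW' }
                        else                                              { 'REVIEW' }
                [pscustomobject]@{
                    Time = $ev.TimeCreated; Id = 4616; Severity = $sev
                    Detail = "Time changed by $proc ($prev -> $new)"
                }
            }
            1102 {
                [pscustomobject]@{
                    Time = $ev.TimeCreated; Id = 1102; Severity = 'HIGH'
                    Detail = 'Security log cleared (requires admin)'
                }
            }
            3079 {
                [pscustomobject]@{
                    Time = $ev.TimeCreated; Id = 3079; Severity = 'HIGH'
                    Detail = ($ev.Message -split "`n")[0]   # names the volume
                }
            }
            104 {
                [pscustomobject]@{
                    Time = $ev.TimeCreated; Id = 104; Severity = 'REVIEW'
                    Detail = ($ev.Message -split "`n")[0]   # names the cleared channel
                }
            }
            7036 {
                # Only the logging service itself is interesting here.
                if ($ev.Message -match 'Event ?Log service') {
                    $sev = if ($ev.Message -match 'stopped') { 'HIGH' } else { 'REVIEW' }
                    [pscustomobject]@{
                        Time = $ev.TimeCreated; Id = 7036; Severity = $sev
                        Detail = ($ev.Message -split "`n")[0]
                    }
                }
            }
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Run it as-is to get a single time-ordered table; narrow the window by changing `$since`, or add `| Where-Object Severity -eq 'HIGH'` before Format-Table to see only the log-clearing, journal-deletion and manual time-change events. Nothing here modifies the logs, so it is safe to run on the machine being checked.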
