Gaps in Security Log

by Mitch Tulloch [Published on 14 July 2005 / Last Updated on 14 July 2005]

You found a gap of several hours in your Security log, what does it mean?

You're reviewing the Security log on a Windows server and notice a 12 hour gap where there were no events logged. Could someone have hacked your server and tried to erase their tracks? Or was it simply a glitch of some kind, or a botched cover up of improper actions by another admin?

Start by looking at the events right at the end of the gap. Event 512 indicates that the server is booting up, so it may simply be that the server was down for 12 hours. Event 612 incidates that the audit policy on the machine was changed, usually by a GPO, so check and make sure that another admin hasn't done something they shouldn't have.

You might think that Windows Security logs are totally secure, but there's actually a free tool called WinZapper that let's someone with admin access erase any events they want to from the Security Log. One way to prevent rogue admins from using this tool on your servers is to implement a Software Restriction Policy using Group Policy that prevents the WinZapper executable from running.

See Also

The Author — Mitch Tulloch

Mitch Tulloch is a well-known expert on Windows Server administration and cloud computing technologies. He has published over a thousand articles on information technology topics and has written, contributed to or been series editor for over 50 books.

Featured Links