Gaps in Security Log

by Mitch Tulloch [Published on 14 July 2005 / Last Updated on 14 July 2005]

You found a gap of several hours in your Security log, what does it mean?

You're reviewing the Security log on a Windows server and notice a 12 hour gap where there were no events logged. Could someone have hacked your server and tried to erase their tracks? Or was it simply a glitch of some kind, or a botched cover up of improper actions by another admin?

Start by looking at the events right at the end of the gap. Event 512 indicates that the server is booting up, so it may simply be that the server was down for 12 hours. Event 612 incidates that the audit policy on the machine was changed, usually by a GPO, so check and make sure that another admin hasn't done something they shouldn't have.

You might think that Windows Security logs are totally secure, but there's actually a free tool called WinZapper that let's someone with admin access erase any events they want to from the Security Log. One way to prevent rogue admins from using this tool on your servers is to implement a Software Restriction Policy using Group Policy that prevents the WinZapper executable from running.

The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see .

Latest Contributions

Featured Links