Finding Event Logs Caused by an Action

Windows 10 1803 x2 - vanilla install, all commands run from elevated prompt

Ever want to find out what Windows Event Logs are created by a particular action? There doesn't seem to be an evtx diff utility, and being a binary format makes it somewhat difficult. Log Parser could probably do it, but as Richard Davis mentions, it's not widely used because the syntax can be a pain. With this in mind, I do believe there's probably a better way, but I went for a pretty strightforward approach.

  • Clear the logs
  • Do the action
  • Export the logs
  • See what's there!

Clear the logs

To start with, I want to clear all the logs, because I want to see related events for any given log file, not just system or security. This led to one very interesting discovery. There is a single log file, Microsoft-Windows-LiveId/Operational, that is restricted read only by default, even to an administrator. The fix to this is to grant administrator privileges to this log by running wevtutil sl Microsoft-Windows-LiveId/Operational /ca:O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)[1]

With this done, we can clear all the logs using a quick for-loop[2]:

for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
wevtutil.exe cl security
wevtutil.exe cl system

Note that I then cleared system and security again. This is because several events noting that other logs were cleared will be written to them during the loop, after system and security are cleared, so we want to clean those up one more time.

Do the thing / Export the logs

Next, and as quickly as possible, perform whatever action you want. As soon as it's done, export all the logs. Using a quick for-loop again, we can iterate through and export all the logs ("/rd:false" places the newest logs on top[3])

for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe qe "%1" /rd:false /format:text >> evt1.txt

Even though whatever action you took may have been reasonably quick, I ended up with 50 or so events, some of them unrelated. Windows is just noisy like that. My solution is to run this cleanup -> action -> export process several times, exporting each set as evt2.txt, evt3.txt, etc.

Find your events

We can use a quick bash for-loop (all hail WSL) to grab all the unique Event ID's from each file:
for i in $(seq 1 5); do grep 'Event ID:' evt$i.txt | sort -u > $i.grep; donewc
Then we find what event ID's all of these files have in common[4]
comm -12 1.grep 2.grep | comm -12 - 3.grep | comm -12 - 4.grep | comm -12 - 5.grep > common.txt
(BTW, comm is a wonderful utility, if you're not framiliar with it, read more)

Poke through the events

Some will still be unrelated, such as Event ID 104 and 1102, which relate to the system and audit log being cleared (our last actions when clearing the logs earlier). Some noise will make it through, such as a Windows Hello For Business and AppXDeployment events that just occurs often enough that they were seen across all demos. However, what I did manage to do was take the original 167 events across my 5 demos, narrow it down to 103 unique events. Further narrow that down to just 17 events that all occured during each demo, and reduce those to 12 events related to that one specific action, and 4 of those that were not just related, but super useful.

All with just a few command line arguments and for-loops.

  1. ↩︎

  2. ↩︎

  3. ↩︎

  4. ↩︎