
Posts

How to determine when was the last time the machine was rebooted from exported System Windows Event log

An exported System Windows Event log provides a lot of useful information for digital forensics. One piece of information that is often important is when the machine was last (re)started. To find it, sort on the Date and Time column and look for an event whose Source is Kernel-General (provider Microsoft-Windows-Kernel-General) and whose Event ID is 12; its message reads "The operating system started at system time ...". See below for reference.

Using Microsoft Log Parser for analysing log files

Date: 8/23/2020

Log Parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®. The application has not been updated since April 20, 2005, but it is still quite useful for analyzing log files. See the link below for the download location:
https://www.microsoft.com/en-us/download/details.aspx?id=24659

Example queries

Show me the latest 10 reboots of the local machine (FROM System reads the live System log; -i:EVT selects the Event Log input format):
logparser "SELECT TOP 10 * FROM System WHERE (EventID = 12) AND (SourceName = 'Microsoft-Windows-Kernel-General') ORDER BY RecordNumber DESC" -i:EVT

Show me the latest 10 reboots of the local machine and save the result to reboot.csv:
logparser "SELECT TOP 10 * INTO C:/X/reboot.csv FROM System WHERE (EventID = 12) AND (SourceName = 'Micro

How to determine the timezone from exported system Windows Event log

Loading an exported Windows Event log in the Event Viewer application displays the times in the local time zone of the machine doing the viewing, not of the machine that produced the log. To determine the time zone of the log file, look for Event ID 6013 from the source/provider EventLog and read its seventh data element, see below for reference. Another thing to note is that you have to consider daylight saving time (DST). In the above example, the seventh data element reads 360 Central Standard Time, i.e. a bias of 360 minutes or UTC-6, but because DST was in effect, instead of using 360 minutes when converting the stored time you have to use 300, i.e. UTC-5. The bias in the 6013 event is the standard-time value; it does not change with DST, so check the date of the event you are converting against the DST rules of that zone.
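The three posts above (last reboot, Log Parser reboot queries, and the time-zone bias) can be done against an exported .evtx without Event Viewer or Log Parser by using Get-WinEvent. The following is an added example, not code from the original posts; it assumes the exported log is at C:\X\System.evtx (a hypothetical path) and that Event ID 6013 carries the bias as its seventh data element, as the post describes.

```powershell
# Added example (not part of the original posts): read an exported System log
# with Get-WinEvent, find the most recent reboot (Kernel-General, Event ID 12)
# and the time-zone bias recorded in Event ID 6013 from the EventLog source.
# Assumption: the exported log lives at C:\X\System.evtx (hypothetical path).

function Get-LastBootFromExportedLog {
    param([Parameter(Mandatory)][string]$Path)

    # Event ID 12 from Microsoft-Windows-Kernel-General: "The operating system started at ..."
    # Get-WinEvent returns newest first, so -MaxEvents 1 is the latest reboot.
    $bootXPath = "*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and EventID=12]]"
    $boot = Get-WinEvent -Path $Path -FilterXPath $bootXPath -MaxEvents 1 -ErrorAction Stop

    # Event ID 6013 from EventLog carries the time-zone bias as its seventh data element,
    # e.g. "360 Central Standard Time": minutes to add to source-local time to get UTC.
    $tzXPath = "*[System[Provider[@Name='EventLog'] and EventID=6013]]"
    $tz = Get-WinEvent -Path $Path -FilterXPath $tzXPath -MaxEvents 1 -ErrorAction Stop
    $tzField     = [string]$tz.Properties[6].Value
    $biasMinutes = [int](($tzField -split ' ', 2)[0])
    $tzName      = ($tzField -split ' ', 2)[1]

    # Timestamps in an .evtx are stored in UTC; TimeCreated (like Event Viewer) shows
    # them in the local time of the analysis machine, so go back to UTC explicitly.
    $bootUtc = $boot.TimeCreated.ToUniversalTime()

    [pscustomobject]@{
        RecordId            = $boot.RecordId
        BootTimeUtc         = $bootUtc
        TimeZoneName        = $tzName
        StandardBiasMinutes = $biasMinutes
        # Source-local time in standard time, and the DST variant (bias 60 minutes
        # smaller, the 300-vs-360 case in the post). Pick the one matching the date.
        BootTimeSourceStd   = $bootUtc.AddMinutes(-$biasMinutes)
        BootTimeSourceDst   = $bootUtc.AddMinutes(-($biasMinutes - 60))
    }
}

Get-LastBootFromExportedLog -Path 'C:\X\System.evtx' | Format-List
```

Run it in a PowerShell session on any Windows machine that can read the exported file; nothing is written. Drop -MaxEvents 1 to list every reboot in the file, which is the Get-WinEvent equivalent of the Log Parser TOP 10 query above.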

Run a task when specific event is logged in Windows Event Log

Running a task when a specific event is logged in the Windows Event Log can be very useful when monitoring critical events. For example, you can run a task that sends out an email when an event is logged about a network interface going down. Of course, this will only be useful if the machine is multi-homed. Anyway, hopefully you get the idea.

Scenario: run a task when a message "Hello world" is logged to the 8thstring log location and the source is 8thsource. It might make sense to see the related post on logging events from PowerShell for reference.

Steps:
Open Task Scheduler (taskschd.msc /s)
Create a task
Name it, for example TestRunTask
Under the Triggers tab, select New...
In the New Trigger window, select On an event for Begin the task, then select Custom and finally click New Event Filter...
In the New Event Filter window, select the XML tab, then enable Edit query manually
You can use the XML fragment below as reference:
<QueryList>
  <Query Id="0" Path="8thstring">
    <Select Path

Debugging COM server using CDB/WinDbg combination

This actually applies to any application, but it is most useful for COM/DCOM servers and Windows services, which you cannot simply start under a debugger yourself. For example, to debug the Notepad application remotely or from another session, add the following to the registry on the target computer (from an elevated prompt):

c:\> reg.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Notepad.exe" /v debugger /t REG_SZ /d "\"C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe\" -server tcp:port=5500 -g -G" /f

When Notepad.exe is run it will automatically be started under the debugger (cdb), which listens as a remote server on TCP port 5500. To connect to the cdb session using WinDbg, do:

c:\> "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbg.exe" -remote tcp:server=localhost,port=5500

Note that the Image File Execution Options Debugger value applies to every launch of that image name by every user until you delete it, and the debug server port is unauthenticated, so remove the value when you are done. The same registry key is also a well-known persistence mechanism, so leftover Debugger values tend to be flagged by endpoint monitoring.
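The same setup as the reg.exe command above, done from PowerShell with a matching cleanup and a listing of every Debugger value under Image File Execution Options. This is an added example, not code from the original post; it assumes cdb.exe is at the Windows Kits path used above and that Notepad.exe is the target image, and it must be run elevated.

```powershell
# Added example (not part of the original post): set, list and remove an
# Image File Execution Options "Debugger" value with PowerShell instead of reg.exe.
# Assumptions: cdb.exe at the Windows Kits path from the post, Notepad.exe as the
# target image name; adjust both for your machine. Run in an elevated session.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Set-IfeoDebugger {
    param(
        [Parameter(Mandatory)][string]$ImageName,   # file name only, e.g. Notepad.exe
        [Parameter(Mandatory)][string]$Debugger,    # full path to cdb.exe
        [int]$Port = 5500
    )
    $key = Join-Path $ifeo $ImageName
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
    # Same command line as the reg.exe example: cdb as a TCP remote server;
    # -g and -G skip the initial and final breakpoints.
    $cmd = "`"$Debugger`" -server tcp:port=$Port -g -G"
    New-ItemProperty -Path $key -Name Debugger -PropertyType String -Value $cmd -Force | Out-Null
}

function Get-IfeoDebugger {
    # Every Debugger value under IFEO, whoever set it. Because this key is also a
    # persistence mechanism, any entry you did not configure yourself deserves a look.
    Get-ChildItem -Path $ifeo | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue
        if ($v) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $v.Debugger } }
    }
}

function Remove-IfeoDebugger {
    param([Parameter(Mandatory)][string]$ImageName)
    # Remove only the Debugger value; other IFEO settings for the image are left alone.
    Remove-ItemProperty -Path (Join-Path $ifeo $ImageName) -Name Debugger -ErrorAction SilentlyContinue
}

Set-IfeoDebugger -ImageName 'Notepad.exe' -Debugger 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe'
Get-IfeoDebugger
# ... start Notepad, attach with windbg -remote as above, then clean up:
Remove-IfeoDebugger -ImageName 'Notepad.exe'
```

Get-IfeoDebugger is also a quick way to confirm nothing else on the box is already hijacking image launches before you add your own entry.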

Use Windows Event Log to log events from PowerShell

The Windows Event Log is a convenient event store for logging information. Once data is in the Windows Event Log it can be correlated with other information on the system.

There are two basic steps to do this:
Create the log location and source
Write log information into that location and source

To create the log location and source, do:
PS C:\> New-EventLog -LogName 8thstring -Source 8thSource
Where:
8thstring is the log location
8thSource is the source

You have to run this in an elevated PowerShell session. And if you have Windows Event Viewer open, you have to close and re-open it to see the new log. It should show up under Applications and Services Logs.

To write to that log location and source, do:
PS C:\> Write-EventLog -LogName 8thstring -Source 8thSource -Message "Hello world" -EventId 0 -EntryType Information
Where:
-LogName 8thstring // 8thstring was created using New-EventLog above
-Source 8thSource // 8thSource was also created as part of the New-EventLog call above
- Mess
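The two steps above, followed by a check that the event filter a Task Scheduler "On an event" trigger would use (the QueryList form from the post on running a task when an event is logged) actually matches what Write-EventLog produced. This is an added example, not code from the original posts; it assumes the log name 8thstring and source 8thSource from the post, an elevated session for New-EventLog, and it checks the message text in PowerShell rather than in the XPath.

```powershell
# Added example (not part of the original posts): create the custom log and source,
# write an event to it, then verify with Get-WinEvent that the same XML filter a
# Task Scheduler "On an event" trigger would use matches that event.
# Assumptions: log 8thstring and source 8thSource as in the post; run elevated.

$logName = '8thstring'
$source  = '8thSource'

# Step 1: create the log location and source. Idempotent: skip if the source exists.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName $logName -Source $source
}

# Step 2: write an informational event with -EventId 0, as in the post.
Write-EventLog -LogName $logName -Source $source -EventId 0 -EntryType Information -Message 'Hello world'

# Step 3: the filter in the shape Task Scheduler's "Edit query manually" expects:
# one Query whose Path is the log and whose Select restricts provider and EventID.
# Write-EventLog registers the source name as the provider name.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="$logName">
    <Select Path="$logName">*[System[Provider[@Name='$source'] and EventID=0]]</Select>
  </Query>
</QueryList>
"@

function Test-EventFilterMatches {
    param([string]$FilterXml, [string]$ExpectedMessage)
    # Get-WinEvent -FilterXml takes the same QueryList XML as the task trigger.
    $hits = Get-WinEvent -FilterXml $FilterXml -MaxEvents 10 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$ExpectedMessage*" }
    # True when at least one recent event from that source carries the message.
    return [bool]$hits
}

Test-EventFilterMatches -FilterXml $filterXml -ExpectedMessage 'Hello world'
```

If Test-EventFilterMatches returns True, the same XML pasted into the New Event Filter dialog will fire the task; if it returns False, fix the provider name or Event ID in the filter before creating the task rather than debugging the trigger afterwards.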

How to install USB/IP for Windows on Server 2008 R2

The USB/IP project aims to develop a general USB device sharing system over an IP network. To share USB devices between computers with their full functionality, USB/IP encapsulates "USB I/O messages" into TCP/IP payloads and transmits them between computers. A fork of the USB/IP client for Windows is located here. Getting this forked version to work with Windows Server 2008 R2 is not straightforward. I have documented below how I was able to get it to work on 2008 R2.

Download 0.1.0 (https://github.com/cezanne/usbip-win/releases/tag/v0.1.0); download everything into a directory, excluding source*
Remember to unblock the files
Save to c:\usbip
Download the x64 build for Win7 (https://github.com/cezanne/usbip-win/files/4743857/usbip_vhci_v0.1.0_win7_x64.zip)
Unblock the zip file
Extract it
Copy the files over, overwriting the files in c:\usbip
Allow running non-validated drivers: bcdedit.exe /set TESTSIGNING ON (note that this relaxes driver signature enforcement for the whole machine, not just this driver, until you set it back OFF)
Restart the computer
Import the certificates manually:
Run mmc.exe
File | Add/Remove Snap-in...
In Available snap-ins