Tuesday, October 31, 2006

On Windows Event Logs

This post is devoted to the masters of complexity from Redmond :-)

Basically, "there are 7 events associated with object access auditing in Windows." The blog post by Eric Fitzgerald sheds some light on Windows object access event logs and on why a single file operation shows up as several records.

The most curious thing is the part where the complexity of the audit is explained. The quote is:

'You might ask, “Well, Eric, why don’t you just get rid of all that junk and just log an event that says what Word did?”.

Good question. As I mentioned in my post on “Trustworthiness in Audit Records” [which I will blog about soon :-) - AC], the only practical way to do that would be to instrument Word for audit, and then the audit trail would be exactly as reliable as the user using Word, because if Word can write to the audit trail, and Word is running in the user’s context, then the user can write to the audit trail.'

Did you get it?
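To make the point concrete, here is an added example (my code, not from Eric's post or from Microsoft) that takes the low-level object-access records the kernel writes and stitches them back into "what the program did to the file". The page does not list the seven events, so the script assumes the post-Vista IDs 4656 (handle requested), 4663 (access exercised) and 4658 (handle closed); the records themselves are constructed stand-ins for parsed Security-log entries, not real log output. Note that the process name and user in each session come from the kernel's view of who asked for the handle, which is exactly what a record written by Word itself could not vouch for.

```python
"""Reconstruct 'what the program did to the file' from Windows object-access events.

Constructed example: the event IDs are the post-Vista object-access IDs
(4656 handle requested, 4663 access attempted, 4658 handle closed) and the
records are hand-written stand-ins for parsed Security-log entries.
"""

HANDLE_OPEN, ACCESS_ATTEMPT, HANDLE_CLOSE = 4656, 4663, 4658

SAMPLE_EVENTS = [
    # Word opens report.docx, reads it, writes it, closes it: four kernel events.
    {"id": 4656, "pid": "0x9c0", "handle": "0x1a4", "process": "WINWORD.EXE",
     "user": "CORP\\anton", "object": "C:\\Users\\anton\\Documents\\report.docx",
     "access": {"ReadData", "WriteData"}},
    {"id": 4663, "pid": "0x9c0", "handle": "0x1a4", "access": {"ReadData"}},
    {"id": 4663, "pid": "0x9c0", "handle": "0x1a4", "access": {"WriteData"}},
    {"id": 4658, "pid": "0x9c0", "handle": "0x1a4"},
    # The same handle value is reused by the same process for the lock file;
    # it is written but not yet closed.
    {"id": 4656, "pid": "0x9c0", "handle": "0x1a4", "process": "WINWORD.EXE",
     "user": "CORP\\anton", "object": "C:\\Users\\anton\\Documents\\~$report.docx",
     "access": {"ReadData", "WriteData", "Delete"}},
    {"id": 4663, "pid": "0x9c0", "handle": "0x1a4", "access": {"WriteData"}},
    # Explorer opens the directory and never exercises the handle.
    {"id": 4656, "pid": "0x1b8", "handle": "0x2f0", "process": "explorer.exe",
     "user": "CORP\\anton", "object": "C:\\Users\\anton\\Documents",
     "access": {"ReadData"}},
    # An access whose 4656 is missing (log wrapped before the open was read).
    {"id": 4663, "pid": "0x3e4", "handle": "0x88", "access": {"WriteData"}},
]


def correlate(events):
    """Group events into handle sessions keyed by (pid, handle).

    Returns (sessions, orphans). A 4656 always starts a new session, because
    the kernel reuses handle values once a handle is closed; 4663/4658 events
    attach to the session currently open on that key, and those with no open
    session are reported as orphans instead of being silently dropped.
    """
    sessions, orphans, open_by_key = [], [], {}
    for ev in events:
        key = (ev["pid"], ev["handle"])
        if ev["id"] == HANDLE_OPEN:
            session = {"pid": ev["pid"], "handle": ev["handle"],
                       "process": ev["process"], "user": ev["user"],
                       "object": ev["object"],
                       "requested": set(ev["access"]),   # rights asked for at open
                       "exercised": set(),               # rights actually used
                       "closed": False}
            sessions.append(session)
            open_by_key[key] = session
        elif ev["id"] == ACCESS_ATTEMPT:
            session = open_by_key.get(key)
            if session is None:
                orphans.append(ev)
            else:
                session["exercised"] |= set(ev["access"])
        elif ev["id"] == HANDLE_CLOSE:
            session = open_by_key.pop(key, None)
            if session is None:
                orphans.append(ev)
            else:
                session["closed"] = True
    return sessions, orphans


def describe(session):
    """One human-readable line per handle session."""
    requested = ",".join(sorted(session["requested"]))
    used = ",".join(sorted(session["exercised"])) or "none"
    state = "closed" if session["closed"] else "still open"
    return (f'{session["user"]} via {session["process"]} (pid {session["pid"]}) '
            f'opened {session["object"]} [requested {requested}; used {used}; {state}]')


if __name__ == "__main__":
    found, lost = correlate(SAMPLE_EVENTS)
    for s in found:
        print(describe(s))
    for ev in lost:
        print(f'orphan event {ev["id"]} for pid {ev["pid"]} handle {ev["handle"]}')
```

Two practical caveats the example is built around: handle values are recycled, so correlation has to key on (process, handle) and treat every handle-open as a fresh session rather than merging by handle alone; and a log that has wrapped or been cleared leaves access events with no matching open, which you want surfaced as orphans rather than quietly attributed to nothing. On Windows 2003-era systems the IDs differ (560, 562 and 567 play the open, close and access-attempt roles there), but the correlation logic is the same.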

Dr Anton Chuvakin