DFIR blog: Windows Event Log forensics & .evtx parsing
Short notes on the Windows Event Log binary format, common forensic event IDs, and triage workflows.
4663 is the per-access object-audit record. Configure SACLs on the right files and keys and you get a per-access log of who touched what — useful for ransomware, exfil, and credential-store theft.
4672 fires whenever a logon is granted sensitive privileges like SeDebugPrivilege or SeTcbPrivilege. Read it as the 'this logon is admin-equivalent' signal and the rest of your audit policy falls into place.
4688 is the base-OS process-creation record; the command line is only populated when command-line auditing is on. Here's what's in it, how it differs from Sysmon 1, and the triage patterns that earn their keep.
4720 fires every time a user account is created — locally or in AD. Read it with 4722/4724/4732 and you spot persistence and lateral-movement accounts within minutes.
4768 is the DC's record of every TGT issued. Read it through the result code and pre-auth flag and you spot AS-REP roasting, brute force, and unconstrained-delegation abuse.
4769 is the DC's record of every service-ticket request. Read it through the encryption type and you spot kerberoasting; read it with 4768 and you spot pass-the-ticket.
7036 fires every time a service starts or stops. Paired with 7045 it confirms whether persistence actually ran — and on its own it reveals service abuse, defense evasion, and boot anomalies.
Five ways to open a Windows .evtx file — in your browser, in Event Viewer, with wevtutil, with EvtxECmd, or with python-evtx. Pick by host OS and how much friction you can stomach.
An .evtx file is a binary Windows Event Log. Where they live, what's inside one, how they differ from .evt, and how to open them — without installing anything.