
Thread: Windows 2k/XP Log Files

  1. #31
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Spy: You need to turn auditing on for any auditing to be done by Windows. The Local Security Policy is the place to do that, or the Group Policy editor if you are in an AD environment.

    Your posts were suspicious by my level of suspicion. It's not a bad thing for me to be suspicious and it's not a bad thing for my suspicion to cause me to ask you questions.... If you have nothing to hide then you will have no problem with the questions.

    Pooh: I'm getting PMs and APs too.... Funny that, isn't it? How there is more than one viewpoint to an issue and people either agree or don't....... Feel free to do things your way and I'll feel free to do things mine. I will sit comfortably knowing that I haven't helped some clueless skiddie to victimize your granny by giving out information to anyone who asks.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #32
    If you have nothing to hide then you will have no problem with the questions.
    Unless it comes off as rude. This is a forum about knowledge and asking questions, not a "show me some ID"

    I'm getting Pm's and AP's too.... Funny that isn't it?
    Getting friends to give you AP always helps, I'm sure. You sure won that important argument of the day, I tell you what.

    I will sit comfortably knowing that I haven't helped some clueless skiddie to victimize your granny by giving out information to anyone who asks.
    My thanks for looking out for granny. Oh, and remember your granny as well, for the exploit code and revisions passed on via BugTraq and MS Bugtesting, tested by greyhats, so her good old windows computer would be running safe.... didn't come from you nor any other 'paranoid-snobbed-whitehat=user'

    As you saw in the last two posts, he does not want your opinion because you were rude. I do not want your opinion because you are ignorant to the larger process. Me and him will continue sharing information, so follow your own words, and sit comfortably instead of typing an argument out.

  3. #33
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Pooh:

    Getting friends to give you AP always helps
    Ahh.... nice...... Accusing me of an AP alliance...... Time to grow up young man.

    'paranoid-snobbed-whitehat=user'........ he does not want your opinion because you were rude. I do not want your opinion because you are ignorant to the larger process.....
    You show yourself for what you are pooh...... Your intellect has expired so your insults kick in. While it is a familiar pattern for the inadequate to turn this corner I really did think better of you. I guess I should have realized when you first negged me that this would be the probable outcome. There has been an overwhelming pattern to the private contacts I have had from others regarding you that have proven true. Pooh is always right. Everyone else is wrong. Pooh always has to have the last word is the general consensus. These are clearly smart people for they have proven themselves to be right. And before you accuse them of being "my friends" again I don't believe I have _ever_ had private contact with any of them previously.

    Now.... The floor is yours to have the last word and tell me just how right you are and how wrong I am...... Then feel free to trot along and not bother me in the future......

    You have proven that you do not reach my standards......

    Bye now......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #34
    Ok guys, I have the end-all solution to this debate at hand: If you're "paranoid", don't answer the question. If you aren't, do answer the question. There ya go!

    What Pooh and Tiger have so well demonstrated is that every security guru is going to have his/her own philosophy. Neither point of view is necessarily right or wrong, but comes from the shaping of experience. Despite my own lack of experience thus far, I've had enough to understand both viewpoints. Tiger, keep being paranoid, and Pooh, keep being generous, and as long as you let each other handle things your own way, things'll work without a hitch. Maybe you two are here to balance each other out in some greater AntiOnline fate.

    But as long as each of you tries to convince the other to the opposing viewpoint, it'll just go on and on while the rest of us are left asking "What was the question again?"

    On another note, it's important for newbies to understand that truth is, more of us are highly paranoid than not, and should learn to expect the skeptical prodding questions without taking it personally. Don't be offended by them, just accept them as normal and keep asking your questions, and learn from what causes the vets to ask these questions in the first place. That is a valuable lesson. I learned that quickly as a newbie, and am actually surprised some of my own questions haven't been scrutinized yet.

  5. #35
    AngelicKnight is the standard problem solver.

    And thank you Pooh for the previous reply.
    MySig != Worth your time

  6. #36
    I'd rather be fishing
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by pooh sun tzu
    Getting friends to give you AP always helps
    Pretty serious accusation pooh, and your proof of this is where........................


    Cheers:
    DjM

  7. #37
    And thank you Pooh for the previous reply.
    Welcome. Let me know if you need anything else.

  8. #38
    Getting friends to give you AP always helps, I'm sure. You sure won that important argument of the day, I tell you what.
    I feel I have to defend Tiger here, I have only seen Tiger show some serious knowledge about what he is doing. He has my complete respect.

    Not to say I don't respect you pooh, I felt what you did with the Windows "wargame" was pretty neat, and your tut's aren't too shabby either.

    About the blackhat whitehat argument, I feel like I side more towards Tiger. I don't feel comfortable helping out someone when instinct tells me their intentions are malicious. Honeypots are used to investigate the 0-day tactics of the blackhat community, and greyhats are there to find them before blackhats do.

    Me personally, I couldn't find an exploit with a map. So my arguments don't come with very much credibility. I'm just babbling now.

    All done.
    Soda

  9. #39
    Senior Member
    Join Date
    Feb 2002
    Posts
    518
    Albeit one of the better pissing contests I've ever seen... Enough is enough guys. 2 pages ago, you said you were done with this thread. Let it GO already! sheesh
    It's way off topic. Chalk me up to paranoid... I won't help an "improperly worded question".
    Had he said "I'm just curious how I might investigate intrusion attempts on my PC/network, and if I was compromised, where might I find log files reflecting file transfers..." Or something to THAT effect, it sure works a lot better than his shady-as-hell "Suppose I did this, and then I wanted to do this, and how would one cover that up?" <-- my summary of his original question
    YES IT SOUNDS LIKE A PLANNING QUESTION! It screams ANYTHING but help me learn about security. That was my read on it, and that is why (and will ALWAYS generate the same response) it got the response it did. Someone will always help these "eager young minds" to learn. But if it sounds malicious and I'm going to be mopping up more "zero-day" activity later... no thank you. Some of us out here actually run businesses off our boxes. We don't want them turned into some kiddy's toy.

    Now don't bother (any of you) getting all high and mighty on me. The bottom line is I could care LESS about what you all think I SHOULD have replied like. This was my decision, and no one is going to make me less paranoid. I mean come on, that's like saying, so? he sounded ok to me. Yep sure... And Mr. Atta was just another passenger on the plane....

    Enough said. Like I said, exercise some restraint in telling me how and what to post. Responses to this will go undefended, unanswered. I'm just feeling the need to get above a pissing contest. Hopefully one of the nice mods will come along, after they are done laughing at a post that turned into a weed, and lock it up.
    Remember -
    The ark was built by amateurs...
    The Titanic was built by professionals.

  10. #40
    the logs are stored in three files in xp and 2k:

    security:
    c:\winnt\system32\config\SecEvent.evt
    c:\windows\system32\config\SecEvent.evt

    applications:
    c:\winnt\system32\config\AppEvent.evt
    c:\windows\system32\config\AppEvent.evt

    system:
    c:\winnt\system32\config\SysEvent.evt
    c:\windows\system32\config\SysEvent.evt

    **EDIT** got this in reply to the first page, haven't seen the others yet **EDIT**
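
Added example, not part of the original post: a Python sketch for forensic triage of a copy of one of the `.evt` files listed above, reading the 48-byte file header to report record count and state flags. The layout follows Microsoft's documented `ELF_LOGFILE_HEADER`; the function names and the sample bytes are constructed for illustration.

```python
import struct

# ELF_LOGFILE_HEADER: twelve little-endian DWORDs at the start of a legacy .evt file.
HEADER = struct.Struct("<12I")
SIGNATURE = 0x654C664C  # stored on disk as the bytes "LfLe"
FLAG_NAMES = {0x1: "DIRTY", 0x2: "WRAP", 0x4: "LOGFULL_WRITTEN", 0x8: "ARCHIVE_SET"}

def parse_evt_header(data):
    """Validate and decode the header of a .evt file; raise ValueError if malformed."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 48-byte header")
    (size, sig, major, minor, start, end, current, oldest,
     max_size, flags, retention, end_size) = HEADER.unpack_from(data)
    if sig != SIGNATURE:
        raise ValueError("missing LfLe signature")
    if size != HEADER.size or end_size != HEADER.size:
        raise ValueError("header length fields do not match")
    return {
        "version": (major, minor),
        "start_offset": start,
        "end_offset": end,
        # CurrentRecordNumber is the next number to be assigned; oldest is 0 when empty.
        "record_count": current - oldest if oldest else 0,
        "max_size": max_size,
        "retention_seconds": retention,
        "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
    }

def triage_notes(header):
    """Turn header state into notes an examiner should act on before reading records."""
    notes = []
    if "DIRTY" in header["flags"]:
        notes.append("log was not closed cleanly; header offsets may be stale")
    if "WRAP" in header["flags"]:
        notes.append("records wrap past the end of the file; read it as a circular buffer")
    if header["record_count"] == 0:
        notes.append("log is empty; check whether auditing is enabled or the log was cleared")
    return notes

# Constructed sample header: records 1..40 present, DIRTY and WRAP flags set.
SAMPLE = HEADER.pack(0x30, SIGNATURE, 1, 1, 0x30, 0x1230, 41, 1, 0x80000, 0x3, 604800, 0x30)

if __name__ == "__main__":
    hdr = parse_evt_header(SAMPLE)
    print(hdr)
    for note in triage_notes(hdr):
        print("note:", note)
```

A file copied from a running system will normally show the DIRTY flag, since the Event Log service keeps it open.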
