Event Viewer – Error – “MMC cannot open the file C:\Windows\system32\eventvwr.msc”

Background

On one of our MS Windows systems, I have been unable to use Event Viewer.

Error

Error Image (screenshot)

Error Text

MMC cannot open the file C:\Windows\system32\eventvwr.msc.

Remediation

Outline

  1. Launch the Microsoft Management Console (MMC.exe) shell
    • mmc.exe
  2. In the new empty shell
    • Add the Event Viewer snap-in
      • From the “Available snap-ins” list, select “Event Viewer”
      • Click the Add button
      • The snap-in should appear under “Selected snap-ins”
    • Save the console
      • Save the console under a new name
  3. Launch the new MMC console
  4. Once happy, return to MMC and overwrite the original Event Viewer console (eventvwr.msc) with the saved one
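Before step 4 overwrites eventvwr.msc, a practitioner usually wants to know whether the existing file is actually unreadable and to keep a copy for rollback. The following PowerShell is an added example, not code from the original post: it checks that the file named in the error parses as an MMC console definition (.msc files are XML with an MMC_ConsoleFile root element) and backs it up. The backup folder is an assumption; use any writable location.

```powershell
# Added example (not from the original post): validate and back up eventvwr.msc
# before replacing it with the console saved from mmc.exe.
param(
    [string]$MscPath   = "$env:SystemRoot\System32\eventvwr.msc",
    [string]$BackupDir = "$env:SystemRoot\Temp"   # assumption: any writable folder works
)

function Test-MscFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "missing: $Path" }
    $item = Get-Item -LiteralPath $Path
    if ($item.Length -eq 0) { return "zero-byte file (corrupt)" }
    try {
        # .msc consoles are XML; a damaged file typically fails right here.
        $xml = [xml](Get-Content -LiteralPath $Path)
    } catch {
        return "not well-formed XML: $($_.Exception.Message)"
    }
    if ($xml.DocumentElement.Name -ne 'MMC_ConsoleFile') {
        return "unexpected root element '$($xml.DocumentElement.Name)'"
    }
    return "ok (parses as an MMC console file)"
}

$verdict = Test-MscFile -Path $MscPath
Write-Host "$MscPath -> $verdict"

# Keep a timestamped copy so the rebuilt console can be rolled back if needed.
if (Test-Path -LiteralPath $MscPath) {
    $stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
    $backup = Join-Path $BackupDir "eventvwr.msc.$stamp.bak"
    Copy-Item -LiteralPath $MscPath -Destination $backup
    Write-Host "backup written to $backup"
}
```

Run it from an elevated PowerShell prompt, since System32 requires administrative rights to read some attributes and to overwrite the file afterwards.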

Images

New Empty Shell (screenshot)

Select Computer (screenshot)

Add or Remove Snap-ins (screenshot)

Save Snap-in – Save As – 01 (screenshot)

Save Snap-in – Save As – 02 (screenshot)

BFGuard – Day 2

Background

In this post we actually start BFGuard and try to connect to the host from other workstations.

 

Target OS

Here are the Windows OS versions we will use for this exercise:

  1. Server
    • Windows Server 2012 R2
  2. Client
    • Windows Server 2012 R2
    • Windows 7

What we saw

BF Guard

BF Guard – Application

Scenario – After 1 failed Login

BF Guard – Application – Statistics

Explanation
  1. ip
    • Count :- 1
    • Date :- 2016-06-15 15:34:13
      • Time in GMT, not local time

 

Scenario – After Numerous failed Logins

BF Guard – Application – Statistics

Explanation
  1. ip
    • Count :- 7
    • Date :- 2016-06-15 16:47:18
      • Time in GMT, not local time

 

BF Guard – Application – Log Entries

Explanation
  1. @ 2017-06-15 09:47:39
    • – Auto blocking IP: for: 54864000 minutes

 

BF Guard – Application – Blocked IP

Explanation
  1. IP Address
    • IP Address :-
    • From :- 2017-06-15 09:47:39
    • To      :- 2017-06-15 10:47:39
    • City    :- Blocked

 

OS – Windows

Windows Logs

Windows Logs – Security

Windows Logs – Security – Filter

Here we filter for “Audit Failure”.

Windows Logs – Security – Logs

And, here are the events captured.

 

Windows Logs – Security – Log – Detailed

Windows Logs – Security – Log – Detailed – Event ID = 4625 (screenshot)

 

Explanation
  1. Subject
    • Security SID :- NULL SID
      • Since the account we tried to log in with is not known to the targeted computer or to Active Directory, we get “NULL SID”
    • Logon ID :- 0x0
      • Again, an unknown Logon ID
  2. Logon Type
    • Our Logon Type is 3
      • Logon Type = 3
        • Network
  3. Account for which Logon Failed
    • Security SID :- NULL SID
    • Account Name :- bobsmith
    • Account Domain :- LAB
  4. Failure Information
    • Failure Reason :- unknown username or password
    • Status :- 0xC00006D
    • Sub Status :- 0xC0000064
  5. Process Information
    • Caller Process ID :- 0x0
      • Remote Caller Process is not known
    • Caller Process Name :-
      • Remote Caller Process is not known
  6. Network Information
    • Workstation Name :- ASTSQL01
    • Source Network Address :-
      • Network Address not passed in
    • Source Port :-
      • Network Port not passed in
  7. Detailed Authentication Information
    • Logon Process :- NtlmSsp
    • Authentication Package :- NTLM
  8. Summary
    • Log Name :- Security
    • Source :- Microsoft Windows security
    • Event ID:- 4625
    • Task Category :- Logon
    • Keywords :- Audit Failure
    • Computer :- Host attempted for logon
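The fields walked through above all live in the EventData section of the 4625 event’s XML. As an added example (not part of the original post), this PowerShell script pulls recent 4625 events from the Security log, extracts those fields, counts failures per source address the way a brute-force guard would, and separately reports failures whose Source Network Address is empty, which is the condition that left BFGuard with nothing to block. The $Hours window is a constructed default; run it elevated on the server being reviewed.

```powershell
# Added example (not from the original post): parse Event ID 4625 from the
# Security log and split failures into "has a source address" and "does not".
param(
    [int]$Hours = 24   # constructed default window
)

$start  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $start } `
                       -ErrorAction SilentlyContinue

$parsed = foreach ($ev in $events) {
    $xml = [xml]$ev.ToXml()
    # EventData is a list of <Data Name="...">value</Data>; index it by Name.
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        TimeCreated = $ev.TimeCreated
        TargetUser  = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = $d.LogonType          # 3 = Network (the post's case), 10 = RemoteInteractive
        Status      = $d.Status
        SubStatus   = $d.SubStatus          # 0xC0000064 = user name does not exist
        Workstation = $d.WorkstationName
        IpAddress   = $d.IpAddress          # '-' or empty when no address was recorded
        AuthPackage = $d.AuthenticationPackageName
    }
}

# Failures that carry a usable source address: these can be counted per IP and blocked.
$parsed | Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
    Group-Object IpAddress | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Failures with no source address: the situation described in the post, where a
# firewall rule cannot be derived from the event. Group by what IS recorded.
$noAddr = @($parsed | Where-Object { -not $_.IpAddress -or $_.IpAddress -eq '-' })
Write-Host ("{0} of {1} failures in the last {2}h carry no Source Network Address" -f `
            $noAddr.Count, @($parsed).Count, $Hours)
$noAddr | Group-Object Workstation, AuthPackage, LogonType |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```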

 

OS – Windows Firewall

Reviewed the server’s Windows Firewall to see how it is configured for “Remote Desktop”.

 

Explanation

  1. Remote Desktop configured as:
    • Domain :- Yes
    • Home/Work :- Yes
    • Public :- No
    • Group Policy :- Yes

 

Summary

Unfortunately, Windows was not able to capture the incoming IP Address.

BF Guard was thus unable to read the IP Address from the Windows Logs.

Because of this inability, it is not able to re-configure the local Windows Firewall and have it start blocking the Source IP Address.

 

BFGuard – Day 1

Background

Googled online to identify steps to take for securing MS Windows Terminal Services.

One of the tools mentioned is BFGuard.

BFGuard

What is BFGuard?

BFGuard stands for “Brute Force Guard”.

How does it work?

It principally monitors the local machine’s event log. The relevant log in this case is the “Security Log”.

Upon finding entries that indicate failed logins, correlative data is gathered. Obvious correlative data includes the username and the IP Address.

Once the configured maximum number of failed attempts is reached, the specific IP Address is blacklisted.

Download

Please download the free tool from here.

Screen Shots Please

Log Entries (screenshot)

Blocked IP (screenshot)

WhiteList (screenshot)

Statistics (screenshot)

Functionalities

From the screen shots here are the functionalities offered:

  1. A listing of “Blocked IPs”
  2. Ability to whitelist specific IP Addresses
  3. Statistics on each connected IP Address

 

Summary

Wanted to introduce the product.

In the days ahead we will revisit and update our post.

Technical : Microsoft – Event Log / Event Viewer – Query via PowerShell

Introduction

After my fiasco of not paying attention to my Event Log, I need a quick way to aggregate Event Log entries, and here is what I came up with by curating Google web postings.

Code



# PowerShell example which groups event then sorts in descending order.
Clear-Host

$logName = "System"

#get date
$dateCurrent = Get-Date

#For the Week
$NDays = -7
$dateNDaysAgo = $dateCurrent.AddDays($NDays)

Write-Host "Log Entries since $dateNDaysAgo"

# Keep only Critical/Error/Warning entries newer than the cut-off, then count
# occurrences of each (provider, level, event ID) combination.
Get-WinEvent -Logname $logName  | `
where-object { $_.timecreated -gt $dateNDaysAgo  -and $_.levelDisplayName -in "Critical", "error", "warning" } | `
Group-Object ProviderName, levelDisplayName, ID | `
Sort-Object Count -descending | `
Format-Table Count, Name -auto

Output: (screenshot: EventLogAggregator)

Conclusion

And, yes I have too much time on my hands, and not enough brains; as I need Splunk, Nagios, or System Center.

Addendum

Addendum – 2014.01.20

Tried the code above on an MS Windows Vista Machine, but unfortunately it failed.

The original code was developed and targeted an MS Windows 2012 box.

The error message we got on the Vista box read:


You must provide a value expression on the right-hand side of the '-' operator.
At C:\temp\eventvwr.ps1:16 char:68
+ where-object { $_.timecreated -gt $date  -and $_.levelDisplayName - <<<< in "
Critical", "error", "warning" } | `
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : ExpectedValueExpression

To Correct:



# PowerShell example which groups event then sorts in descending order.
Clear-Host

$logName = "System"

#get date
$dateCurrent = Get-Date

#For the Week
$NDays = -7
$dateNDaysAgo = $dateCurrent.AddDays($NDays)

$logLevel = @("Critical", "Warning", "Error")
$logLevelCritical = "Critical"
$logLevelWarning = "Warning"
$logLevelError = "Error"

Write-Host "Log Entries since $dateNDaysAgo"

# Same filter written with -eq / -or so it parses on PowerShell 2.0, which lacks the -in operator.
Get-WinEvent -Logname $logName  | `
where-object {   ($_.timecreated -gt $dateNDaysAgo)  `
                 -and ( `
                       ($_.levelDisplayName -eq $logLevelCritical)  `
                   -or ($_.levelDisplayName -eq $logLevelWarning)   `
                   -or ($_.levelDisplayName -eq $logLevelError)     `
                       )  } | `
Group-Object ProviderName, levelDisplayName, ID | `
Sort-Object Count -descending | `
Format-Table Count, Name -auto
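Both scripts read the entire log and filter on the client side, which is slow on a busy System log. As an added example (not from the original post), the same weekly roll-up can push the date and level filter into Get-WinEvent through -FilterHashtable, where Level is numeric (1 = Critical, 2 = Error, 3 = Warning); it avoids the -in operator, so it runs on PowerShell 2.0 as well as on the 2012 box. The log name and day count are parameters with the post’s values as defaults.

```powershell
# Added example (not from the original post): server-side filtered version of the
# weekly Critical/Error/Warning roll-up, with a sample message line per group.
param(
    [string]$LogName = 'System',
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)
Write-Host "Log Entries since $since"

# Level codes: 1 = Critical, 2 = Error, 3 = Warning. StartTime is inclusive.
$filter = @{
    LogName   = $LogName
    Level     = 1, 2, 3
    StartTime = $since
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Group-Object ProviderName, LevelDisplayName, Id |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ Name = 'Provider'; Expression = { $_.Group[0].ProviderName } },
        @{ Name = 'Level';    Expression = { $_.Group[0].LevelDisplayName } },
        @{ Name = 'Id';       Expression = { $_.Group[0].Id } },
        # First line of one representative message, so the table is readable without opening Event Viewer.
        @{ Name = 'Sample';   Expression = { ($_.Group[0].Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

-ErrorAction SilentlyContinue suppresses the "No events were found" error that Get-WinEvent raises when the filter matches nothing, which is a normal outcome on a quiet log.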

References

Event Log

WMI

Mac OS/X – Reading Microsoft Windows Event Log file (*.evtx) files

Prelude

As always, it is one inter-operability problem or another.

I need to send Windows Event Viewer Log files (*.evtx) to a colleague whose primary work computer is a Mac OSX.

Options

So what to do, tried using the App Store.

App Store - evtx

But, got no help.

Next, googled for help.

Found a gem in:

Cross-platform Windows Event Log viewer
Link

which led me to :

Windows Event Log Viewer (evtx_view)
Link

Tried to install the version for OSX (evtx_view.v.0.69.osx.tar.gz), but the system barked at me that I needed X11 server and client libraries for OS X Mountain Lion.

Which in turn led me to the XQuartz project: Link. You should use XQuartz version 2.7.2 or later.

So please go ahead to http://xquartz.macosforge.org/landing/ and download XQuartz-2.7.4.dmg.

X Quartz

Thank goodness that the version number is part of the dmg file’s name. And, that version number is 2.7.4. We needed at minimum 2.7.2, so this particular version should be sufficient.

Install XQuartz-2.7.4.dmg

The install base is quite big; about 200 MB.

XQuartz 2.7.4 Installer

So this installs several utilities, including:

  • An X Window System implementation (which allows Unix-type applications to run on a Mac)

When we tried running the App (evtx_view):


./evtx_view

We received an error message stating:


FXApp::openDisplay: unable to open display :0.0

So what does that error mean? Googled and shouted for help, and was able to determine that X Windows needed to be installed and running.

To initiate an X Windows session, the best help I found is:

Installing FXRuby on OS X (Matthew Bass)
Link

You should see an error message that looks something like this:

FXRbApp::openDisplay: unable to open display :0.0
It means your X11 terminal isn’t running. You can find it in /Applications/Utilities. Double click to launch. If you roll with Quicksilver, you should be able to type in X11 and launch it that way. Once launched, run the Ruby script again and you should see a tiny window with the title “Hello World.”

But, since X Windows support on the Mac is now an open source project, you want to look for /Applications/Utilities/XQuartz.

XQuartz

Once XQuartz is running, please go back and run evtx_view:


./evtx_view

And, you should now see a running X application.

EventLog viewer

And, yes, we are able to read MS Windows log files on Mac OS/X via this free tool, evtx_view. But, I am a bit put back that visually it is a bit lacking.

But, that only means that the data format is XML, or at least published and well understood, and that the display just needs to be worked on.

References:

  • Cross platform Windows Event Log Viewer
    Link
  • Event Log File Viewer
    Link
  • About X11 and Mac OS
    Link
  • XQuartz
    Link
  • How to run X 11 apps on the Mac
    Link
  • Using X11 in Mountain Lion
    Link