JSI Tip 2812. Selectively erase events from the Security log?

Jerold Schulman

September 7, 2000

There is no standard method for selectively erasing events from the Security log in Windows NT 4.0 or Windows 2000.

WinZapper can.

I quote excerpts from various documents:

What is WinZapper?

WinZapper is a tool with which you can erase event records selectively from the Security Log in Windows NT 4.0 and Windows 2000.

How do I use this tool?

Download the zip file and extract the files in it. Run winzapper.exe and mark the event records to be deleted, then press "Delete events and Exit". Next, reboot Windows to re-enable the event logging system. (You can't use the Event Viewer again before rebooting.)

Which OS's are supported?

Windows NT 4.0 and Windows 2000.

What if there is a problem?

Then check out the WinZapper FAQ. http://ntsecurity.nu/toolbox/winzapper/faq.shtml.

Warning!

There is a small risk that this program corrupts the event logs so they must be cleared completely.

This is an announcement of a new tool - WinZapper - for Windows NT 4.0 and Windows 2000, that can be used to selectively erase event log records in the security log. As far as we know there exists no other tool that is able to do this. WinZapper can be downloaded from: http://ntsecurity.nu/toolbox/winzapper/

Further than only announcing this tool we would like to emphasize a few important things:

* WinZapper can only be used from an Administrators account, thus this has _nothing_ to do with any new security vulnerabilities in Windows NT / 2000. Please refrain from bashing MS about this!

* There seems to be a common misconception out there that there is no way to erase individual event records in the security log. (The ordinary API to the event logging system only allows clearing the whole log, and the log files are locked by the OS.) This is not true, and now we have been able to show this in practice.

* There seems to be another common misconception out there that there is no way to write "fake" event records into the security log. This is not true either - any user with an Administrators account can inject completely made up event records into the security log. Please remember this before using the log to point out offenders!

* It would be trivial to extend WinZapper to work remotely like a client/server system. Thus, this is _not_ limited to attackers having physical access!

To sum things up: after an attacker has gained Administrators access to your system, you simply cannot trust your security log! And as always, remember that an attacker having that kind of access can do _anything_ to your system!

Regards, Arne Vidstrom / The ntsecurity.nu team.
http://ntsecurity.nu - providing unique freeware security tools for Windows NT 4.0 / 2000
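The practical consequence of the announcement above is that the local Security log is only as trustworthy as the account that can reach it, so the defender's copy has to live somewhere an Administrator on that host cannot touch. The following is an added example (not code from this tip, from ITPro Today, or from the ntsecurity.nu team) that cross-checks a host's log against a copy forwarded earlier to a separate collector and reports each kind of tampering the announcement describes: records that are gone, records that were never forwarded, gaps in the record sequence, and a wholesale clear. The export format, the field names and every sample record are constructed for the example; the only Windows-specific values it relies on are Security event IDs 528 (successful logon), 529 (logon failure) and 517 (the audit log was cleared) as numbered on NT 4.0 / 2000.

```python
"""Cross-check a host's Security log against a copy forwarded to a collector.

Added example for this tip (not code from the original page or from WinZapper):
an Administrator on the host can delete, inject or clear records in the local
log, but a copy forwarded to a separate collector before the compromise is out
of that Administrator's reach, so comparing the two surfaces each kind of
tampering. The export format, field names and all sample records below are
constructed for this example.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable

AUDIT_LOG_CLEARED = 517  # Security event "The audit log was cleared" (NT 4.0 / 2000)


@dataclass(frozen=True)
class Record:
    number: int     # RecordNumber: increases by one per record within a log file
    event_id: int
    user: str
    message: str

    def content(self) -> tuple[int, str, str]:
        """Identity of the record independent of its position in the file."""
        return (self.event_id, self.user, self.message)


def parse(lines: Iterable[str]) -> list[Record]:
    """Parse 'number|event_id|user|message' lines (a constructed export format)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        number, event_id, user, message = line.split("|", 3)
        records.append(Record(int(number), int(event_id), user, message))
    return records


def find_gaps(records: Iterable[Record]) -> list[tuple[int, int]]:
    """(expected, found) pairs where RecordNumber jumps: records were removed
    from the file without renumbering what follows."""
    numbers = sorted(r.number for r in records)
    return [(a + 1, b) for a, b in zip(numbers, numbers[1:]) if b != a + 1]


def cross_check(local: list[Record], forwarded: list[Record]) -> dict:
    """Compare the host's log with the collector's copy.

    Only local records up to the collector's highest RecordNumber are compared;
    anything newer simply has not been forwarded yet. Records are matched by
    content rather than by number so that a tool that renumbers after editing
    still shows what was removed and what was added.
    """
    high_water = max(r.number for r in forwarded)
    in_range = [r for r in local if r.number <= high_water]
    local_counts = Counter(r.content() for r in in_range)
    forwarded_counts = Counter(r.content() for r in forwarded)
    return {
        # present on the collector but gone from the host: selectively erased
        "deleted": sorted((forwarded_counts - local_counts).elements()),
        # present on the host but never forwarded: injected after the fact
        "injected": sorted((local_counts - forwarded_counts).elements()),
        "gaps": find_gaps(in_range),
        # a wholesale clear leaves this as the first surviving record
        "cleared": any(r.event_id == AUDIT_LOG_CLEARED for r in local),
    }


# Constructed sample: the collector's copy, forwarded before the tampering.
FORWARDED = parse("""
1|528|alice|Successful logon
2|528|bob|Successful logon
3|529|mallory|Logon failure
4|529|mallory|Logon failure
5|528|mallory|Successful logon
6|528|carol|Successful logon
7|529|mallory|Logon failure
8|528|alice|Successful logon
""".splitlines())

# Constructed sample: the host's log afterwards. Records 3 and 4 were removed
# (leaving a gap), record 7 was replaced by a made-up logon, and record 9 is a
# legitimate event that has not been forwarded yet.
LOCAL = parse("""
1|528|alice|Successful logon
2|528|bob|Successful logon
5|528|mallory|Successful logon
6|528|carol|Successful logon
7|528|dave|Successful logon
8|528|alice|Successful logon
9|528|erin|Successful logon
""".splitlines())

if __name__ == "__main__":
    for key, value in cross_check(LOCAL, FORWARDED).items():
        print(f"{key}: {value}")
```

Matching by content rather than by record number is deliberate: a tool that rewrites the log file may or may not leave the numbering intact, so the gap check is kept as a separate, cheaper signal while the content diff is what actually names the erased and injected records. In practice the "forwarded" side is whatever the collector received in near real time; the check is only as good as the forwarding interval, since anything the attacker removes before it is shipped is gone from both copies.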
