NT Gatekeeper: Deleting Specific Event Viewer Log Entries

Does the Windows NT 4.0 Event Viewer (or some other Microsoft or third-party product) provide a way to delete specific Security log entries? Can intruders use such a utility to cover their tracks?

You can use WinZapper, a free utility that you can download from Arne Vidstrom's Web site (http://www.ntsecurity.nu/toolbox/winzapper), to remove specific Event Viewer Security log entries. To delete a log entry or set of log entries, select the entry or entries, as Figure 2 shows, then click Delete events and Exit. (You can use the Shift or Ctrl keys to select multiple entries.) The utility deletes the entries when you reboot the system.

If you accidentally delete entries, WinZapper provides a way to restore your original data. When the program runs, it automatically creates a backup of the original Security log file. This backup file is called dummy.dat and resides in the %systemdrive%\winnt\system32\config folder, which also contains all other Event Viewer log files. To retrieve your original Security log entries, rename or delete the file secevent.evt and rename dummy.dat to secevent.evt.

To run the utility, you need administrative access to your system. Therefore, intruders can use the program to cover their tracks only if they have access to your system's Administrator account. Still, you should use WinZapper with care: The utility regularly corrupts event-log files, and when you use the program to delete an entry, the event-log system becomes unusable until you reboot the system. (For tips about protecting your NT Administrator accounts, see "NT Gatekeeper," March 2001. For more information about WinZapper, see Randy Franklin Smith, "Avoiding WinZapper's Sting," http://www.secadministrator.com, InstantDoc ID 15674.)
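Because the backup is left as dummy.dat beside secevent.evt, an investigator can look for it in a copy of the config folder. The Python below is an added example, not part of the original column or of WinZapper; it assumes the files follow the legacy .evt header layout Microsoft documents as ELF_LOGFILE_HEADER, and all function names and sample values are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

# ELF_LOGFILE_HEADER of the legacy .evt format: twelve little-endian ULONGs.
HEADER = struct.Struct("<12I")
SIGNATURE = 0x654C664C  # the bytes "LfLe"

def read_evt_header(path):
    """Return record info if the file starts with a legacy .evt header, else None."""
    data = Path(path).read_bytes()[:HEADER.size]
    if len(data) < HEADER.size:
        return None
    f = HEADER.unpack(data)
    if f[0] != HEADER.size or f[1] != SIGNATURE:   # HeaderSize, Signature
        return None
    nxt, oldest = f[6], f[7]   # CurrentRecordNumber (next to write), OldestRecordNumber
    # OldestRecordNumber is 0 in an empty log. A set dirty flag (f[9] & 1) means
    # the header may lag behind the records actually in the file.
    return {"records": nxt - oldest if oldest else 0, "dirty": bool(f[9] & 1)}

def check_config_dir(config_dir):
    """Triage a copy of the config folder for the dummy.dat backup described above."""
    files = {p.name.lower(): p for p in Path(config_dir).iterdir() if p.is_file()}
    backup, live = files.get("dummy.dat"), files.get("secevent.evt")
    report = {"backup_present": backup is not None, "backup_is_evt": False,
              "backup_records": None, "live_records": None, "backup_has_more": False}
    if backup is None:
        return report
    b = read_evt_header(backup)
    l = read_evt_header(live) if live else None
    report["backup_is_evt"] = b is not None
    if b:
        report["backup_records"] = b["records"]
    if l:
        report["live_records"] = l["records"]
    if b and l:
        # Assumption: a backup holding more records than the live log deserves a
        # closer look; it is a triage hint, not proof that entries were deleted.
        report["backup_has_more"] = b["records"] > l["records"]
    return report

def make_header(oldest, nxt):
    """Build a constructed sample header (not taken from a real log)."""
    return HEADER.pack(48, SIGNATURE, 1, 1, 48, 48, nxt, oldest, 0x80000, 0, 0, 48)

def demo():
    with tempfile.TemporaryDirectory() as d:
        Path(d, "dummy.dat").write_bytes(make_header(1, 201))
        Path(d, "SecEvent.Evt").write_bytes(make_header(1, 198))
        return check_config_dir(d)
```

Run `check_config_dir` against a read-only copy or mounted image of the config folder rather than the live system, since the Security log is held open while the event-log service runs.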
