1 Dump Event Log (Dumpel) • Dumpel.exe –Retrieves information from Windows Event Log –Appropriate OS auditing policies must be defined –At least three logs available: application, security, system.

1

Dump Event Log (Dumpel)

• Dumpel.exe – Retrieves information from Windows Event Log

–Appropriate OS auditing policies must be defined

–At least three logs available: application, security, system.


2

Dumpel (2)

dumpel -l security -s \\server -c -d 1 -f sec.csv

• Choose a log to retrieve (required): -l [security | application | system]

• Choose delimiter: -c = comma, -t = tab, default = whitespace

• Choose number of days to retrieve: -d NN, where NN is an integer > 0

• Choose server and output file: -s \\server -f filename.txt


3

Dumpel (3)

• Limiting by Source (-m SOURCE)
– LSASRV: -l application -m LSASRV
– Security: -l security -m security

• Retrieve specific information (-e NN)
– Failed logins: -l security -m security -e 529
– Object access: -l security -m security -e 560
– Shutdown: -l security -m security -e 513

• Inverting the query (-r)
– Retrieves everything EXCEPT what matches the limitations specified by the other parameters.


4

SC (Service Control)

• Single service: C:\>sc \\server query service (where service is the short service name)

• All services: C:\>sc \\server query

• Running services: C:\>sc \\server query state= active

• Stopped services: C:\>sc \\server query state= inactive

• Export to a text file: C:\>sc \\server query > filename.txt
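The `sc query` output listed above is one text block per service rather than a table, so checking a server's service state against a baseline means parsing it. The Python below is an added example, not part of the slides or of sc.exe: it parses a constructed sample in the layout sc.exe prints for `sc \\server query state= all` and reports services that are required but not running, or running although the baseline wants them off. The sample services and the baseline lists are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of `sc \\server query state= all` output (not captured
# from a real host); the layout mirrors sc.exe's one-block-per-service format.
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: EventLog
DISPLAY_NAME: Windows Event Log
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: MpsSvc
DISPLAY_NAME: Windows Defender Firewall
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: RemoteRegistry
DISPLAY_NAME: Remote Registry
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# "STATE : 4  RUNNING" -> the word after the numeric state code
STATE_RE = re.compile(r"STATE\s*:\s*\d+\s+(\w+)")


@dataclass
class Service:
    name: str
    display_name: str
    state: str  # RUNNING, STOPPED, START_PENDING, ...


def parse_sc_query(text):
    """Turn `sc query` output into a list of Service records.

    A new record starts at every SERVICE_NAME: line; DISPLAY_NAME and the
    STATE word are picked up from the block that follows. Other fields
    (TYPE, exit codes, checkpoint, wait hint) are ignored.
    """
    services = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            if current is not None:
                services.append(Service(**current))
            current = {"name": line.split(":", 1)[1].strip(),
                       "display_name": "", "state": ""}
        elif current is None:
            continue
        elif line.startswith("DISPLAY_NAME:"):
            current["display_name"] = line.split(":", 1)[1].strip()
        elif line.startswith("STATE"):
            m = STATE_RE.match(line)
            if m:
                current["state"] = m.group(1)
    if current is not None:
        services.append(Service(**current))
    return services


def audit_services(services, must_run, should_not_run):
    """Compare parsed services with a baseline (hypothetical policy lists).

    Returns findings: required services that are absent or not RUNNING, and
    services the baseline wants off that are RUNNING. Names compare
    case-insensitively, as service names do on Windows.
    """
    by_name = {s.name.lower(): s for s in services}
    findings = []
    for name in must_run:
        svc = by_name.get(name.lower())
        if svc is None:
            findings.append(f"{name}: not present")
        elif svc.state != "RUNNING":
            findings.append(f"{name}: expected RUNNING, found {svc.state}")
    for name in should_not_run:
        svc = by_name.get(name.lower())
        if svc is not None and svc.state == "RUNNING":
            findings.append(f"{name}: running but baseline says it should be stopped")
    return findings


if __name__ == "__main__":
    parsed = parse_sc_query(SAMPLE_SC_OUTPUT)
    for finding in audit_services(parsed, ["EventLog", "MpsSvc"], ["RemoteRegistry"]):
        print(finding)
```

Redirecting `sc \\server query state= all > filename.txt` and feeding the file to `parse_sc_query` gives the same result for a real host; the baseline lists are where the site's own policy goes.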


5

Reg

C:\>reg

REG Operation [Parameter List]

Operation [ QUERY | ADD | DELETE | COPY | SAVE | LOAD | UNLOAD | RESTORE | COMPARE | EXPORT | IMPORT ]

Return Code: (Except of REG COMPARE)

0 - Successful 1 - Failed

For help on a specific operation type:

REG Operation /?


6

Reg Query Operation

• Reg operations add, change, save or display registry content

• Type ‘reg operation /?’ for context-sensitive help

• ‘Query’ operation outputs registry contents in text format and works on remote systems

• Syntax:
– REG QUERY [\\Machine\]FullKey [/v ValueName | /ve] [/s]


7

Reg Query Examples

• Query locally-installed software: C:\>reg query HKLM\software

• Query locally-installed software, including all subkeys: C:\>reg query HKLM\software /s

• Query hardware on a remote server: C:\>reg query \\server\HKLM\hardware

• Query user profiles on a remote server: C:\>reg query \\server\HKU
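Because `reg query` prints the same text layout locally and for `\\server`, the usual follow-up is to compare the two and see where a host has drifted. The Python below is an added example, not from the slides or from reg.exe: it parses two constructed snapshots in the layout reg.exe prints for `reg query <key> /s` (an unindented line per key, then an indented line per value with name, type and data separated by runs of spaces) and lists the keys and values that differ. The key names and data are made up for the example.

```python
import re

# Constructed snapshot in the layout reg.exe prints for `reg query <key> /s`:
# an unindented line per key, then one indented line per value with name,
# type and data separated by runs of spaces. Key and value names are made up.
LOCAL_SNAPSHOT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Example\Agent
    Version    REG_SZ    4.2.1
    LogLevel    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SOFTWARE\Example\Agent\Updates
    Server    REG_SZ    updates.example.invalid
    Enabled    REG_DWORD    0x1
"""

# Same keys as pulled from \\server (also constructed): one value changed,
# one flipped, one extra.
REMOTE_SNAPSHOT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Example\Agent
    Version    REG_SZ    4.1.0
    LogLevel    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SOFTWARE\Example\Agent\Updates
    Server    REG_SZ    updates.example.invalid
    Enabled    REG_DWORD    0x0
    Proxy    REG_SZ    http://10.0.0.5:8080
"""

# value line: indent, name, REG_* type, optional data; fields separated by 2+ spaces
VALUE_LINE = re.compile(
    r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)(?:\s{2,}(?P<data>.*))?$"
)


def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {value_name: (type, data)}}."""
    snapshot = {}
    current_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Key lines are flush left; a key with no values still gets an entry.
            current_key = raw.strip()
            snapshot.setdefault(current_key, {})
            continue
        m = VALUE_LINE.match(raw)
        if m and current_key is not None:
            snapshot[current_key][m["name"]] = (m["type"], (m["data"] or "").strip())
    return snapshot


def diff_snapshots(baseline, other):
    """List keys and values that differ between two parsed snapshots."""
    findings = []
    for key in sorted(set(baseline) | set(other)):
        if key not in other:
            findings.append(f"missing key on target: {key}")
            continue
        if key not in baseline:
            findings.append(f"extra key on target: {key}")
            continue
        bvals, ovals = baseline[key], other[key]
        for name in sorted(set(bvals) | set(ovals)):
            if name not in ovals:
                findings.append(f"{key}\\{name}: missing on target")
            elif name not in bvals:
                findings.append(f"{key}\\{name}: extra on target = {ovals[name]}")
            elif bvals[name] != ovals[name]:
                findings.append(f"{key}\\{name}: {bvals[name]} -> {ovals[name]}")
    return findings


if __name__ == "__main__":
    for line in diff_snapshots(parse_reg_query(LOCAL_SNAPSHOT),
                               parse_reg_query(REMOTE_SNAPSHOT)):
        print(line)
```

In practice the two inputs are the redirected output of `reg query HKLM\software\... /s` run locally and against `\\server`; the parser only depends on the flush-left key lines and the indented value lines, so the depth of `/s` does not matter.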


8

Addusers

• Addusers_x86 \\server /d filename.txt
– Run as administrator
– To change the delimiter, add /s:x, where x is the character used to separate the fields
– Change /d to /d:u to put the output in Unicode

• Can also create, modify, and delete accounts.


9

Importing Data into a Spreadsheet

• To make the output easier to read:
– Open an empty sheet in Excel
– Go to Data / Import External Data / Import Text File…
– Select Delimited, then choose the delimiter and ‘Treat consecutive delimiters as one’
– Click Next, Finish, OK to finish
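Importing into Excel is one way to read dumpel's delimited output; parsing it directly is another, and it makes the `-e 529` / `-e 560` / `-e 513` filters from the Dumpel (3) slide repeatable across many servers. The Python below is an added example, not part of the slides or of dumpel.exe. It assumes the column order date, time, event type, category, event ID, source, user, computer, description strings (this order and the type codes are assumptions, not taken from the slides), parses a constructed comma-delimited sample as `dumpel -l security -c` would produce, tallies events by ID, and flags hosts with a burst of failed logons (event 529) inside a time window.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed comma-delimited dumpel output (as from `dumpel -l security -c`),
# not a real capture. Assumed column order: date, time, type, category,
# event ID, source, user, computer, description strings. Type 16 = audit
# failure and 8 = audit success are assumed codes, not taken from the slides.
SAMPLE_DUMPEL_CSV = r"""
3/14/2004,8:02:30 AM,16,2,529,Security,NT AUTHORITY\SYSTEM,FILESRV,Logon Failure: Reason: Unknown user name or bad password User Name: admin Domain: CORP
3/14/2004,8:02:41 AM,16,2,529,Security,NT AUTHORITY\SYSTEM,FILESRV,Logon Failure: Reason: Unknown user name or bad password User Name: admin Domain: CORP
3/14/2004,8:02:55 AM,16,2,529,Security,NT AUTHORITY\SYSTEM,FILESRV,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP
3/14/2004,8:03:10 AM,16,2,529,Security,NT AUTHORITY\SYSTEM,FILESRV,Logon Failure: Reason: Unknown user name or bad password User Name: backup Domain: CORP
3/14/2004,8:03:22 AM,16,2,529,Security,NT AUTHORITY\SYSTEM,FILESRV,Logon Failure: Reason: Unknown user name or bad password User Name: admin Domain: CORP
3/14/2004,8:15:03 AM,8,3,560,Security,CORP\alice,FILESRV,Object Open: Object Server: Security Object Type: File Object Name: D:\Finance\payroll.xls
3/14/2004,9:00:47 AM,16,2,529,Security,NT AUTHORITY\SYSTEM,WKS01,Logon Failure: Reason: Unknown user name or bad password User Name: alice Domain: CORP
3/14/2004,5:30:09 PM,8,1,513,Security,NT AUTHORITY\SYSTEM,WKS01,Windows is shutting down. All logon sessions will be terminated by this shutdown.
"""

# The eight fixed columns assumed to precede the free-text description.
FIELDS = ("date", "time", "type", "category", "event_id", "source", "user", "computer")


def parse_dumpel(text, delimiter=","):
    """Parse one-event-per-line dumpel output into dicts.

    Only the first eight fields are split on the delimiter; the rest of the
    line is the description, which may itself contain the delimiter, so it
    is kept whole. Pass delimiter="\t" for output produced with -t.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(delimiter, len(FIELDS))
        if len(parts) < len(FIELDS):
            continue  # not an event record (e.g. a stray header or footer line)
        rec = dict(zip(FIELDS, parts))
        rec["timestamp"] = datetime.strptime(
            f"{rec.pop('date')} {rec.pop('time')}", "%m/%d/%Y %I:%M:%S %p")
        for num in ("type", "category", "event_id"):
            rec[num] = int(rec[num])
        rec["strings"] = parts[len(FIELDS)] if len(parts) > len(FIELDS) else ""
        records.append(rec)
    return records


def count_by_event(records):
    """Tally records per event ID (the programmatic counterpart of -e NN)."""
    return Counter(r["event_id"] for r in records)


def failed_logon_bursts(records, threshold=5, window_minutes=5):
    """Find hosts with at least `threshold` failed logons (529) in any window.

    Slides a window over each host's sorted 529 timestamps and reports the
    densest window per host that meets the threshold.
    """
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for r in records:
        if r["event_id"] == 529:
            per_host[r["computer"]].append(r["timestamp"])
    bursts = []
    for host, times in per_host.items():
        times.sort()
        start, best, best_span = 0, 0, None
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_span = end - start + 1, (times[start], t)
        if best >= threshold:
            bursts.append({"computer": host, "count": best,
                           "first": best_span[0], "last": best_span[1]})
    return bursts


if __name__ == "__main__":
    events = parse_dumpel(SAMPLE_DUMPEL_CSV)
    print(count_by_event(events))
    for b in failed_logon_bursts(events, threshold=3):
        print(f"{b['computer']}: {b['count']} failed logons between {b['first']} and {b['last']}")
```

The threshold and window are tuning knobs: a handful of 529 events spread over a day is normal user behaviour, while the same count inside a few minutes against one server is worth a look, which is exactly the distinction a spreadsheet sort does not make on its own.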


10

Data in Excel