Wednesday, November 6, 2013

Daily Blog #136: Using Win 2008 server task scheduler logs to identify interactive logins

Hello Reader,
            In prior Sunday Fundays we've talked about tracking logins to a Windows Server 2008 system, and in each case I saw the normal security event log entries referenced. Today I wanted to expand on that knowledge with something I found in a case a couple of years ago and mentioned in a Sunday Funday answer post: tracking logins with Task Scheduler logs.

You can find the Task Scheduler log in the Event Viewer GUI under:
Applications and Services Logs -> Microsoft -> Windows -> TaskScheduler -> Operational

and on the disk under:
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx

The log is kept separate from the other Windows event logs, which is very helpful: it is not competing for space with the Security log, so its entries survive longer than scheduled task records did on prior versions of Windows Server. Inside it you'll find an entry for each execution of a scheduled task, which is useful in its own right if you are looking for bad actions by malware or a user. In addition you'll find Event ID 119, 'Task triggered on logon'. This event is so useful because, by default, some tasks are triggered on every interactive logon, so these entries appear for every interactive session without any configuration or additional auditing being enabled.
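As an added example (not code from the original post), the following PowerShell pulls Event ID 119 from either the live Operational log or an exported copy of the .evtx, and collapses the per-task entries into one row per logon. It assumes that the event's EventData carries the fields named TaskName and UserName (Microsoft's template for this event; the script falls back to 'unknown' if they are absent) and that several logon-triggered tasks fire within a short window of each other, so entries for the same user less than $GapSeconds apart are treated as one logon; the 120 second default is an assumed value, not something the post states.

```powershell
<#
  Added example, not from the original post: summarise Task Scheduler
  event 119 ("Task triggered on logon") as one row per interactive logon.

  Assumptions (not stated in the post):
    - EventData of event 119 contains 'TaskName' and 'UserName' entries.
    - Task launches for the same user within $GapSeconds belong to one logon.
#>
param(
    [string]$EvtxPath,      # optional: exported Microsoft-Windows-TaskScheduler%4Operational.evtx
    [int]$GapSeconds = 120  # assumed merge window for one logon's task launches
)

# Live log on the running system, or an exported file for dead-box analysis.
$filter = @{ Id = 119 }
if ($EvtxPath) { $filter.Path = $EvtxPath }
else           { $filter.LogName = 'Microsoft-Windows-TaskScheduler/Operational' }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No event 119 entries found. On some later Windows versions this Operational log is disabled by default; confirm it is enabled.'
    return
}

# One object per event: time, user, task and host, taken from the event XML.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        User     = if ($data['UserName']) { $data['UserName'] } else { 'unknown' }
        Task     = $data['TaskName']
        Computer = $xml.Event.System.Computer
    }
}

function New-LogonRow($User, $Start, $Last, $Tasks) {
    [pscustomobject]@{
        User           = $User
        LogonApprox    = $Start   # first logon-triggered task: a few seconds after authentication
        LastTaskLaunch = $Last
        Tasks          = ($Tasks -join ', ')
    }
}

# Walk each user's events in time order; a gap larger than $GapSeconds starts a new logon.
$sessions = foreach ($group in ($rows | Sort-Object User, Time | Group-Object User)) {
    $start = $null; $last = $null; $tasks = @()
    foreach ($r in $group.Group) {
        if ($null -eq $start -or ($r.Time - $last).TotalSeconds -gt $GapSeconds) {
            if ($start) { New-LogonRow $group.Name $start $last $tasks }
            $start = $r.Time; $tasks = @()
        }
        $last   = $r.Time
        $tasks += $r.Task
    }
    if ($start) { New-LogonRow $group.Name $start $last $tasks }
}

$sessions | Sort-Object LogonApprox | Format-Table -AutoSize
```

Run it with no arguments on the server itself, or with -EvtxPath pointing at a copy of the log pulled from an image. The LogonApprox column is the first task launch, not the authentication itself; to recover the logon type and source address, which event 119 does not carry, line these rows up by time against the Security log's logon events.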

The event entries look like this:

While the timestamp of 2:27:58 PM is not going to be the exact second the user authenticated, the task is triggered soon after.

I use these logs to get further visibility into who has logged in than the security event logs normally host, but they don't reveal the IP address of the user.