Windows 7 Event Log Help

Matrix
Member
 

Windows 7 Event Log Help

Posted: Mar 02, 15 07:01

I am looking at the Microsoft-Windows-Application-Experience%4Program-Inventory event log from a Windows 7 system. Normally this log would contain EventID codes 900, 901, 903, 904, 905, 906, 907, and 908. This system's log only contains EventID code 800. Each of these EventID 800 entries contains an Exit code. These exit codes are 200, 221, 223, 228, and 400.

Does anyone know the meaning of each of these exit codes? The exit code of 200 and 400 seem to denote that the number of programs, add-ons, and new installations has been reset to zero.

Any assistance is greatly appreciated.  
 
  

keydet89
Senior Member
 

Re: Windows 7 Event Log Help

Posted: Mar 05, 15 17:50

 
  

zoltandfw
Member
 

Re: Windows 7 Event Log Help

Posted: Mar 12, 15 08:30

This is probably the most complete exit code list I've ever seen, but even this one only has an explanation of 200 and not the others you've listed. Since exit codes related to the same type of error condition start with the same digit, I would guess that all the 2.. codes are code-segment-related errors. I hope this will help.

www.symantec.com/conne...escription  
 
  

athulin
Senior Member
 

Re: Windows 7 Event Log Help

Posted: Mar 12, 15 23:40

- Matrix
Does anyone know the meaning of each of these exit codes?


They seem to be undocumented.

The exit code of 200 and 400 seem to denote that the number of programs, add-ons, and new installations has been reset to zero.


I interpret the log entry differently. It looks more like it says 'I could not find any updates etc. to be performed, so none (0) of these activities (as listed) were performed in this session.'

I can't identify what the difference between 200 and 400 is, though.  
 
  

athulin
Senior Member
 

Re: Windows 7 Event Log Help

Posted: Mar 13, 15 00:27

- zoltandfw
This is probably the most complete exit code list I've ever seen, but even this one only has an explanation of 200 and not the others you've listed.


There's also: msdn.microsoft.com/en-...85%29.aspx

However keep in mind that system error codes and exit codes do not need to be the same thing.

System error codes are mainly used inside programs, and are used to identify an error from a Windows system API call by severity, custom error or not, facility, etc.

Exit codes are (at least where I have encountered them) the parameter that GUI software passes on to the WM_QUIT message, or that other software returns from the WinMain() function.

A bit like the difference between the parameter to exit() and the variable errno in Unix.

No one stops a programmer from passing a system error code to exit/WM_QUIT, but general practice keeps them apart.
 
  

zoltandfw
Member
 

Re: Windows 7 Event Log Help

Posted: Mar 13, 15 05:42

Since you had an EventID 800, does that mean that you have a DNS server running on this system? Based on athulin's great MSDN reference, it seems like a zone transfer or update did not succeed due to a segmentation fault, too large a file size, or a file not being accessed properly for writing.

Is someone "messing" with your DNS config?  
 
  

keydet89
Senior Member
 

Re: Windows 7 Event Log Help

Posted: Mar 13, 15 17:26

- zoltandfw
Since you had an EventID 800, does that mean that you have a DNS server running on this system? Based on athulin's great MSDN reference, it seems like a zone transfer or update did not succeed due to a segmentation fault, too large a file size, or a file not being accessed properly for writing.

Is someone "messing" with your DNS config?


It looks as if you're referring to this:

technet.microsoft.com/...10%29.aspx

That's a different log file entirely from what the OP was asking about.

Most analysts don't realize that you can't just say "event ID 800" and have it mean the same thing to everyone; many event IDs have different entries in different Windows Event Log/*.evtx files.

Take a look at Corey's blog post:
journeyintoir.blogspot...t-log.html

Same event ID (800), but different log file, and completely different context.

This is why I've been recommending that event records be referred to as source/ID pairs...maybe one day, that'll catch on.  
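Two points in this thread lend themselves to a worked check: the original poster's tally of exit codes across Program-Inventory EventID 800 records, and keydet89's point that an event ID only carries meaning together with the log it came from. The Python below is an added example, not code from the thread or from any of the posters. It parses constructed records in the XML shape that `wevtutil qe <log> /f:xml` renders EVTX events into, keys them by (Channel, Provider, EventID) rather than by bare ID, flags IDs that recur across channels, and tallies the exit codes of Program-Inventory 800 records. The `Data Name="ExitCode"` field name, the PowerShell and DNS Server sample records, and all sample values are assumptions made for illustration.

```python
"""Refer to Windows event records as source/ID pairs, not bare EventIDs.

Added example, not from the thread.  Input is constructed XML in the shape
that `wevtutil qe <log> /f:xml` renders EVTX records into.  The
Data Name="ExitCode" field of the Program-Inventory records is an assumed
name used for illustration; check it against real rendered records.
"""
from collections import Counter
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
INVENTORY_CHANNEL = "Microsoft-Windows-Application-Experience/Program-Inventory"


def _event(provider, event_id, channel, data_xml=""):
    """Build one constructed record in wevtutil's XML rendering."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="{provider}"/><EventID>{event_id}</EventID>'
        f"<Channel>{channel}</Channel></System>"
        f"<EventData>{data_xml}</EventData></Event>"
    )


# Constructed sample: EventID 800 in three unrelated logs.  The exit codes
# are among those the original poster reported; the other records are assumed.
SAMPLE_XML = "<Events>" + "".join([
    _event("Microsoft-Windows-Application-Experience", 800, INVENTORY_CHANNEL,
           '<Data Name="ExitCode">200</Data>'),
    _event("Microsoft-Windows-Application-Experience", 800, INVENTORY_CHANNEL,
           '<Data Name="ExitCode">221</Data>'),
    _event("Microsoft-Windows-Application-Experience", 800, INVENTORY_CHANNEL,
           '<Data Name="ExitCode">200</Data>'),
    _event("Microsoft-Windows-Application-Experience", 800, INVENTORY_CHANNEL,
           '<Data Name="ExitCode">400</Data>'),
    _event("PowerShell", 800, "Windows PowerShell",
           "<Data>Pipeline execution details for command line: Get-Process.</Data>"),
    _event("Microsoft-Windows-DNS-Server-Service", 800, "DNS Server"),
]) + "</Events>"


def parse_events(xml_text):
    """Return one dict per record: channel, provider, event_id and data fields."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", EVT_NS):
        system = ev.find("e:System", EVT_NS)
        # Named <Data> elements become a dict; unnamed ones land under "".
        data = {}
        for d in ev.findall("e:EventData/e:Data", EVT_NS):
            data[d.get("Name", "")] = (d.text or "").strip()
        records.append({
            "channel": system.findtext("e:Channel", namespaces=EVT_NS),
            "provider": system.find("e:Provider", EVT_NS).get("Name"),
            "event_id": int(system.findtext("e:EventID", namespaces=EVT_NS)),
            "data": data,
        })
    return records


def count_by_source_id(records):
    """Tally records by (channel, provider, event_id), never by bare ID."""
    return Counter((r["channel"], r["provider"], r["event_id"]) for r in records)


def ambiguous_ids(records):
    """Event IDs that occur in more than one channel: the bare-ID trap."""
    channels = {}
    for r in records:
        channels.setdefault(r["event_id"], set()).add(r["channel"])
    return {eid: sorted(ch) for eid, ch in channels.items() if len(ch) > 1}


def inventory_exit_codes(records):
    """Exit-code tally for Program-Inventory EventID 800 records only."""
    return Counter(
        r["data"].get("ExitCode")
        for r in records
        if r["channel"] == INVENTORY_CHANNEL and r["event_id"] == 800
    )


if __name__ == "__main__":
    recs = parse_events(SAMPLE_XML)
    for (channel, provider, eid), n in sorted(count_by_source_id(recs).items()):
        print(f"{channel} / {provider} / {eid}: {n}")
    print("IDs shared across channels:", ambiguous_ids(recs))
    print("Program-Inventory 800 exit codes:", dict(inventory_exit_codes(recs)))
```

To run this over a real export, save the output of `wevtutil qe "<channel>" /f:xml` and wrap it in a single root element as the sample does, since wevtutil emits a bare sequence of `<Event>` elements. The grouping key is the whole point: a count of "EventID 800" alone would merge the inventory, PowerShell and DNS records into one meaningless number.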
 
