Windows Event Log default path: %SystemRoot%\System32\winevt\Logs
Use commands to read and export the event log
wevtutil.exe: retrieves information about event logs and publishers. It can also be used to install and uninstall manifests.
- Read
  wevtutil.exe qe Security /f:text /rd:true /c:10
  : get the latest 10 records from the Security event log.
- Export
  wevtutil.exe epl Security 1.evtx
  : export the whole Security event log to 1.evtx.
- Export with modification
  wevtutil.exe epl Security 1.evtx "/q:*[System[(EventRecordID!=1112)]]"
  : export the Security event log to 1.evtx without the record whose EventRecordID is 1112.
Several methods to replace the original log file with the modified one
- Method 1: Unlock the original file
- Method 2: Inject a loader DLL
- Method 3: DuplicateHandle
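A defender-side check for the two manipulations these notes describe (a record dropped from an export, as with the EventRecordID!=1112 query, and a log replaced or cleared outright). This is an added example, not part of the original notes: it parses the bare sequence of <Event> elements that `wevtutil qe Security /f:xml` prints, reports gaps in EventRecordID, and flags the "log cleared" records (Event ID 1102 in Security, 104 in System). The XML sample is constructed and the function names are my own.

```python
"""Spot signs of event-log tampering in an unfiltered `wevtutil qe Security /f:xml`
export: gaps in EventRecordID (a removed record) and 'log cleared' events.
Added example, not from the original notes; the XML below is constructed."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample of what `wevtutil qe Security /f:xml` prints: a bare sequence
# of <Event> elements with no root. Record 1112 is missing and the last record is
# Event ID 1102 from Microsoft-Windows-Eventlog ("The audit log was cleared").
SAMPLE_XML = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><TimeCreated SystemTime="2024-03-01T09:00:00.000000000Z"/><EventRecordID>1110</EventRecordID><Channel>Security</Channel><Computer>HOST01</Computer></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4634</EventID><TimeCreated SystemTime="2024-03-01T09:05:00.000000000Z"/><EventRecordID>1111</EventRecordID><Channel>Security</Channel><Computer>HOST01</Computer></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><TimeCreated SystemTime="2024-03-01T09:20:00.000000000Z"/><EventRecordID>1113</EventRecordID><Channel>Security</Channel><Computer>HOST01</Computer></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID><TimeCreated SystemTime="2024-03-01T09:30:00.000000000Z"/><EventRecordID>1114</EventRecordID><Channel>Security</Channel><Computer>HOST01</Computer></System></Event>
"""

# (channel, event id) pairs written when a log is cleared.
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def parse_records(xml_text: str) -> list[dict]:
    """Wrap the root-less <Event> sequence in a root element and pull the
    System fields needed for the checks from each record."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    records = []
    for ev in root.findall("e:Event", NS):
        sysnode = ev.find("e:System", NS)
        records.append({
            "record_id": int(sysnode.findtext("e:EventRecordID", namespaces=NS)),
            "event_id": int(sysnode.findtext("e:EventID", namespaces=NS)),
            "channel": sysnode.findtext("e:Channel", namespaces=NS),
            "time": sysnode.find("e:TimeCreated", NS).get("SystemTime"),
        })
    return records


def find_gaps(records: list[dict]) -> list[int]:
    """EventRecordIDs are assigned sequentially per channel, so an unfiltered
    export is contiguous; IDs missing between the lowest and highest seen point
    at records that were dropped. Sorting makes /rd:true output irrelevant."""
    ids = sorted(r["record_id"] for r in records)
    if not ids:
        return []
    return sorted(set(range(ids[0], ids[-1] + 1)) - set(ids))


def find_log_cleared(records: list[dict]) -> list[int]:
    """Record IDs of 'log cleared' events (1102 in Security, 104 in System)."""
    return [r["record_id"] for r in records
            if (r["channel"], r["event_id"]) in CLEAR_EVENTS]


def audit_export(xml_text: str) -> dict:
    """Run both checks over one export and summarise the findings."""
    recs = parse_records(xml_text)
    return {
        "records": len(recs),
        "missing_record_ids": find_gaps(recs),
        "cleared_events": find_log_cleared(recs),
    }


if __name__ == "__main__":
    print(audit_export(SAMPLE_XML))
```

The gap check is only meaningful for an export taken without a /q: filter, since a filtered query drops records by design. It also cannot see a log that was replaced wholesale with a consistent copy; that case is why the "cleared" events matter and why forwarding events off the host (Windows Event Forwarding or a SIEM agent) as they are written is the mitigation this check complements.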
The whole flow
Source of the whole cpp file
The problem: how to run the cpp file on Windows without a compiler