Windows System Logs

Question 1

Event ID 1074

Answer 1

(System Shutdown/Restart): This event log indicates when and why the system was shut down or restarted. By monitoring these events, you can determine if there are unexpected shutdowns or restarts, potentially revealing malicious activity such as malware infection or unauthorized user access.

Question 2

Event ID 6005

Answer 2

(The Event log service was started): This event log marks the time when the Event Log Service was started. This is an important record, as it can signify a system boot-up, providing a starting point for investigating system performance or potential security incidents around that period. It can also be used to detect unauthorized system reboots.

Question 3

Event ID 6006

Answer 3

(The Event log service was stopped): This event log signifies the moment when the Event Log Service was stopped. It is typically seen when the system is shutting down. Abnormal or unexpected occurrences of this event could point to intentional service disruption for covering illicit activities.

Question 4

Event ID 6013

Answer 4

(Windows uptime): This event occurs once a day and shows the uptime of the system in seconds. A shorter than expected uptime could mean the system has been rebooted, which could signify a potential intrusion or unauthorized activities on the system.

Question 5

Event ID 7040

Answer 5

(Service status change): This event indicates a change in service startup type, which could be from manual to automatic or vice versa. If a crucial service’s startup type is changed, it could be a sign of system tampering.