WLS 3.2 – new process creation data: ConsoleProcessId, SessionId, WindowStation


WLS 3.2 introduces a few new pieces of data for process creation events.

ConsoleProcessId

A process can define an associated console process. The value, if provided by the process, is logged.

[host] Security: LogType=”WLS”, BaseFileName=”cmd.exe”, Channel=”Security”, CommandLine=”‘C:\Windows\system32\cmd.exe'”, CompanyName=”Microsoft Corporation”, Computer=”[host].[domain]”, ConsoleProcessId=”0xd08″, CreatorProcessName=”explorer”, EventID=”4688″, EventRecordID=”13010758″, ExecutionProcessID=”4″, ExecutionThreadID=”64″, FileDescription=”Windows Command Processor”, FileVersion=”6.1.7601.17514 (win7sp1_rtm.101119-1850)”, InternalName=”cmd”, Keywords=”0x8020000000000000″, Language=”English (United States)”, Length=”345088″, Level=”0″, MD5=”5746BD7E255DD6A8AFA06F7C42C1BA41″, NewProcessId=”0x1250″, NewProcessName=”C:\Windows\System32\cmd.exe”, Opcode=”0″, ProcessId=”0x15a4″, ProductVersion=”6.1.7601.17514″, ProviderGuid=”{54849625-5478-4994-A5BA-3E3B0328C30D}”, ProviderName=”Microsoft-Windows-Security-Auditing”, SessionId=”2″, SHA1=”0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8″, Signed=”Catalog”, SSDeep=”6144:NVl7yDR2iaGcsVXFBM6IT77aVebJWC1jIdDWCoCX9Sm:jdyDRwpmFq6ITSebJWwjIdDbNS”, SubjectDomainName=”[domain]”, SubjectLogonId=”0x940ee”, SubjectUserName=”[user]”, SubjectUserSid=”[SID]”, Task=”13312″, TokenElevationType=”TokenElevationTypeDefault (1)”, ValidSignatureDate=”False”, Version=”0″, WindowStation=”Winsta0\Default”, Zone=”0″

[host] Security: LogType=”WLS”, BaseFileName=”conhost.exe”, Cached=”True”, Channel=”Security”, CommandLine=”\??\C:\Windows\system32\conhost.exe ‘-1619064235-21228482731568564810739129054211757705058345892-390116831-1302099848#000″, CompanyName=”Microsoft Corporation”, Computer=”[host].[domain]”, CreatorProcessName=”csrss”, EventID=”4688″, EventRecordID=”13010759″, ExecutionProcessID=”4″, ExecutionThreadID=”64″, FileDescription=”Console Window Host”, FileVersion=”6.1.7600.16385 (win7_rtm.090713-1255)”, InternalName=”ConHost”, Keywords=”0x8020000000000000″, Language=”English (United States)”, Length=”338432″, Level=”0″, MD5=”BF95EA5809E3BBF55370F7CB309FEBD0″, NewProcessId=”0xd08″, NewProcessName=”C:\Windows\System32\conhost.exe”, Opcode=”0″, ProcessId=”0x1194″, ProductVersion=”6.1.7600.16385″, ProviderGuid=”{54849625-5478-4994-A5BA-3E3B0328C30D}”, ProviderName=”Microsoft-Windows-Security-Auditing”, SessionId=”2″, SHA1=”1BD846AA22B1D63A1F900F6D08D8BFA8082AE4DB”, Signed=”Catalog”, SSDeep=”6144:MvAVUtrTB1pzQdTOKnJoWafxXyn1U+8kbYzwFH1mbRBlOxm:MaaTpzSLSffxXyp8kb5ElY”, SubjectDomainName=”[domain]”, SubjectLogonId=”0x3e7″, SubjectUserName=”[host]$”, SubjectUserSid=”S-1-5-18″, Task=”13312″, TokenElevationType=”TokenElevationTypeDefault (1)”, ValidSignatureDate=”False”, Version=”0″, WindowStation=”Winsta0\Default”, Zone=”0″

SessionId

Previous versions of WLS provided data in regards to session information which could be correlated with the environmental variable SESSIONNAME, but was a bit awkward when viewing child processes that carry forward these variables even when the session has changed. SessionId is now reported for each process and can positively correlate to the correct session, without worrying about inherited environmental variables.

WindowStation

WindowStation is now reported for each process, providing insight into how the process was executed. WinSta0 can display a user interface and can receive user input. Other window stations are non-interactive, and can be used to enforce security restrictions, such as providing a sandboxed environment.

Chrome, for example, makes use of other window stations:

[host] Security: LogType=”WLS”, BaseFileName=”chrome.exe”, Cached=”True”, Channel=”Security”, CLIENTNAME=”[remote_host]”, CommandLine=”‘C:\Program Files (x86)\Google\Chrome\Application\chrome.exe’ –type=renderer –lang=en-US –force-fieldtrials=’BrowserBlacklist/Enabled/ChromeSuggestions/Most Likely with Kodachrome/EmbeddedSearch/Group6 pct:10f stable:pp2 prefetch_results:1 reuse_instant_search_base_page:1/ExtensionInstallVerification/Enforce/GoogleNow/Enable/OmniboxBundledExperimentV1/StandardR4/Prerender/PrerenderEnabled/PrerenderLocalPredictorSpec/LocalPredictor=Disabled/QUIC/Disabled/SafeBrowsingIncidentReportingService/Default/ShowAppLauncherPromo/ShowPromoUntilDismissed/Test0PercentDefault/group_01/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group6/UMA-Population-Restrict/normal/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_10/UMA-Uniformity-Trial-1-Percent/group_06/UMA-Uniformity-Trial-10-Percent/group_08/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_03/UMA-Uniformity-Trial-5-Percent/group_12/UMA-Uniformity-Trial-50-Percent/group_01/VoiceTrigger/Install/’ –extension-process –renderer-print-preview –device-scale-factor=1 –enable-threaded-compositing –enable-delegated-renderer –channel=’616.4.232552611\176135091′ /prefetch:673131151″, CompanyName=”Google Inc.”, Computer=”[host].[domain]”, CreatorProcessName=”chrome”, EventID=”4688″, EventRecordID=”13010449″, ExecutionProcessID=”4″, ExecutionThreadID=”64″, FileDescription=”Google Chrome”, FileVersion=”37.0.2062.103″, InternalName=”chrome_exe”, Keywords=”0x8020000000000000″, Language=”English (United States)”, Length=”852808″, Level=”0″, MD5=”0706DDBD4EA0D122CA069FF2552E20FD”, NewProcessId=”0x1d84″, NewProcessName=”C:\Program Files (x86)\Google\Chrome\Application\chrome.exe”, Opcode=”0″, ProcessId=”0x268″, ProductVersion=”37.0.2062.103″, ProviderGuid=”{54849625-5478-4994-A5BA-3E3B0328C30D}”, ProviderName=”Microsoft-Windows-Security-Auditing”, SessionId=”2″, SESSIONNAME=”RDP-Tcp#0″, SHA1=”627A52C64711BE8132E1D32FD482178E7422CF4F”, Signed=”True”, SSDeep=”12288:59obX26I5VZVX5LTqLEOtPf5R/38i//lIaJJ7XtvKiI245OtCYQpl/ARG4KHFBnk:59GLtXtTRolaKlBnk”, SubjectDomainName=”[domain]”, SubjectLogonId=”0x940ee”, SubjectUserName=”[user]”, SubjectUserSid=”[SID]”, Task=”13312″, TokenElevationType=”TokenElevationTypeDefault (1)”, ValidSignatureDate=”True”, Version=”0″, WindowStation=”Service-0x0-940ee$\sbox_alternate_desktop_0x268″, Zone=”0″

MSDN – Window Stations


For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

WLS 3.2 Released


Performance

  • Replaced WMI calls with native API calls where applicable
  • Faster database maintenance procedures

Features

  • CPU utilization tracking and reporting
  • New process metadata
    • ConsoleProcessId
    • SessionId
    • WindowStation

Fixes

  • Disconnected client resource utilization
  • Additional handling of SEHExceptions
  • Errors for EventRecordIDs > int32.Max

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

WLS 3.1 Released


Performance

  • Over 10x increase in internal throughput
  • Reduced internal latency
  • Improved read/write concurrency
  • Reduced I/O writes

Features

  • Advanced log filtering
  • Detailed statistic logs of log filter matches
  • Certificate monitoring enhanced – all stores now available
  • Configuration hashing – ensure hosts are running the correct configuration
  • Enhanced CommandMonitor – Faster memory searches, includes process name, support for cmd, powershell, and more!
  • Detailed network interface logs on start-up and network change
  • Display names for coded values
  • ETL monitoring for Event Logs and files
  • Per server bandwidth and maximum log length settings
  • Full SSL connection details logged on first connection
  • Input rate limiting – prevent unexpected log floods
  • PrivateMBLimit – prevent WLS from consuming resources on a troubled system
  • SSDeep hashing
  • SessionMonitor – now includes all remote session details for RemoteConnect
  • User SID resolution to user name when present in log
  • Versioning changed – Major.Minor.[Year][DayOfYear].[MinuteOfDay]
  • Registry and file locations now restricted to Local System and Administrators

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

Finding vulnerable OpenSSL DLLs (Heartbleed) with WLS and Splunk


If you are running WLS with ModuleMonitor enabled, you already have logs of all loaded DLLs.

Simply run the following search:

WLS_ModuleMonitor “openssl” FileVersion=”1.0.1*” NOT FileVersion=”1.0.1g”

Results will look similar to:

2014-04-24T11:28:38-05:00 [host] WLS_ModuleMonitor: LogType=”WindowsEventLog”, BaseFileName=”ssleay32.dll”, ChangeType=”Added”, CompanyName=”The OpenSSL Project, http://www.openssl.org/”, FileDescription=”OpenSSL Shared Library”, FileName=”C:\Program Files\MakerBot\MakerWare\ssleay32.dll”, FileVersion=”1.0.1e”, InternalName=”ssleay32″, Language=”English (United States)”, Length=”343040″, MD5=”A49B52FB216AD1524C902A41A433A1E1″, Process=”makerware”, ProductVersion=”1.0.1e”, SHA1=”F21CBCC5F291C1D841581FDBBBF854B315D71248″, WLSKey=”35505″, Zone=”0″


For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

Decoding Event Log Provider Message IDs


When reviewing event logs in Event Viewer, the General tab shows event details in a human readable format, including displaying localized strings.

general_tab

However, when viewing the log on the Details tab in Friendly or XML view some of this “decoding” is not performed.

detail_friendly detail_xml

The Problem

WLS uses the XML version of logs, so these same codes were passed along instead of the localized string. For many logs this was OK since it was fairly easy to find the code in question and the corresponding value. While exploring this further (at customer request), I found that for some logs these values can change by host and version of the software generating the logs, as it is dependent on the provided message files. This made my previous plan to use static lookup tables unfeasible.

The Solution

The files that contain localized event log messages are identified for each event source in the registry at HKLM\SYSTEM\CurrentControlSet\services\eventlog\$logname$\$channel$. For example, Security log message files are identified at:

HKLM\SYSTEM\CurrentControlSet\services\eventlog\Security\Security

registry_eventlog_parameter_file

If you open the file identified as the ParameterMessageFile in a resource viewer you’ll see a message table for each language code with a list of messaged IDs and values.

resource

Now that we have the message IDs and the file to decode them, decoding them is easy with a call to FormatMessage, which expects a handle to the message file and a message ID. The message file is loaded as a data file with LoadLibraryEx and the returned handle and a message ID are passed to FormatMessage. If successful, our string buffer now contains the message.

WLS performs the above actions if DecodeProviderString is enabled. A new field will be created with the decoded value, or if ReplaceProviderString is enabled, the original field value will be replaced with the decoded value.

Example

Field added:

[host] Security: LogType="WLS", BaseFileName="audiodg.exe", Channel="Security", CompanyName="Microsoft Corporation", Computer="[host].[domain]", CreatorProcessName="svchost", EventID="4688", EventRecordID="11668699", ExecutionProcessID="4", ExecutionThreadID="56", FileDescription="Windows Audio Device Graph Isolation", FileVersion="6.1.7600.16385 (win7_rtm.090713-1255)", InternalName="audioadg.exe", Keywords="0x8020000000000000", Language="English (United States)", Length="126464", Level="0", MD5="D5CCA1453B98A5801E6D5FF0FF89DC6C", NewProcessId="0x3188", NewProcessName="C:\Windows\System32\audiodg.exe", Opcode="0", ProcessId="0x214", ProductVersion="6.1.7600.16385", ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}", ProviderName="Microsoft-Windows-Security-Auditing", SHA1="F033FD30AACD0183BFC30861891A92B56AC2468B", Signed="Catalog", SubjectDomainName="NT AUTHORITY", SubjectLogonId="0x3e5", SubjectUserName="LOCAL SERVICE", SubjectUserSid="S-1-5-19", Task="13312", TokenElevationType="%%1936", TokenElevationTypeValue="TokenElevationTypeDefault (1)", ValidSignatureDate="False", Version="0", Zone="0"

Value replaced:

[host] Security: LogType="WLS", BaseFileName="audiodg.exe", Channel="Security", CompanyName="Microsoft Corporation", Computer="[host].[domain]", CreatorProcessName="svchost", EventID="4688", EventRecordID="11668699", ExecutionProcessID="4", ExecutionThreadID="56", FileDescription="Windows Audio Device Graph Isolation", FileVersion="6.1.7600.16385 (win7_rtm.090713-1255)", InternalName="audioadg.exe", Keywords="0x8020000000000000", Language="English (United States)", Length="126464", Level="0", MD5="D5CCA1453B98A5801E6D5FF0FF89DC6C", NewProcessId="0x3188", NewProcessName="C:\Windows\System32\audiodg.exe", Opcode="0", ProcessId="0x214", ProductVersion="6.1.7600.16385", ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}", ProviderName="Microsoft-Windows-Security-Auditing", SHA1="F033FD30AACD0183BFC30861891A92B56AC2468B", Signed="Catalog", SubjectDomainName="NT AUTHORITY", SubjectLogonId="0x3e5", SubjectUserName="LOCAL SERVICE", SubjectUserSid="S-1-5-19", Task="13312", TokenElevationType="TokenElevationTypeDefault (1)", ValidSignatureDate="False", Version="0", Zone="0"


For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.