This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Community FAQ
Register | Log In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- Reports & Analytics
- Malware detection Security report
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Register to ask a question, start a topic or share an idea
Join the Community
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-16-2016 07:40 AM
Trying to make some very cool for security.
Looking for report which shows any admin group account logins over the last 30 days and any failed login attempts.
next I would like a list of any items listed in the following
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
• HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
• HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
• HKCU\Software\Microsoft\Windows\CurrentVersion\RunonceEx
Lastly, I would also like for this to report on the critical signs of attempted takeover via security events in the system event logs.
Windows 7 regular expressions
SOURCE EventID Number
".*APPCRASH.*" Application 1001
".*he protected system file.*" Application 64004
".*EMET_DLL Module logged the following event:.*" Application 2
.*your virus/spyware.* Application
".*A new process has been created\..*" Security 4688
".*A service was installed in the system\..*" Security 4697
".*A scheduled task was created\..*" Security 4698
".*Logon Type:[\W]*(3|10).*" Security 4624, 4625
".*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.*" Security 4657
".*service terminated unexpectedly\..*" System 7034
".*service was successfully sent a.*" System 7035
Looking for report which shows any admin group account logins over the last 30 days and any failed login attempts.
next I would like a list of any items listed in the following
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
• HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
• HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
• HKCU\Software\Microsoft\Windows\CurrentVersion\RunonceEx
Lastly, I would also like for this to report on the critical signs of attempted takeover via security events in the system event logs.
Windows 7 regular expressions
SOURCE EventID Number
".*APPCRASH.*" Application 1001
".*he protected system file.*" Application 64004
".*EMET_DLL Module logged the following event:.*" Application 2
.*your virus/spyware.* Application
".*A new process has been created\..*" Security 4688
".*A service was installed in the system\..*" Security 4697
".*A scheduled task was created\..*" Security 4698
".*Logon Type:[\W]*(3|10).*" Security 4624, 4625
".*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.*" Security 4657
".*service terminated unexpectedly\..*" System 7034
".*service was successfully sent a.*" System 7035
Solved! Go to Solution.
Labels:
- Labels:
-
Report Center
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-04-2016 07:56 PM
We received and answered this question via email. For everyone else's benefit, I'm pasting the reply we sent via email below.
When Lansweeper scans a Windows computer, it automatically detects the currently logged on Windows user and adds a logon event for this user to the Lansweeper database. This information is stored in the tblcplogoninfo database table. We've included a sample report at the end of this email (report 1) that lists logon events detected for administrators on your Windows computers in the last 30 days. You can add a report like this to your Lansweeper installation by following these instructions.
You can report on failed logins by reporting on related Event Viewer entries on your Windows computers. We've included another sample report (report 2) at the end of this email that lists instances of two specific events detected on your Windows computers in the last 30 days. You can replace what we've highlighted in yellow with your own event IDs. A similar report can also be used to list the security events referenced at the end of your email. Keep in mind that:
- Lansweeper only scans error events by default. To enable scanning of additional event types, follow these instructions.
- As far as we know, failed logins are not logged in Event Viewer by default. You'll likely first need to enable logging of these events on your computers themselves. In the group policy editor of your computers, under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, you can edit the following policies to enable auditing: "Audit account logon events" and "Audit logon events".
The registry scanning feature in Lansweeper can only be used to scan specific registry values, not list all values in a registry key. However, information on which programs automatically start when a Windows computer is booted is automatically scanned by Lansweeper. We do not scan this information through the registry, but through WMI. WMI (Windows Management Instrumentation) is a framework built into Windows operating systems that stores system information. To build a report listing programs that are automatically started:
- Open the report builder under Reports\Create New Report.
- Double-click on tblAutorun and tblAutorunUni in the table list on the right to add the tables to your report.
- In the visual representation of the report in the upper section of the report builder, tick the fields in the tables that you would like to display.
- Give your report a title and hit Save & Run.
Report 1
Select Distinct Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.IPAddress,
tsysOS.OSname,
tblAssets.SP,
tblCPlogoninfo.Username,
tblCPlogoninfo.Domain As Userdomain,
tblCPlogoninfo.logontime
From tblAssets
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tblCPlogoninfo On tblAssets.AssetID = tblCPlogoninfo.AssetID
Inner Join tblUsersInGroup On tblUsersInGroup.AssetID = tblCPlogoninfo.AssetID
And tblUsersInGroup.Username = tblCPlogoninfo.Username And
tblUsersInGroup.Domainname = tblCPlogoninfo.Domain
Where tblCPlogoninfo.logontime > GetDate() - 30 And tblUsersInGroup.Admingroup = 1
Order By tblCPlogoninfo.logontime Desc
Report 2Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tsysOS.OSname,
tblAssets.SP,
tblNtlog.Eventcode,
Case tblNtlog.Eventtype When 1 Then 'Error' When 2 Then 'Warning'
When 3 Then 'Information' When 4 Then 'Success Audit'
When 5 Then 'Failure Audit' End As Type,
tblNtlog.TimeGenerated,
tblNtlogFile.Logfile,
tblNtlogMessage.Message,
tblNtlogSource.Sourcename,
tblNtlogUser.Loguser
From tblAssets
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogUser On tblNtlogUser.LoguserID = tblNtlog.LoguserID
Where tblNtlog.Eventcode In (1000, 1001 ) And tblNtlog.TimeGenerated > GetDate() - 30
Order By tblNtlog.TimeGenerated Desc
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-04-2016 07:56 PM
We received and answered this question via email. For everyone else's benefit, I'm pasting the reply we sent via email below.
When Lansweeper scans a Windows computer, it automatically detects the currently logged on Windows user and adds a logon event for this user to the Lansweeper database. This information is stored in the tblcplogoninfo database table. We've included a sample report at the end of this email (report 1) that lists logon events detected for administrators on your Windows computers in the last 30 days. You can add a report like this to your Lansweeper installation by following these instructions.
You can report on failed logins by reporting on related Event Viewer entries on your Windows computers. We've included another sample report (report 2) at the end of this email that lists instances of two specific events detected on your Windows computers in the last 30 days. You can replace what we've highlighted in yellow with your own event IDs. A similar report can also be used to list the security events referenced at the end of your email. Keep in mind that:
- Lansweeper only scans error events by default. To enable scanning of additional event types, follow these instructions.
- As far as we know, failed logins are not logged in Event Viewer by default. You'll likely first need to enable logging of these events on your computers themselves. In the group policy editor of your computers, under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, you can edit the following policies to enable auditing: "Audit account logon events" and "Audit logon events".
The registry scanning feature in Lansweeper can only be used to scan specific registry values, not list all values in a registry key. However, information on which programs automatically start when a Windows computer is booted is automatically scanned by Lansweeper. We do not scan this information through the registry, but through WMI. WMI (Windows Management Instrumentation) is a framework built into Windows operating systems that stores system information. To build a report listing programs that are automatically started:
- Open the report builder under Reports\Create New Report.
- Double-click on tblAutorun and tblAutorunUni in the table list on the right to add the tables to your report.
- In the visual representation of the report in the upper section of the report builder, tick the fields in the tables that you would like to display.
- Give your report a title and hit Save & Run.
Report 1
Select Distinct Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.IPAddress,
tsysOS.OSname,
tblAssets.SP,
tblCPlogoninfo.Username,
tblCPlogoninfo.Domain As Userdomain,
tblCPlogoninfo.logontime
From tblAssets
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tblCPlogoninfo On tblAssets.AssetID = tblCPlogoninfo.AssetID
Inner Join tblUsersInGroup On tblUsersInGroup.AssetID = tblCPlogoninfo.AssetID
And tblUsersInGroup.Username = tblCPlogoninfo.Username And
tblUsersInGroup.Domainname = tblCPlogoninfo.Domain
Where tblCPlogoninfo.logontime > GetDate() - 30 And tblUsersInGroup.Admingroup = 1
Order By tblCPlogoninfo.logontime Desc
Report 2Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tsysOS.OSname,
tblAssets.SP,
tblNtlog.Eventcode,
Case tblNtlog.Eventtype When 1 Then 'Error' When 2 Then 'Warning'
When 3 Then 'Information' When 4 Then 'Success Audit'
When 5 Then 'Failure Audit' End As Type,
tblNtlog.TimeGenerated,
tblNtlogFile.Logfile,
tblNtlogMessage.Message,
tblNtlogSource.Sourcename,
tblNtlogUser.Loguser
From tblAssets
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogUser On tblNtlogUser.LoguserID = tblNtlog.LoguserID
Where tblNtlog.Eventcode In (1000, 1001 ) And tblNtlog.TimeGenerated > GetDate() - 30
Order By tblNtlog.TimeGenerated Desc
Reports & Analytics
Ask about reports you're interested in and share reports you've created. Subscribe to receive daily updates of reports shared in the Community.
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- Duplicate assets after deploying IT Agent in General Discussions
- Linux and MacOS antivirus detection in Product Discussions
- Custom Server report in Reports & Analytics
- Issues with windows update versions and detected CVEs in General Discussions
- A particular microsoft security update is not detected by lansweeper for some computer in domain. in General Discussions
