Windows - SIEM Events Rationalisation

The document discusses various Windows event log events and whether each should be removed from or kept in log monitoring. It provides explanations for many of the events and potential URLs for more information. The majority of events are recommended for removal from monitoring.

Uploaded by jawad

| sourcetype | EventCode | comments | remove | Comments2 | URL |
|---|---|---|---|---|---|
| WinEventLog:Application | 100 | start up | Remove | | |
| WinEventLog:Application | 10000 | Failed to engage a Terminal Services session on a Windows 2k3 server | Remove | Arguably this setting could be useful for intrusion attempts on Win 2k3 devices but these log messages can be sourced from elsewhere. | |
| WinEventLog:Application | 10032 | Updates failed | Keep | This message has some usefulness in terms of alerting when the WSUS service side update fails, but overall if a patch installation has failed, it will be apparent from interrogation of the SCOM or WSUS UI | https://nitishkumar.net/tag/event-id-10032/ |
| WinEventLog:Application | 101 | task scheduler failed to start a scheduled job | remove | This event arguably could have some bearing on security as it could alert to the presence of APTs - but we are stretching the imagination with this | https://social.technet.microsoft.com/Forums/windows/en-US/cdf859c2-e9a7-4795-9ad2-18b29ff5e920/task-scheduler-event-id-101-error-value?forum=winserver8gen |
| WinEventLog:Application | 116 | Microsoft Exchange OLEDB was unable to initialize event system cor | remove | | https://www.experts-exchange.com/questions/26286141/Exc |
| WinEventLog:Application | 12344 | File Server Resource Manager finished syncing claims from Active Directory and encountered errors during the sync, there is no such object on the server | remove | | |
| WinEventLog:Application | 1517 | Windows saved user <user name> registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account. | remove | | http://www.eventid.net/display-eventid-1517-source-Userenv-eventno-1206-phase-1.htm |
| WinEventLog:Application | 15268 | hyper-v failed to get disk information | remove | | |
| WinEventLog:Application | 15281 | SQL Server blocked access to procedure ‘dbo.sp_get_sqlagent_properties’ of component ‘Agent XPs’ because this component is turned off as part of the security configuration for this server | remove | | |
| WinEventLog:Application | 16385 | Failed to schedule Software Protection service for re-start | remove | service added as a scheduled job but fails to start or restart - usually fixed by just removing it | |
| WinEventLog:Application | 17069 | This event is logged whenever SQL server starts up. If you're trying to correlate the end of an outage with an SQL instance starting up, this is the event you're looking for | remove | | |
| WinEventLog:Application | 17101 | | remove | | |
| WinEventLog:Application | 17103 | | remove | | |
| WinEventLog:Application | 17104 | | remove | | |
| WinEventLog:Application | 17111 | | remove | | |
| WinEventLog:Application | 17183 | notice of recycling logs locally | remove | | |
| WinEventLog:Application | 17184 | reinitialisation of local logging process | remove | | |
| WinEventLog:Application | 17202 | | remove | | |
| WinEventLog:Application | 17203 | invalid trace directory | remove | | https://community.dynamics.com/crm/f/117/t/265705 |
| WinEventLog:Application | 18210 | backup failed | remove | | |
| WinEventLog:Application | 18264 | SQL server database backup | remove | | |
| WinEventLog:Application | 18496 | | remove | | |
| WinEventLog:Application | 18950 | | remove | | |
| WinEventLog:Application | 20226 | VPN / remote connection terminated | remove | | |
| WinEventLog:Application | 20249 | Lost contact with a Sandbox Client. | remove | | |
| WinEventLog:Application | 2362 | Related to a deprecated feature of SQL server | remove | | |
| WinEventLog:Application | 3421 | | remove | | |
| WinEventLog:Application | 4097 | Event ID 4097 is produced on joining a Windows 2012 Server to a SBS 2003 domain for the first time. | remove | | |
| WinEventLog:Application | 4610 | a security subsystem such as kerberos was started | remove | | |
| WinEventLog:Application | 49904 | | remove | | |
| WinEventLog:Application | 49916 | | remove | | |
| WinEventLog:Application | 49917 | | remove | | |
| WinEventLog:Application | 5 | | remove | | |
| WinEventLog:Application | 6701 | | remove | | |
| WinEventLog:Application | 6702 | | remove | | |
| WinEventLog:Application | 6704 | | remove | | |
| WinEventLog:Application | 6705 | | remove | | |
| WinEventLog:Application | 8198 | | remove | | |
| WinEventLog:Application | 8311 | | remove | | |
| WinEventLog:Application | 10311 | | remove | | |
| WinEventLog:Application | 12299 | | remove | | |
| WinEventLog:Application | 18960 | | remove | | |
| WinEventLog:Application | 20246 | | remove | | |
| WinEventLog:Application | 20248 | | remove | | |
| WinEventLog:Application | 216 | | remove | | |
| WinEventLog:Application | 24589 | | remove | | |
| WinEventLog:Application | 34 | | remove | | |
| WinEventLog:Application | 6290 | | remove | | |
| WinEventLog:Application | 6299 | | remove | | |
| WinEventLog:Application | 7886 | | remove | | |
| WinEventLog:Application | 8356 | | remove | | |
| WinEventLog:Application | 9666 | | remove | | |
| WinEventLog:Application | 1023 | | remove | | |
| WinEventLog:Application | 12309 | | remove | | |
| WinEventLog:Application | 1314 | | remove | | |
| WinEventLog:Application | 17890 | | remove | | |
| WinEventLog:Application | 2004 | | remove | | |
| WinEventLog:Application | 2159 | | remove | | |
| WinEventLog:Application | 218 | | remove | | |
| WinEventLog:Application | 4101 | | remove | | |
| WinEventLog:Application | 9003 | | remove | | |
| WinEventLog:Application | 1026 | | remove | | |
| WinEventLog:Application | 1101 | | remove | | |
| WinEventLog:Application | 1104 | | remove | | |
| WinEventLog:Application | 18267 | | remove | | |
| WinEventLog:Application | 20227 | | remove | | |
| WinEventLog:Application | 2370 | | remove | | |
| WinEventLog:Application | 325 | | remove | | |
| WinEventLog:Application | 326 | | remove | | |
| WinEventLog:Application | 3355 | | remove | | |
| WinEventLog:Application | 3402 | | remove | | |
| WinEventLog:Application | 3406 | | remove | | |
| WinEventLog:Application | 3407 | | remove | | |
| WinEventLog:Application | 3760 | | remove | | |
| WinEventLog:Application | 4356 | | remove | | |
| WinEventLog:Application | 6000 | | remove | | |
| WinEventLog:Application | 1010 | | remove | | |
| WinEventLog:Application | 1022 | | remove | | |
| WinEventLog:Application | 3014 | | remove | | |
| WinEventLog:Application | 327 | | remove | | |
| WinEventLog:Application | 8224 | | remove | | |
| WinEventLog:Application | 108 | | remove | | |
| WinEventLog:Application | 2 | | remove | | |
| WinEventLog:Application | 5084 | | remove | | |
| WinEventLog:Application | 103 | | remove | | |
| WinEventLog:Application | 18944 | | remove | | |
| WinEventLog:Application | 18957 | | remove | | |
| WinEventLog:Application | 102 | | remove | | |
| WinEventLog:Application | 105 | | remove | | |
| WinEventLog:Application | 17420 | | remove | | |
| WinEventLog:Application | 201 | | remove | | |
| WinEventLog:Application | 2138 | | remove | | |
| WinEventLog:Application | 23379 | | remove | | |
| WinEventLog:Application | 24591 | | remove | | |
| WinEventLog:Application | 26090 | | remove | | |
| WinEventLog:Application | 5401 | | remove | | |
| WinEventLog:Application | 912 | | remove | | |
| WinEventLog:Application | 17573 | | remove | | |
| WinEventLog:Application | 65 | | remove | | |
| WinEventLog:Application | 17192 | | remove | | |
| WinEventLog:Application | 2017 | | remove | | |
| WinEventLog:Application | 17972 | | remove | | |
| WinEventLog:Application | 2137 | | remove | | |
| WinEventLog:Application | 50 | | remove | | |
| WinEventLog:Application | 833 | | remove | | |
| WinEventLog:Application | 17189 | | remove | | |
| WinEventLog:Application | 528 | | remove | | |
| WinEventLog:Application | 906 | | remove | | |
| WinEventLog:Application | 2080 | | remove | | |
| WinEventLog:Application | 64 | | remove | | |
| WinEventLog:Application | 18204 | | remove | | |
| WinEventLog:Application | 18959 | | remove | | |
| WinEventLog:Application | 1035 | | remove | | |
| WinEventLog:Application | 700 | | remove | | |
| WinEventLog:Application | 1033 | | remove | | |
| WinEventLog:Application | 1034 | | remove | | |
| WinEventLog:Application | 1530 | | remove | | |
| WinEventLog:Application | 701 | | remove | | |
| WinEventLog:Application | 8313 | | remove | | |
| WinEventLog:Application | 6003 | | remove | | |
| WinEventLog:Application | 3041 | | remove | | |
| WinEventLog:Application | 12291 | | remove | | |
| WinEventLog:Application | 28673 | | remove | | |
| WinEventLog:Application | 18732 | | remove | | |
| WinEventLog:Application | 18832 | | remove | | |
| WinEventLog:Application | 2163 | | remove | | |
| WinEventLog:Application | 5586 | | remove | | |
| WinEventLog:Application | 8197 | | remove | | |
| WinEventLog:Application | 2003 | | remove | | |
| WinEventLog:Application | 1008 | | remove | | |
| WinEventLog:Application | 3 | | remove | | |
| WinEventLog:Application | 1315 | | remove | | |
| WinEventLog:Application | 12014 | | remove | | |
| WinEventLog:Application | 18702 | | remove | | |
| WinEventLog:Application | 4354 | | remove | | |
| WinEventLog:Application | 259 | | remove | | |
| WinEventLog:Application | 8230 | | remove | | |
| WinEventLog:Application | 18454 | | keep | failed SQL logins | https://gallery.technet.microsoft.com/SQL-Server-Login-Failure-8252820b |
| WinEventLog:Application | 17137 | | remove | | |
| WinEventLog:Application | 1309 | | remove | | |
| WinEventLog:Application | 113 | | remove | | |
| WinEventLog:Application | 12289 | | remove | | |
| WinEventLog:Application | 9009 | | remove | | |
| WinEventLog:Application | 2330 | | remove | | |
| WinEventLog:Application | 8210 | | remove | | |
| WinEventLog:Application | 12288 | | remove | | |
| WinEventLog:Application | 2158 | | remove | | |
| WinEventLog:Application | 12293 | | remove | | |
| WinEventLog:Application | 257 | | remove | | |
| WinEventLog:Application | 4 | | remove | | |
| WinEventLog:Application | 705 | | remove | | |
| WinEventLog:Application | 208 | | remove | | |
| WinEventLog:Application | 1704 | | remove | | |
| WinEventLog:Application | 512 | | remove | | |
| WinEventLog:Application | 1001 | | remove | | |
| WinEventLog:Application | 18845 | | remove | | |
| WinEventLog:Application | 510 | | remove | | |
| WinEventLog:Application | 502 | | remove | | |
| WinEventLog:Application | 17418 | | remove | | |
| WinEventLog:Application | 1000 | | remove | | |
| WinEventLog:Application | 3006 | | remove | | |
| WinEventLog:Application | 10031 | | remove | | |
| WinEventLog:Application | 8306 | | remove | | |
| WinEventLog:Application | 0 | | remove | | |
| WinEventLog:Application | 18949 | | remove | | |
| WinEventLog:Application | 256 | | remove | | |
| WinEventLog:Application | 258 | | remove | | |
| WinEventLog:Application | 18689 | | remove | | |
| WinEventLog:Application | 6398 | | remove | | |
| WinEventLog:Application | 3005 | | remove | | |
| WinEventLog:Application | 978 | | remove | | |
| WinEventLog:Application | 121 | | remove | | |
| WinEventLog:Application | 6482 | | remove | | |
| WinEventLog:Application | 18265 | | remove | | |
| WinEventLog:Application | 1041 | | remove | | |
| WinEventLog:Application | 16384 | | remove | | |
| WinEventLog:Application | 903 | | remove | | |
| WinEventLog:Application | 1066 | | remove | | |
| WinEventLog:Application | 900 | | remove | | |
| WinEventLog:Application | 902 | | remove | | |
| WinEventLog:Application | 1003 | | remove | | |
| WinEventLog:Application | 9002 | | remove | | |
| WinEventLog:Application | 18456 | | investigate | needs some investigation - it's about failed token based logins to SQL Server | |
| WinEventLog:Application | 18453 | | remove | this is for a successful login on SQL Server | |
| WinEventLog:Directory-Serv | 1083 | | remove | | |
| WinEventLog:Directory-Serv | 1955 | Active Directory encountered a write conflict when applying replicated changes to an object. | remove | | |
| WinEventLog:Directory-Serv | 1162 | | remove | related to Compaq and SNMP values | |
| WinEventLog:Directory-Serv | 2041 | duplication of error messages was suppressed - | remove | | |
| WinEventLog:Directory-Serv | 2887 | A SASL (Negotiate Kerberos NTLM or Digest) LDAP connection attempt was made without a valid signature | keep | attempts were made in the previous 24 hours to make clear text LDAP binds or unsigned binds - an event of this nature is worth some initial analysis | |
| WinEventLog:Directory-Serv | 700 | | remove | Online defragmentation | |
| WinEventLog:Directory-Serv | 701 | | remove | insufficient memory | |
| WinEventLog:Directory-Serv | 1226 | | remove | duplicate objects | |

| WinEventLog:Security | 1105 | | remove | Event log automatic backup | |
| WinEventLog:Security | 4720 | | keep | A user account was created | |
| WinEventLog:Security | 4722 | | keep | user account was enabled | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4722 |
| WinEventLog:Security | 4724 | | keep | password reset attempted | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4724 |
| WinEventLog:Security | 4754 | | keep | just means a group other than a distribution group was created. | https://www.ultimatewindowssecurity.com/securitylog/encyc |
| WinEventLog:Security | 5378 | | keep | Can't imagine a case where this event would be reported, even if we see 2 of them here. | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5378 |
| WinEventLog:Security | 683 | | keep | tells us when a RDP session is disconnected as opposed to logged off, could be useful on rare occasions | |
| WinEventLog:Security | 4663 | | remove | Surprised there's not more of these. The messages could be useful but MS has over-engineered things. These messages are useful for developers perhaps. | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663 |
| WinEventLog:Security | 4695 | | remove | the chances of this message leading to potential malware or other unauthorised actions being detected are low. More likely there will be lots of false positives | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4695 |
| WinEventLog:Security | 4700 | | trial | worth keeping this, although be aware that there are likely to be some false positives. Suggest to trial and see how it goes. | |
| WinEventLog:Security | 4701 | scheduled task disabled | keep | fairly un-noisy, so probably worth keeping | |
| WinEventLog:Security | 4755 | | keep | a group was changed | |
| WinEventLog:Security | 4825 | A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group | keep | | |
| WinEventLog:Security | 4692 | Backup of data protection master key was attempted | remove | Noise. Not what it says on the tin. | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4692 |
| WinEventLog:Security | 4697 | A service was installed in the system | keep | Worth keeping - starting up a new service can be a malware indicator | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697 |
| WinEventLog:Security | 4728 | A member was added to a security-enabled global group | keep | | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728 |
| WinEventLog:Security | 4733 | A member was removed from a group | remove | | |
| WinEventLog:Security | 4735 | A security-enabled local group was changed | keep | | |
| WinEventLog:Security | 4737 | A security-enabled global group was changed | keep | | |
| WinEventLog:Security | 551 | User initiated logoff | keep | | |
| WinEventLog:Security | 4627 | Group membership information | keep | Identifies the account that requested the logon - NOT the user who just logged on. | |
| WinEventLog:Security | 4756 | A member was added to a security-enabled universal group | keep | | |
| WinEventLog:Security | 4954 | Windows Firewall Group Policy settings has changed. The new settings have been applied | keep | Keep, but not if local firewalls are not being used. May as well keep - it's not too noisy. | |
| WinEventLog:Security | 4718 | System security access was removed from an account | remove | | |
| WinEventLog:Security | 5141 | documents the revocation of logon rights such as "Access this computer from the network" or "Logon as a service". | keep | | |
| WinEventLog:Security | 680 | Account Used for Logon by | keep | It's not clear what the designed usage purpose of this message is - it appears when a user tries to logon with no domain membership, so you'll see it with some brute force attempts | http://forum.ultimatewindowssecurity.com/Topic778-129-1.aspx |
| WinEventLog:Security | 5137 | A directory service object was created | keep | | |
| WinEventLog:Security | 5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network | remove | count of 24 tells us that Windows Firewall isn't in extensive usage or it's poorly configured | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5031 |
| WinEventLog:Security | 4740 | A user account was locked out | keep | expected low volume of traffic - can be useful in some investigations | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740 |
| WinEventLog:Security | 4693 | Recovery of data protection master key was attempted | remove | | |
| WinEventLog:Security | 4702 | A scheduled task was updated | keep | | |
| WinEventLog:Security | 4723 | An attempt was made to change an account's password | keep | | |
| WinEventLog:Security | 601 | Attempt to install service | keep | | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=601 |
| WinEventLog:Security | 4801 | Workstation unlocked | remove | | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4801 |
| WinEventLog:Security | 4647 | User initiated logoff | keep | This event seems to be in place of 4634 in the case of Interactive and RemoteInteractive (remote desktop) logons. This is a plus since it makes it easier to distinguish between logoffs resulting from an idle network session and logoffs where the user actually logs off from his console. | |
| WinEventLog:Security | 4738 | A user account was changed | keep | | |
| WinEventLog:Security | 4798 | A user's local group membership was enumerated | keep | classic indicator of malware activity | |
| WinEventLog:Security | 4904 | an attempt was made to register an events source | keep | potential unauthorised activity indicator, although quite unlikely, aside from attempts to obscure logs by filling them with drivel | |
| WinEventLog:Security | 4905 | An attempt was made to unregister a security event source | keep | | |
| WinEventLog:Security | 4931 | An Active Directory replica destination naming context was modified | remove | | |
| WinEventLog:Security | 4742 | A computer account was changed | keep | not clear as to the actual usefulness of this | |
| WinEventLog:Security | 4767 | A user account was unlocked | keep | could be useful - for example - a dormant JML account is unlocked | |
| WinEventLog:Security | 515 | A trusted logon process has registered with the Local Security Authority | keep | An occurrence of event 515 is logged at startup and occasionally afterwards for each logon process on the system. | |
| WinEventLog:Security | 4800 | The workstation was locked | keep | When either a user manually locks his workstation or the workstation automatically locks its console after a period of inactivity this event is logged. | |
| WinEventLog:Security | 4779 | A session was disconnected from a Window Station | keep | more particular to a RDP logoff | |
| WinEventLog:Security | 4778 | A session was reconnected to a Window Station | keep | RDP | |
| WinEventLog:Security | 528 | Successful Network Logon | keep | Event 528 is logged whenever an account logs on to the local computer, except for in the event of network logons | |
| WinEventLog:Security | 598 | Failed to release memory allocation | keep | | https://kb.eventtracker.com/evtpass/evtPages/EventId_598_WDSMC_63244.asp |
| WinEventLog:Security | 4653 | | investigate | not clear how useful this is - if it is generated in response to failed VPN connections then it's probably worth keeping | |
| WinEventLog:Security | 4770 | A Kerberos service ticket was renewed | keep | Kerberos limits how long a ticket is valid. If a ticket expires when the user is still logged on, Windows automatically contacts the domain controller to renew the ticket which triggers this event. | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4770 |
| WinEventLog:Security | 4793 | The Password Policy Checking API was called | remove | Looks like a legacy code, should have been removed years ago but wasn't | |
| WinEventLog:Security | 552 | Logon attempt using explicit credentials | keep | Another type of login message, this one is useful for tracking user account switching | |
| WinEventLog:Security | 6416 | A new external device was recognized by the system | keep | seems like this message is generated whenever any device is inserted, not just USBs | |
| WinEventLog:Security | 4696 | A primary token was assigned to process | keep | | |
| WinEventLog:Security | 578 | Privileged object operation | remove | this is about use of rights as opposed to assigning of rights - likely to be very noisy with little security value | |
| WinEventLog:Security | 577 | unable to load registry | remove | This message can cover a whole plethora of problems, mostly operational, and mostly not security. There is a chance that malware can corrupt registries, however other layers of security can deal with this issue | |
| WinEventLog:Security | 4933 | Synchronization of a replica of an Active Directory naming context has ended | remove | word on the street is it's not so useful | |
| WinEventLog:Security | 4932 | Synchronization of a replica of an Active Directory naming context has begun | remove | | |
| WinEventLog:Security | 599 | Unprotection of auditable protected data | investigate | A program used the CryptUnprotectData function to read data encrypted by Data Protection API (DPAPI). The name of the encrypted data is provided in the event message, but because this name is determined by the program that originally created the encrypted data, it might not be recognizable. This type of event can be a result of unauthorised access to encrypted passwords - but exactly how useful is it? needs some investigation | |
| WinEventLog:Security | 5059 | Key migration operation | remove | | |
| WinEventLog:Security | 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections | remove | remove for servers because use of local packet filters is hard to justify based on TCO v risk - apart from mobile users/EUDs | |
| WinEventLog:Security | 4611 | A trusted logon process has been registered with the Local Security Authority | remove | lots of noise, little value | |
| WinEventLog:Security | 4771 | Kerberos pre-authentication failed | keep | In Windows Kerberos, password verification takes place during pre-authentication, so in a Kerberos environment one can expect to see this for all password fails | |
| WinEventLog:Security | 4658 | The handle to an object was closed | remove | extremely noisy. If you can match it with a corresponding event 4656 | |
| WinEventLog:Security | 600 | A process was assigned a primary token | remove | Very noisy - remote chance of being able to detect unauthorised behaviour | |
| WinEventLog:Security | 4661 | A handle to an object was requested | remove | Very noisy - remote chance of being able to detect unauthorised behaviour | |
| WinEventLog:Security | 4675 | SIDs were filtered | investigate | why are there so many of these? | |
| WinEventLog:Security | 4985 | | remove | Microsoft cryptic message that even they don't understand | |
| WinEventLog:Security | 5157 | | remove | Windows firewall dropped a packet | |
| WinEventLog:Security | 4656 | | remove | object based events - only useful in cases where fine grained access to files or folders has to be logged | |
| WinEventLog:Security | 4625 | Failed local logon | keep | | |
| WinEventLog:Security | 576 | Privileges assigned to logon account | remove | these privileges are useful to know but this is standard for your IDAM config - you have to know this basically, and telling the user about privileges for logon isn't so helpful | |
| WinEventLog:Security | 540 | Successful network logon | keep | | |
| WinEventLog:Security | 538 | user logoff | keep | for any type of connection | |
| WinEventLog:Security | 5140 | network share was accessed | keep | lots of windows attacks involve exploiting open shares such as ADMIN$ and default hidden shares such as C$ | |
| WinEventLog:Security | 4768 | kerberos ticket requested | remove | This event is logged on domain controllers only and both success and failure instances of this event are logged - remove because you only need logon and logoff events, not this. you already know you have Kerberos | |
| WinEventLog:Security | 4957 | windows firewall did not apply the following rule | remove | | |
| WinEventLog:Security | 5136 | A directory service object was modified | keep | | |
| WinEventLog:Security | 4648 | A logon was attempted using explicit credentials | keep | captures lots of useful events - e.g. a user maps a drive to a server but specifies a different user's credentials | |
| WinEventLog:Security | 4673 | | remove | flags use of privileges. I would say can this one because operationally privileges need to be known anyway and the noise doesn't justify the benefit coming from it | |
| WinEventLog:Security | 4670 | Windows logs this event when someone changes the access control list on an object. | keep | | |
| WinEventLog:Security | 4674 | An operation was attempted on a privileged object | remove | | |
| WinEventLog:Security | 4769 | A Kerberos service ticket was requested | keep | This is different from 4768. Service tickets are obtained whenever a user or computer accesses a server on the network. For example, when a user maps a drive to a file server, the resulting service ticket request generates event ID 4769 on the DC. | |
| WinEventLog:Security | 4776 | | keep | Despite what this event says, the computer is not necessarily a domain controller; member servers and workstations also log this event for logon attempts with local SAM accounts. | |
| WinEventLog:Security | 593 | | Remove | process exited - arguably can help in incident investigation but not so useful on the whole | |
| WinEventLog:Security | 592 | | remove | | |
| WinEventLog:Security | 4672 | This event lets you know whenever an account assigned any "administrator equivalent" user rights logs on. | Keep | | |
| WinEventLog:Security | 5447 | | Remove | | |
| WinEventLog:Security | 4662 | | Remove | Use 5136 if this event is of interest - better info, more useful | |
| WinEventLog:Security | 4703 | | Remove | generally whenever nobody can explain what an event means, it's probably not so useful | |
| WinEventLog:Security | 5158 | | Remove | Too noisy with little return in terms of benefits | |
| WinEventLog:Security | 5061 | | Remove | Vague info on this but enough to know it's not so valuable | |
| WinEventLog:Security | 5058 | | Remove | again - little info on the purpose of this apart from intuitive reading of the description - | |
| WinEventLog:Security | 521 | | Keep | Useful for alerting on event logging failures | |
| WinEventLog:Security | 4689 | | Remove | Not so useful for security, especially not at this cost | |
| WinEventLog:Security | 4688 | | Remove | | |
| WinEventLog:Security | 5156 | | Investigate | Some of these can be interesting but most are not. | |
| WinEventLog:Security | 4634 | | Keep | | |
| WinEventLog:Security | 4624 | An account was successfully logged on | keep | there is a "logon type" field in the message body - this is useful for correlation against different login types | https://www.ultimatewindowssecurity.com/securitylog/encyc |
| WinEventLog:System | 10005 | | remove | | |
| WinEventLog:System | 1004 | | remove | | |
| WinEventLog:System | 1074 | | remove | | |
| WinEventLog:System | 129 | | remove | | |
| WinEventLog:System | 4000 | | remove | | |
| WinEventLog:System | 4006 | | remove | | |
| WinEventLog:System | 44 | | remove | | |
| WinEventLog:System | 7000 | | remove | | |
| WinEventLog:System | 7009 | | remove | | |
| WinEventLog:System | 7031 | | remove | | |
| WinEventLog:System | 10010 | | remove | | |
| WinEventLog:System | 10029 | | remove | | |
| WinEventLog:System | 2 | | remove | | |
| WinEventLog:System | 35 | | remove | | |
| WinEventLog:System | 5807 | | remove | | |
| WinEventLog:System | 1500 | | remove | | |
| WinEventLog:System | 5823 | | remove | | |
| WinEventLog:System | 6038 | | remove | | |
| WinEventLog:System | 1150 | | remove | | |
| WinEventLog:System | 12294 | | remove | | |
| WinEventLog:System | 1502 | | remove | | |
| WinEventLog:System | 45056 | | remove | | |
| WinEventLog:System | 5722 | | remove | | |
| WinEventLog:System | 7011 | | remove | | |
| WinEventLog:System | 1020 | | remove | | |
| WinEventLog:System | 15 | | remove | | |
| WinEventLog:System | 2001 | | remove | | |
| WinEventLog:System | 153 | | remove | | |
| WinEventLog:System | 5723 | | remove | | |
| WinEventLog:System | 1 | | remove | | |
| WinEventLog:System | 20001 | | remove | | |
| WinEventLog:System | 32 | | remove | | |
| WinEventLog:System | 37 | | remove | | |
| WinEventLog:System | 4200 | | remove | | |
| WinEventLog:System | 4201 | | remove | | |
| WinEventLog:System | 7002 | | remove | | |
| WinEventLog:System | 7042 | | remove | | |
| WinEventLog:System | 27 | | remove | | |
| WinEventLog:System | 1064 | | remove | | |
| WinEventLog:System | 98 | | remove | | |
| WinEventLog:System | 1085 | | remove | | |
| WinEventLog:System | 10028 | | remove | | |
| WinEventLog:System | 1503 | | remove | | |
| WinEventLog:System | 16 | | remove | | |
| WinEventLog:System | 5805 | | remove | | |
| WinEventLog:System | 36882 | | remove | | |
| WinEventLog:System | 1030 | | remove | | |
| WinEventLog:System | 1111 | | remove | | |
| WinEventLog:System | 36888 | | remove | | |
| WinEventLog:System | 5186 | | remove | | |
| WinEventLog:System | 4 | | remove | | |
| WinEventLog:System | 14554 | | remove | | |
| WinEventLog:System | 7001 | | remove | | |
| WinEventLog:System | 12503 | | remove | | |
| WinEventLog:System | 12517 | | remove | | |
| WinEventLog:System | 3 | | remove | | |
| WinEventLog:System | 7035 | | remove | | |
| WinEventLog:System | 101 | | remove | | |
| WinEventLog:System | 103 | | remove | | |
| WinEventLog:System | 108 | | remove | | |
| WinEventLog:System | 7040 | | remove | | |
| WinEventLog:System | 26 | | remove | | |
| WinEventLog:System | 7045 | | remove | | |
| WinEventLog:System | 1112 | | remove | | |
| WinEventLog:System | 6013 | | remove | | |
| WinEventLog:System | 10016 | | remove | | |
| WinEventLog:System | 11 | | remove | | |
| WinEventLog:System | 10009 | | remove | | |
| WinEventLog:System | 36887 | | remove | | |
| WinEventLog:System | 7036 | | remove | | |
