
Is it possible to delete some or all user session logon datetime records from Windows Vista? Is there any mechanism to give me confidence that individual records aren't deleted even if there isn't a public API call for that action?

Jeff Ferland
trapsed
  • Isn't it just a matter of hitting the delete button when viewing the logs? – Ramhound Sep 17 '12 at 14:09
  • @Ramhound I believe the log deletion in Windows (at least, via supported methods) is an all-or-nothing deal. You can delete the entire Security log, but not simply delete individual entries or just entries applying to a certain user or event type. – Iszi Sep 17 '12 at 14:51
  • @Iszi That's correct. When you clear the log, it deletes all entries, then adds an entry stating that you deleted the logs. – Polynomial Sep 20 '12 at 12:15
  • IMO this question has nothing to do with security. Nonetheless the simple answer is: you can't. Read this [answer](http://serverfault.com/questions/8339/how-can-i-remove-specific-events-from-the-event-log-in-windows-server-2008) for more details. – a0viedo Sep 18 '12 at 15:07
  • @Polynomial - So what is the problem? The author is willing to delete **ALL** of the logs in question. – Ramhound Sep 24 '12 at 12:52
  • http://windowssecrets.com/langalist-plus/make-more-space-by-deleting-log-files/ This site describes the procedure for disabling Windows logs, and I can say that this question suits Super User. – BlueBerry - Vignesh4303 Sep 24 '12 at 12:57
  • @Ramhound So it does! Just seemed to imply a partial delete, for some reason. – Polynomial Sep 24 '12 at 13:03
  • I'd actually love to know what your real goal is. Anyway, even if you clear the logs, this shouldn't be confused with removing all traces of the user from the machine. It turns out that users leave other tidbits behind... cached credentials, a profile, etc. So clearing logs, while it removes some of the history, doesn't remove all traces of the user having ever been there. If that's your goal, the logs are the easy part. Many other things can still lurk long after the logs are gone. – Eric Fleischman Sep 24 '12 at 15:16

2 Answers


You can clear an entire event log, but not individual entries.

If you're an administrator on the machine, you can go into Event Viewer and clear the Security log by right-clicking it, going into Properties, then clicking Clear Log. This will remove all entries, then add one entry that states the time and user ID that cleared the log.

Keep in mind that this may not necessarily destroy all traces of the security logs, since remnants of the logon event may still exist in other event logs and log files. Furthermore, on systems that belong to a domain, the logon logs may be stored on the Active Directory server as well as on the local machine.

For example, the following logs usually contain duplicate evidence of logons, bootup events, or other activity that can be linked back to a username:

  • Applications and Services » Microsoft » Windows
    • TerminalServices-LocalSessionManager » Operational
    • PrintService » Admin
    • ReadyBoost » Operational
    • User Profile Service » Operational
    • Application-Experience » Program-Telemetry
    • Application-Experience » Program-Compatibility-Assistant
    • Diagnosis-Scheduled » Operational
    • Diagnosis-Scripted » Operational
    • Diagnosis-Scripted » Admin
  • Windows Logs » Application
    • Filter by User != SYSTEM and User != N/A, then order by time. Easy to spot events that correlate to specific times.
Polynomial
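The cross-check described in the answer above (collect the listed channels, drop events whose User is SYSTEM or N/A, order by time), written out as a PowerShell script. This is an added example, not code from the answer; it assumes the Event Viewer folder names map to the Get-WinEvent channel names used below (check `Get-WinEvent -ListLog *` on the machine) and must be run from an elevated prompt to read the Security log.

```powershell
# Added example (not part of the original answer): corroborate logon activity
# for a time window from the channels listed above and check whether the
# Security log still reaches back that far. Channel names are assumed to match
# what Get-WinEvent -ListLog shows on Vista/7; adjust if your system differs.
param(
    [datetime]$Start = (Get-Date).AddDays(-7),
    [datetime]$End   = (Get-Date)
)
# Applications and Services » Microsoft » Windows channels from the answer, plus
# Windows Logs » Application.
$channels = @(
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-PrintService/Admin',
    'Microsoft-Windows-ReadyBoost/Operational',
    'Microsoft-Windows-User Profile Service/Operational',
    'Microsoft-Windows-Application-Experience/Program-Telemetry',
    'Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant',
    'Microsoft-Windows-Diagnosis-Scheduled/Operational',
    'Microsoft-Windows-Diagnosis-Scripted/Operational',
    'Microsoft-Windows-Diagnosis-Scripted/Admin',
    'Application'
)
$systemSid = 'S-1-5-18'   # the SID Event Viewer displays as SYSTEM

$events = foreach ($log in $channels) {
    if (-not (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue)) {
        Write-Warning "Channel not present: $log"; continue
    }
    # "No events were found" is a non-terminating error here; ignore it.
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue
}

# Drop User == SYSTEM and User == N/A (no SID recorded), then order by time.
$events |
    Where-Object { $_.UserId -and $_.UserId.Value -ne $systemSid } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id,
        @{ Name = 'User'; Expression = {
            try { $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $_.UserId.Value } } },
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Clearing leaves no record older than the clear event itself, so if the oldest
# surviving Security entry is newer than $Start, records for the window are gone.
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $oldest -or $oldest.TimeCreated -gt $Start) {
    Write-Warning "Security log does not cover $Start; rely on the channels above."
}
```

Events from the secondary channels that fall in the window while the Security log starts after it are the corroborating evidence the answer describes.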

Technically it is not possible to delete single events within the EventLog. At least, I do not know of a publicly known API that does this within the EventLog call. There is a "Clear" method which removes all the entries, not just specific ones.

All we can do is filter the logs.

Metahuman
  • http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hc_save_log_message.mspx?mfr=true Microsoft provided this link on how to delete event logs. – BlueBerry - Vignesh4303 Sep 24 '12 at 13:03
  • @vignesh4303 Note that the link you provided shows how to delete *all* logs, not just one. It's still valid, but it's an important difference. – Polynomial Sep 25 '12 at 07:36