Windows driver event logging

Enabling the System Event Audit Log

This topic includes the following information:

How to Enable Security Audit Policy

To enable security audit policy to capture load failures in the audit logs, follow these steps:

Open an elevated Command Prompt window. To open an elevated Command Prompt window, create a desktop shortcut to Cmd.exe, select and hold (or right-click) the Cmd.exe shortcut, and select Run as administrator.

In the elevated Command Prompt window, run the following command:

Restart the computer for the changes to take effect.

The following screen shot shows how to use Auditpol to enable security auditing.

How to Enable Verbose Logging of Code Integrity Diagnostic Events

To enable verbose logging, follow these steps:

Open an elevated Command Prompt window.

Run Eventvwr.exe on the command line.

Under the Event Viewer folder in the left pane of the Event Viewer, expand the following sequence of subfolders:

Applications and Services Logs

Microsoft

Windows

Expand the Code Integrity subfolder under the Windows folder to display its context menu.

Select View.

Select Show Analytic and Debug Logs. Event Viewer will then display a subtree that contains an Operational folder and a Verbose folder.

Select and hold (or right-click) Verbose and then select Properties from the pop-up context menu.

Select the General tab on the Properties dialog box, and then select the Enable Logging option near the middle of the property page. This will enable verbose logging.

Restart the computer for the changes to take effect.

Code Integrity Event Log Messages

The following are warning events that are logged to the Code Integrity operational log:

Code Integrity is unable to verify the image integrity of the file because the file hash could not be found on the system.

Code Integrity detected an unsigned driver.

This event is related to Software Quality Monitoring (SQM).

The following are informational events that are logged to the Code Integrity verbose log:


Code Integrity found a set of per-page image hashes for the file in a catalog.

Code Integrity found a set of per-page image hashes for the file in the image embedded certificate.

Code Integrity found a file hash for the file in a catalog.

Code Integrity found a file hash for the file in the image embedded certificate.

Code Integrity determined an unsigned kernel module is loaded into the system. Check with the publisher to see whether a signed version of the kernel module is available.

Code Integrity is unable to verify the image integrity of the file because the set of per-page image hashes could not be found on the system.

Code Integrity is unable to verify the image integrity of the file because the set of per-page image hashes could not be found on the system. The image is allowed to load because a kernel-mode debugger is attached.

Code Integrity is unable to verify the image integrity of the file because a file hash could not be found on the system. The image is allowed to load because a kernel-mode debugger is attached.

Code Integrity was unable to load the catalog.

Code Integrity successfully loaded the catalog.

Appendix 3: Enable Code Integrity Event Logging and System Auditing

Enable Code Integrity Event Logging and System Auditing

Code Integrity is the kernel-mode component that implements driver signature verification. It generates system events that are related to image verification and logs the information in the Code Integrity log:

The Code Integrity operational log view shows only image verification error events.

The Code Integrity verbose log view shows the events for successful signature verifications.

The following procedure shows how to enable Code Integrity verbose event logging to view all successful operating system loader and kernel-mode image verification events:

To enable Code Integrity verbose event logging

To enable verbose logging, follow these steps:

Open an elevated Command Prompt window.

Run Eventvwr.exe on the command line.

Under the Event Viewer folder in the left pane of the Event Viewer, expand the following sequence of subfolders:

Applications and Services Logs

Microsoft

Windows

Expand the Code Integrity subfolder under the Windows folder to display its context menu.

Select View.

Select Show Analytic and Debug Logs. Event Viewer will then display a subtree that contains an Operational folder and a Verbose folder.

Right-click Verbose and then select Properties from the pop-up context menu.


Select the General tab on the Properties dialog box, and then select the Enable Logging option near the middle of the property page. This will enable verbose logging.

Restart the computer for the changes to take effect.

System audit event records can also be enabled; these include Code Integrity image verification failure events, which are generated when the Windows kernel fails to load a driver because of a signature failure. Similar events are also recorded in the Code Integrity operational event log view.

To enable the audit policy to generate audit events in the system category for failed operations

To enable security audit policy to capture load failures in the audit logs, follow these steps:

Open an elevated Command Prompt window. To open an elevated Command Prompt window, create a desktop shortcut to Cmd.exe, right-click the Cmd.exe shortcut, and select Run as administrator.

In the elevated Command Prompt window, run the following command:

Restart the computer for the changes to take effect.

The following screen shot shows how to use Auditpol to enable security auditing.
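The two procedures above (enabling the Code Integrity verbose log in Event Viewer, and enabling System-category failure auditing with Auditpol) can also be done from an elevated PowerShell session. The following is an added example, not code from the Microsoft documentation; the log names and Level 3 (Warning) are standard Windows values, while the function names and the 24-hour query window are this example's own choices.

```powershell
# Added example (not from the documentation above): enable Code Integrity
# verbose logging and System failure auditing from an elevated PowerShell
# session, verify the settings, and list the warnings the operational log records.

$CiVerboseLog     = 'Microsoft-Windows-CodeIntegrity/Verbose'
$CiOperationalLog = 'Microsoft-Windows-CodeIntegrity/Operational'

function Enable-CodeIntegrityLogging {
    # Equivalent of View -> Show Analytic and Debug Logs -> Verbose -> Properties -> Enable Logging.
    wevtutil set-log $CiVerboseLog /enabled:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil could not enable $CiVerboseLog" }

    # Equivalent of the Auditpol step: audit failed operations in the System category,
    # so a driver the kernel refuses to load for a signature failure is also recorded
    # in the Security log.
    auditpol /set /category:"System" /failure:enable
    if ($LASTEXITCODE -ne 0) { throw 'auditpol could not enable System failure auditing' }

    Write-Host 'Logging enabled; restart the computer for the changes to take effect.'
}

function Get-CodeIntegrityLoggingState {
    # Verify both settings without opening Event Viewer.
    $verbose = [bool]((wevtutil get-log $CiVerboseLog) -match '^enabled:\s*true')
    $audit   = auditpol /get /category:"System" /r | Where-Object { $_ } | ConvertFrom-Csv |
               Select-Object Subcategory, 'Inclusion Setting'
    [pscustomobject]@{ VerboseLogEnabled = $verbose; SystemAuditPolicy = $audit }
}

function Get-CodeIntegrityWarnings {
    param([int]$Hours = 24)
    # Level 3 = Warning. The operational log carries only the image-verification
    # failures listed above (unsigned driver, hash missing from catalog or embedded certificate).
    $filter = @{ LogName = $CiOperationalLog; Level = 3; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Enable-CodeIntegrityLogging
Get-CodeIntegrityLoggingState
Get-CodeIntegrityWarnings -Hours 24 | Format-Table -AutoSize
```

The Get-CodeIntegrityWarnings output is empty until a verification failure has actually occurred after the restart, which is the expected state on a machine loading only signed drivers.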

Storport Event Log Extensions

Like many other types of drivers, Storport miniport drivers must create entries in the system event log to keep administrators informed of the condition of attached storage devices. These event log entries are often created in response to device-related failures. Events can also be logged for telemetry, debugging, and optimization.

Although the Windows kernel itself provides a flexible interface for creating event log entries, the Storport miniport model does not allow miniport drivers to access that interface directly. Instead, Storport provides a wrapper around the kernel’s system event log facility, and miniport drivers use the wrapper to create event log entries.

Specifically, Storport provides the following event log routines:

  • StorPortLogTelemetryEx allows a miniport to log a TraceLogging measures or telemetry event with miniport-customized data (Windows 10 version 1903 and newer).
  • StorPortEtwChannelEvent2, StorPortEtwChannelEvent4, and StorPortEtwChannelEvent8 allow miniports to publish ETW events to a storage trace channel (Windows 10 version 1809 and newer).
  • StorPortLogSystemEvent allows miniports to create an event log entry (Windows 7 and newer).

Storport logs events under the "Microsoft-Windows-Storage-Storport" provider name. Errors are logged in the Operational channel, and debug/analytic events are logged in the Diagnose (Analytic and Debug) channel. When using Event Viewer, you must first enable the Diagnose channel to view it (View -> Show Analytic and Debug Logs).


The above functions are implemented as Storport extended functions and are available to miniport drivers through the existing extended function interface. Use of the extended function interface avoids a direct dynamic link reference to the new functions. By avoiding that direct reference, miniport drivers that use the new functions load properly on operating systems that do not support them, with the call returning STOR_STATUS_NOT_IMPLEMENTED where the function is not supported. In this way, vendors can create a single miniport driver that runs on multiple OS releases and takes advantage of the new event logging functions where they are supported.

Note: In versions of Storport prior to Windows 7, Storport’s system event log interface, StorPortLogError, gave miniport drivers access to a small fraction of the capabilities of the kernel’s system event log facility, which impacts the usefulness of miniport event log entries.

For general information about Windows events, see Windows Events.

Event Logging (Windows Installer)

Windows Events provides a standard, centralized way for applications (and the operating system) to record important software and hardware events. The event-logging service stores events from various sources in a single collection called an event log. Prior to Windows Vista, you would use either Event Tracing for Windows (ETW) or Event Logging to log events. Windows Vista introduced a new eventing model that unifies both ETW and the Windows Event Log API.

The installer also writes entries into the event log. These record events such as the following:

  • Success or failure of the installation; removal or repair of a product.
  • Errors that occur during product configuration.
  • Detection of corrupted configuration data.

If a large amount of information is written, the Event Log file can become full and the installer displays the message, "The Application log file is full."

The installer may write the following entries in the event log. All event log messages have a unique event ID. All general errors authored in the Error table that are returned for an installation that fails are logged in the Application Event Log with a message ID equal to the Error + 10,000. For example, the error number in the Error table for an installation completed successfully is 1707. The successful installation is logged in the Application Event Log with a message ID of 11707 (1707 + 10,000).

For information about how to enable verbose logging on a user’s computer when troubleshooting deployment, see Windows Installer Best Practices.
