Previous Next Table of Contents

13. NT Logging and Backdoors

This section contains info regarding logging and backdoors for NT.

13.1 Where are the common log files in NT?

These are located in %root%\SYSTEM32\CONFIG. They are:

As a hacker do not worry about the AppEvent.Evt file much -- you are mainly concerned with items in the regular event log (the SysEvent.Evt file) and the security log (the SecEvent.Evt). By default regular users should be able to read the regular event log, and you may wish to look that over if you can to see if your "visit" left a trace. If it did and the entries look out of place, consider adding entries from other users that are similiar by accessing the system as these other users.

You have to have Administrative Group rights to view the security event log. And you'll certainly want to check that to see what is in it.

13.2 How do I edit/change NT log files without being detected?

Well this can be a little tricky as these files are locked in place during NT's operation. You have a couple of choices at this time -- wipe the logs or try to add stuff to them to add camoflage obfuscation. Not elegant, but better than nothing.


Previous Next Table of Contents