What are event logs?
Per Wikipedia, "Event logs record events taking place in the execution of a system to provide an audit trail that can be used to understand the activity of the system and to diagnose problems. They are essential to understand the activities of complex systems, particularly in applications with little user interaction (such as server applications)."
This definition would apply to system administrators, IT technicians, desktop engineers, etc. If the endpoint is experiencing an issue, the event logs can be queried to see any clues about what led to the issue. The operating system, by default, writes messages to these logs.
As defenders (blue teamers), there is another use case for event logs. "It can also be useful to combine log file entries from multiple sources. This approach, in combination with statistical analysis, may yield correlations between seemingly unrelated events on different servers."
This is where SIEMs (Security information and event management) such as Splunk and Elastic come into play.
If you don't know exactly what a SIEM is used for, the room includes a visual overview of its capabilities (image credit: Varonis).
Even though it's possible to access a remote machine's event logs directly, connecting to machines one at a time is not feasible in a large enterprise environment. Instead, the logs from all the endpoints, appliances, etc., are forwarded to a SIEM, where you can query the logs from many devices at once rather than connecting to each device to view its logs.
Windows is not the only operating system that uses a logging system. Linux and macOS do as well. For example, on Linux systems, the logging system is known as Syslog. Within this room, though, we're only focusing on the Windows logging system called Windows Event Logs.
Room Machine
Before moving forward, please deploy the machine.
You can use the AttackBox and Remmina to connect to the remote machine. Make sure the remote machine is deployed before proceeding.
Click on the plus icon, as shown below.

For Server, provide MACHINE_IP, the IP address provided to you for the remote machine. The credentials for the user account are:
User name: administrator
User password: blueT3aming!

Accept the Certificate when prompted, and you should be logged into the remote system now.
Note: The virtual machine may take up to 3 minutes to load.
Let's begin... No answer needed
Event Viewer
The Windows Event Logs are not text files that can be viewed with a text editor: events are stored in a proprietary binary format with a .evt (legacy, pre-Windows Vista) or .evtx (Windows Vista and later) extension. The raw data can be rendered as XML through the Windows API. The .evtx log files typically reside in C:\Windows\System32\winevt\Logs.
There are 3 main ways of accessing these event logs within a Windows system:
Event Viewer (GUI-based application)
Wevtutil.exe (command-line tool)
Get-WinEvent (PowerShell cmdlet)
Each method of accessing the event logs has its pros and cons. In this section, we'll look at the Event Viewer first.
In any Windows system, the Event Viewer (an MMC [Microsoft Management Console] snap-in) can be launched by simply right-clicking the Windows icon in the taskbar and selecting Event Viewer.

For the savvy sysadmins that use the CLI much of their day, Event Viewer can be launched by typing eventvwr.msc at a command prompt, in the Run dialog, or in PowerShell.
Event Viewer has 3 panes.
The pane on the left provides a hierarchical tree listing of the event log providers.
The pane in the middle will either display a general overview and summary or the events specific to a selected provider.
The pane on the right is the actions pane.
There are 5 types of events that can be logged. In brief (summarised from docs.microsoft.com):
Error: an event that indicates a significant problem, such as loss of data or loss of functionality.
Warning: an event that is not necessarily significant but may indicate a possible future problem.
Information: an event that describes the successful operation of an application, driver, or service.
Success Audit: an event that records an audited security access attempt that succeeded.
Failure Audit: an event that records an audited security access attempt that failed.
On the left pane, the standard logs are visible under Windows Logs. In brief (summarised from docs.microsoft.com):
Application: events logged by applications and programs; the developer decides what gets logged.
Security: audit events such as logons, object access, and privilege use, recorded according to the audit policy. Reading it requires administrative rights (or membership in Event Log Readers).
Setup: events related to Windows installation and setup.
System: events logged by Windows system components, such as a driver or service failing to load.
Forwarded Events: events collected from other computers through event subscriptions.
The next section is the Applications and Services Logs. Expand this section and drill down on Microsoft > Windows > PowerShell > Operational.
PowerShell will log operations from the engine, providers, and cmdlets to the Windows event log.
Right-click on Operational then Properties.

Within Properties, you can see the log's path on disk, its current size, and when it was created, modified, and last accessed. You can also see the maximum log size and the action taken when that size is reached: overwrite events as needed (oldest first), archive the log when full, or do not overwrite events (clear manually). Choosing among these is log rotation, and it is a retention decision organizations of every size have to make: how long to keep logs, and when it is acceptable to overwrite them with new data.
Lastly, notice the Clear Log button at the bottom right. There are legitimate reasons to use this button, but adversaries will likely clear the logs to cover their tracks. Note: this is not the only way to clear an event log (wevtutil cl does the same, as does the Clear-EventLog cmdlet for classic logs), and clearing a log is itself an auditable event.
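The two things a defender wants from the Properties dialog and the Clear Log button are, respectively, to know which logs will overwrite themselves before anyone looks at them, and to notice when someone has cleared a log. Both can be checked from PowerShell. The script below is an added example, not part of the room; it assumes an elevated session on the machine being examined (reading the Security log needs administrator rights). The event IDs it relies on are documented Windows behaviour: clearing the Security log writes Event ID 1102 to the Security log, and clearing any other log writes Event ID 104 to the System log, both from the Microsoft-Windows-Eventlog provider and both naming the account that did it.

```powershell
# Added example, not part of the room: review retention settings and hunt for
# log-clearing events. Run from an elevated PowerShell session.

# 1. Retention settings for the logs an investigation usually depends on.
#    LogMode: Circular = overwrite events as needed, AutoBackup = archive the
#    log when full, Retain = do not overwrite events (writes fail when full).
$logs = 'Security', 'System', 'Application', 'Microsoft-Windows-PowerShell/Operational'
Get-WinEvent -ListLog $logs |
    Select-Object LogName, LogMode, IsLogFull, RecordCount,
        @{ n = 'MaxSizeMB'; e = { [math]::Round($_.MaximumSizeInBytes / 1MB, 1) } },
        @{ n = 'UsedMB';    e = { [math]::Round($_.FileSize / 1MB, 1) } },
        LogFilePath |
    Format-Table -AutoSize

# 2. Clearing a log is itself logged, together with the account that did it:
#      Security log cleared  -> Event ID 1102 in the Security log
#      any other log cleared -> Event ID 104  in the System log
#    (provider Microsoft-Windows-Eventlog for both). An attacker who clears
#    logs to hide activity produces one of these, so both are worth alerting on.
$cleared = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 1102 } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System';   ID = 104  } -ErrorAction SilentlyContinue
)

foreach ($e in $cleared) {
    # Both events carry their fields under UserData/LogFileCleared; read them
    # from the event XML instead of parsing the rendered Message text.
    $lfc     = ([xml]$e.ToXml()).Event.UserData.LogFileCleared
    $channel = if ($e.Id -eq 104) { $lfc.Channel } else { 'Security' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        EventID    = $e.Id
        ClearedLog = $channel
        Account    = '{0}\{1}' -f $lfc.SubjectDomainName, $lfc.SubjectUserName
        Computer   = $e.MachineName
    }
}
```

If part 2 prints nothing, no clearing has been recorded since the last time those logs themselves rotated; that is exactly why part 1 matters, because a Security log left at a small maximum size in Circular mode can roll the 1102 out of existence before anyone reads it.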
Focus your attention on the middle pane. Remember from earlier that this pane will display the events specific to a selected provider. In this case, PowerShell/Operational.

From the above image, notice the event provider's name and the number of events logged. In this case, there are 44 events logged. You might see a different number. No worries, though.
A brief explanation for each column:
The first column is Level, which is the event type. Recall from earlier there are 5 different event types. This first entry is labeled as Information.
Next is Date and Time, which is when the event was logged.
The third column Source is the name of the software that logs the event. From the above image, the source is PowerShell.
Events are identified by IDs (Event ID), which is the fourth column. Note that Event IDs are unique only within a provider, not across the system: Event ID 4103 in the above image means Executing Pipeline for the PowerShell provider, but the same number can have an entirely different meaning in another event log. Always filter on the log or provider together with the ID.
Lastly is Task Category, which is an Event Category. This entry will help you organize events so Event Viewer can filter them. The event source defines this column.
The middle pane has a split view. For any event, you click on the event, and more information is displayed in the bottom half of the middle pane.
This section has 2 tabs: General and Details.
General is the default view, and the rendered data is displayed.
The Details view has 2 options: Friendly view and XML view.
Below is a snippet of the General view.

Lastly, take a look at the Actions pane. There are several options available, but we'll only focus on a few. Please examine all the actions that can be performed at your own leisure if you're not familiar with MMC snap-ins.
As you should have noticed, within the Actions pane you can open a saved log (an exported .evtx file). This is useful when the remote machine can't be accessed directly: the logs can be exported and provided to the analyst. You will perform this action a little later.
Create Custom View and Filter Current Log are nearly identical. The only difference between the two is that the By log and By source radio buttons are grayed out in Filter Current Log, because that filter applies only to the log currently selected, so there is no reason to choose a log or a source.
Why are these actions useful? Say, for instance, you don't want all the events associated with PowerShell/Operational cluttering the pane and you're only interested in 4104 events. Both actions can express that filter; the difference is that a custom view is saved and can be reused, whereas Filter Current Log is a one-off.
To view event logs from another computer, right-click Event Viewer (Local) > Connect to Another Computer...

That will conclude the general overview of the Event Viewer—time to become familiar with the tool.
Note: Don't forget to deploy the machine for this room before proceeding. Give the room about 3 minutes to fully load.
For the questions below, use Event Viewer to analyze Microsoft-Windows-PowerShell/Operational log. No answer needed
What is the Event ID for the first event? 40961
Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session? whoami
What is the Task Category for Event ID 4104? Execute a Remote Command
For the questions below, use Event Viewer to analyze the Windows PowerShell log. No answer needed
What is the Task Category for Event ID 800? Pipeline Execution Details
wevtutil.exe
Ok, you played around with Event Viewer. Imagine you have to sit there and manually sift through hundreds or even thousands of events (even after filtering the log). Not fun. It would be nice if you could write scripts to do this work for you. We will explore some tools that will allow you to query event logs via the command line and/or PowerShell.
Let's look at wevtutil.exe first. Per Microsoft, the wevtutil.exe tool "enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs."
As with any tool, access its help files to find out how to run the tool. An example of a command to do this is wevtutil.exe /?.

From the above screenshot, under Usage, you are provided a brief example of how to use the tool.
In this example, ep (enum-publishers) is used. This is a command for wevtutil.exe.
The other commands are el (enum-logs), gl (get-log), sl (set-log), gp (get-publisher), im (install-manifest), um (uninstall-manifest), qe (query-events), gli (get-log-info), epl (export-log), al (archive-log) and cl (clear-log).
Lastly, within the help information for wevtutil.exe are the Common options, which apply to every command: /r (remote computer), /u (user name), /p (password), /a (authentication type: Default, Negotiate, Kerberos or NTLM) and /uni (Unicode output).
Notice at the bottom of the above snapshot, wevtutil COMMAND /?. This will provide additional information specific to a command.
Let's get more information on the command qe (query-events). Its options are /lf (the log argument is a path to a log file), /sq (the argument is a structured query file), /q (an XPath query), /bm and /sbm (use and save a bookmark), /rd (read direction; true reads the newest events first), /l (locale), /f (output format: XML, Text or RenderedXml), /c (maximum number of events to read) and /e (enclose XML output in a root element).
Look over the information within the help menu to fully understand how to use this command.
Ok, great! You have enough information to use this tool; time to answer some questions. It is always recommended to explore the tool and its related information at your own leisure.
Note: You can get more information about using this tool by visiting the online help documentation at docs.microsoft.com.
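Before the questions, here is the wevtutil workflow an analyst actually runs, as an added example that is not part of the room: inspect a log's configuration, read its newest events, push a filter into the query with XPath instead of scrolling text, export the log to preserve it, and query the exported file. It assumes C:\Evidence as a working directory and runs from PowerShell; every command and option used (gl, qe, epl, /c, /rd, /f, /q, /lf) is one from wevtutil's own help.

```powershell
# Added example, not part of the room: a typical wevtutil workflow, run from
# PowerShell. Commands: gl = get-log, qe = query-events, epl = export-log.
# Options: /c = count, /rd = read direction, /f = output format, /q = XPath
# query, /lf = treat the log argument as a path to a log file.
# C:\Evidence is an assumed working directory.

$log = 'Microsoft-Windows-PowerShell/Operational'

# 1. Is the log enabled, and what are its size and retention settings?
wevtutil gl $log

# 2. Newest five events, newest first, rendered as text (the same form the
#    Application query in the questions below uses).
wevtutil qe $log /c:5 /rd:true /f:text

# 3. Filter on the server side with XPath instead of post-processing text:
#    Event ID 4104 (script block logging) from the last 24 hours.
#    timediff() compares @SystemTime with now and is expressed in milliseconds.
$xpath = '*[System[(EventID=4104) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'
wevtutil qe $log "/q:$xpath" /f:text

# 4. Preserve the Security log before it rotates. epl writes the same .evtx
#    binary format that Event Viewer opens with "Open Saved Log" and that
#    Get-WinEvent -Path reads. (epl refuses to overwrite an existing file,
#    hence the timestamp in the name.)
New-Item -ItemType Directory -Force -Path 'C:\Evidence' | Out-Null
$export = 'C:\Evidence\Security-{0}.evtx' -f (Get-Date -Format 'yyyyMMdd-HHmmss')
wevtutil epl Security $export

# 5. Query the exported file instead of the live log. /lf:true tells wevtutil
#    that the first argument is a file path rather than a log name.
wevtutil qe $export /lf:true /c:3 /rd:true /f:text
```

Step 3 is the one to remember: the XPath is evaluated by the event log service, so only matching events cross the pipe, which is the same mechanism Event Viewer's Filter Current Log (XML tab) and Get-WinEvent -FilterXPath use.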
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator> wevtutil.exe el | Measure-Object
Count : 1071
Average :
Sum :
Maximum :
Minimum :
Property :
How many log names are in the machine? 1071
What is the definition for the query-events command? Reads events from an event log, from a log file, or using a structured query.
What option would you use to provide a path to a log file? /lf:true
What is the VALUE for /q? XPATH query
The questions below are based on this command: wevtutil qe Application /c:3 /rd:true /f:text No answer needed
PS C:\Users\Administrator> wevtutil qe Application /c:3 /rd:true /f:text
Event[0]:
Log Name: Application
Source: Microsoft-Windows-Security-SPP
Date: 2022-09-04T17:59:13.095
Event ID: 16384
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: WIN-1O0UJBNP9G7
Description:
Successfully scheduled Software Protection service for re-start at 2022-09-12T00:51:13Z. Reason: RulesEngine.
Event[1]:
Log Name: Application
Source: Microsoft-Windows-Security-SPP
Date: 2022-09-04T17:58:20.078
Event ID: 16394
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: WIN-1O0UJBNP9G7
Description:
Offline downlevel migration succeeded.
Event[2]:
Log Name: Application
Source: Desktop Window Manager
Date: 2022-09-04T17:54:48.465
Event ID: 9027
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: WIN-1O0UJBNP9G7
Description:
The Desktop Window Manager has registered the session port.
What is the log name? Application
What is the /rd option for? Event read direction
What is the /c option for? Maximum number of events to read
Get-WinEvent
On to the next tool. Now we'll examine a PowerShell cmdlet called Get-WinEvent. Per Microsoft, the Get-WinEvent cmdlet "gets events from event logs and event tracing log files on local and remote computers."
A more detailed explanation, from the same documentation: Get-WinEvent reads events from event logs, including classic logs such as System and Application, from logs generated by the Windows Event Log technology introduced in Windows Vista, and from log files generated by Event Tracing for Windows (ETW). By default it returns events from newest to oldest.
Note: The Get-WinEvent cmdlet replaces the Get-EventLog cmdlet.
As with any new tool (in this case a PowerShell cmdlet), it's good practice to read the Get-Help documentation to become acquainted with its capabilities. Get-Help Get-WinEvent -Examples prints the worked examples locally once help content has been installed with Update-Help; the full reference is online at docs.microsoft.com.
Look over the examples provided in the Get-Help documentation. Some tasks might require some PowerShell-fu, while others don't. Even if your PowerShell-fu is not up to par, fret not; each example has a detailed explanation of the commands/cmdlets used.
Let's talk a bit about filtering.
Generally speaking, you can filter event logs as such Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' }.

Tip: If you are ever working on a Windows evaluation virtual machine that is cut off from the Internet, it will eventually start shutting down every hour; the WLMS (Windows Licensing Monitoring Service) events filtered for above are where that shows up. ;^)
When working with large event logs, it's inefficient to send every object down the pipeline to Where-Object, because the filtering happens on the client after all the events have already been read. Microsoft recommends the Get-WinEvent cmdlet's FilterHashtable parameter instead, which passes the filter to the event log service so only matching events are returned.
The same query as above, with FilterHashtable in place of Where-Object, is Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='WLMS'}.
In case you're wondering, the results of the two commands are the same.
The syntax of a hash table is as follows: @{ <name> = <value>; [<name> = <value>] ... }
Guidelines for defining a hash table (from the PowerShell about_Hash_Tables documentation):
Begin the hash table with an at sign (@).
Enclose the hash table in braces ({}).
Enter one or more key/value pairs for the content of the hash table.
Use an equal sign (=) to separate each key from its value.
Use a semicolon (;) or a line break to separate the key/value pairs.
Keys or values that contain spaces must be enclosed in quotation marks.
Note: You don't need to use a semicolon if you separate each key/value with a new line as in the screenshot above for the -FilterHashtable for ProviderName='WLMS'.
Below are the accepted key/value pairs for the Get-WinEvent FilterHashtable parameter (key, data type, and what it filters on):
LogName <String[]>: the log name(s), e.g. Application or Microsoft-Windows-PowerShell/Operational.
ProviderName <String[]>: the event source(s).
Path <String[]>: path(s) to .evtx, .evt or .etl files instead of live logs.
Keywords <Long[]>: event keywords, as numeric values.
ID <Int32[]>: event ID(s).
Level <Int32[]>: event level (1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose).
StartTime <DateTime> and EndTime <DateTime>: the time window to search.
UserID <SID>: the security identifier of the user the event is associated with.
Data <String[]>: values in the event's unnamed data fields.
<named-data> <String[]>: any named field in the event's EventData, used as the key itself.
When building a query with a hash table, Microsoft recommends building the hash table one key-value pair at a time.
Event Viewer can provide quick information on what you need to build your hash table: select an event and open Details > XML View. The <System> block shows the values that map directly to hash table keys (Provider Name to ProviderName, EventID to ID, Level to Level, Channel to LogName), and the <EventData> block shows the named fields you can filter on as <named-data> keys.
Based on this information, the hash table is assembled from those values, one key/value pair at a time.
For more information on creating Get-WinEvent queries with FilterHashtable, check the official Microsoft documentation docs.microsoft.com.
Since we're on the topic of Get-WinEvent and FilterHashtable, here is a command that you might find useful (shared by @mubix):
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property Message | Select-String -Pattern 'SecureString'
You can read more about creating hash tables in general docs.microsoft.com.
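Putting the FilterHashtable guidance together with the event XML, the following is an added example (not part of the room, and not the @mubix one-liner above, which it generalises): it pulls the last day of 4104 script block events with a hash table built one pair at a time, reads the named EventData fields from each event's XML rather than regexing the rendered Message, and flags script blocks containing strings that commonly appear in offensive PowerShell. The keyword list is a constructed starting point, not a signature set; $ComputerName and the 24-hour window are assumptions you would change.

```powershell
# Added example, not part of the room: hunt for suspicious PowerShell script
# blocks with Get-WinEvent -FilterHashtable and the event XML.

# Build the hash table one pair at a time (as Microsoft recommends), re-running
# Get-WinEvent after each addition to confirm it still returns what you expect.
$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    ID        = 4104                         # script block logging: "Creating Scriptblock text"
    StartTime = (Get-Date).AddHours(-24)     # assumed window
}

# Constructed keyword list: strings that often show up in offensive PowerShell.
# Tune it to your environment; expect some benign hits (SecureString is also
# used by perfectly normal credential handling).
$suspicious = @(
    'SecureString', 'FromBase64String', 'Invoke-Expression', 'IEX',
    'DownloadString', 'Net.WebClient', '-enc', 'Invoke-Mimikatz',
    'System.Reflection.Assembly', 'AmsiUtils'
)
$pattern = ($suspicious | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Add -ComputerName <host> to query a remote machine, or replace LogName with
# Path = 'C:\Evidence\PowerShell.evtx' in $filter to read an exported file.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    # 4104 EventData fields: MessageNumber/MessageTotal (a long script is split
    # across several events), ScriptBlockText, ScriptBlockId and Path.
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['ScriptBlockText'] -match $pattern) {
        $text = $data['ScriptBlockText'] -replace '\s+', ' '
        [pscustomobject]@{
            Time          = $e.TimeCreated
            UserSid       = $xml.Event.System.Security.UserID
            ScriptBlockId = $data['ScriptBlockId']
            Part          = '{0}/{1}' -f $data['MessageNumber'], $data['MessageTotal']
            Path          = $data['Path']          # empty for interactive / in-memory blocks
            Match         = $Matches[0]
            Snippet       = $text.Substring(0, [math]::Min(120, $text.Length))
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Reading EventData from the XML is the part worth keeping even if you swap the keyword list for real detection logic: the field names are stable, whereas the rendered Message text depends on the message resource DLL being present on the machine that renders it, which is not guaranteed when you are reading an exported .evtx somewhere else.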
Answer the following questions using the online help documentation for Get-WinEvent No answer needed
The listing below is a partial log enumeration in the format that Get-WinEvent -ListLog * produces (the first line has lost its leading columns). The columns are LogMode (Circular = overwrite as needed, Retain = never overwrite), MaximumSizeInBytes, RecordCount (blank where the log is disabled) and LogName:
Microsoft-Windows-Containers-Wcifs/Operational
Circular 1052672 0 Microsoft-Windows-Containers-Wcnfs/Operational
Circular 1052672 0 Microsoft-Windows-CoreApplication/Operational
Circular 1052672 0 Microsoft-Windows-CorruptedFileRecovery-Client/Operational
Circular 1052672 0 Microsoft-Windows-CorruptedFileRecovery-Server/Operational
Circular 1052672 0 Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc
Circular 1052672 Microsoft-Windows-Crypto-DPAPI/Debug
Circular 1052672 48 Microsoft-Windows-Crypto-DPAPI/Operational
Circular 1052672 Microsoft-Windows-Crypto-NCrypt/Operational
Circular 1052672 0 Microsoft-Windows-DAL-Provider/Operational
Circular 1052672 6 Microsoft-Windows-DataIntegrityScan/Admin
Circular 1052672 0 Microsoft-Windows-DataIntegrityScan/CrashRecovery
Circular 1052672 0 Microsoft-Windows-DateTimeControlPanel/Operational
Circular 1052672 0 Microsoft-Windows-DeviceGuard/Operational
Circular 1052672 1 Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Circular 1052672 0 Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational
Circular 1052672 0 Microsoft-Windows-Devices-Background/Operational
Circular 1052672 1228 Microsoft-Windows-DeviceSetupManager/Admin
Circular 1052672 68 Microsoft-Windows-DeviceSetupManager/Operational
Circular 1052672 0 Microsoft-Windows-DeviceSync/Operational
Circular 1052672 0 Microsoft-Windows-DeviceUpdateAgent/Operational
Circular 1052672 4 Microsoft-Windows-Dhcp-Client/Admin
Circular 1052672 Microsoft-Windows-Dhcp-Client/Operational
Circular 1052672 0 Microsoft-Windows-Dhcpv6-Client/Admin
Circular 1052672 Microsoft-Windows-Dhcpv6-Client/Operational
Circular 1052672 19 Microsoft-Windows-Diagnosis-DPS/Operational
Circular 1052672 0 Microsoft-Windows-Diagnosis-PCW/Operational
Circular 1052672 0 Microsoft-Windows-Diagnosis-PLA/Operational
Circular 1052672 21 Microsoft-Windows-Diagnosis-Scheduled/Operational
Circular 1052672 3 Microsoft-Windows-Diagnosis-Scripted/Admin
Circular 1052672 12 Microsoft-Windows-Diagnosis-Scripted/Operational
Circular 1052672 0 Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
Circular 1052672 0 Microsoft-Windows-Diagnostics-Networking/Operational
Circular 1052672 0 Microsoft-Windows-DirectoryServices-Deployment/Operational
Circular 1052672 0 Microsoft-Windows-DiskDiagnostic/Operational
Circular 1052672 0 Microsoft-Windows-DiskDiagnosticDataCollector/Operational
Circular 1052672 0 Microsoft-Windows-DiskDiagnosticResolver/Operational
Circular 1052672 Microsoft-Windows-DisplayColorCalibration/Operational
Circular 1052672 Microsoft-Windows-DNS-Client/Operational
Circular 1052672 Microsoft-Windows-DriverFrameworks-UserMode/Operational
Circular 1052672 0 Microsoft-Windows-DSC/Admin
Circular 1052672 0 Microsoft-Windows-DSC/Operational
Circular 1052672 0 Microsoft-Windows-EapHost/Operational
Circular 1052672 0 Microsoft-Windows-EapMethods-RasChap/Operational
Circular 1052672 0 Microsoft-Windows-EapMethods-RasTls/Operational
Circular 1052672 0 Microsoft-Windows-EapMethods-Sim/Operational
Circular 1052672 0 Microsoft-Windows-EapMethods-Ttls/Operational
Circular 1052672 0 Microsoft-Windows-EDP-Application-Learning/Admin
Circular 1052672 0 Microsoft-Windows-EDP-Audit-Regular/Admin
Circular 1052672 0 Microsoft-Windows-EDP-Audit-TCB/Admin
Circular 1052672 0 Microsoft-Windows-EnrollmentPolicyWebService/Admin
Circular 1052672 0 Microsoft-Windows-EnrollmentWebService/Admin
Circular 1052672 Microsoft-Windows-ESE/Operational
Circular 1052672 0 Microsoft-Windows-EventCollector/Operational
Circular 1052672 0 Microsoft-Windows-Fault-Tolerant-Heap/Operational
Circular 1052672 0 Microsoft-Windows-FeatureConfiguration/Operational
Circular 1052672 0 Microsoft-Windows-FederationServices-Deployment/Operational
Circular 1052672 0 Microsoft-Windows-FileServices-ServerManager-EventProvider/Admin
Circular 1052672 0 Microsoft-Windows-FileServices-ServerManager-EventProvider/Operational
Circular 1052672 0 Microsoft-Windows-FileShareShadowCopyProvider/Operational
Circular 1052672 0 Microsoft-Windows-FMS/Operational
Circular 4194304 0 Microsoft-Windows-Folder Redirection/Operational
Circular 1052672 19 Microsoft-Windows-Forwarding/Operational
Circular 1052672 0 Microsoft-Windows-GenericRoaming/Admin
Circular 1052672 Microsoft-Windows-glcnd/Admin
Circular 4194304 1031 Microsoft-Windows-GroupPolicy/Operational
Circular 1052672 223 Microsoft-Windows-HelloForBusiness/Operational
Circular 1052672 0 Microsoft-Windows-Help/Operational
Circular 1052672 0 Microsoft-Windows-HomeGroup Control Panel/Operational
Circular 1052672 Microsoft-Windows-HttpService/Log
Circular 1052672 Microsoft-Windows-HttpService/Trace
Circular 1052672 0 Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
Circular 1052672 Microsoft-Windows-Hyper-V-Guest-Drivers/Operational
Circular 1052672 0 Microsoft-Windows-Hyper-V-Hypervisor-Admin
Circular 1052672 0 Microsoft-Windows-Hyper-V-Hypervisor-Operational
Circular 1052672 0 Microsoft-Windows-IdCtrls/Operational
Circular 1052672 0 Microsoft-Windows-IKE/Operational
Circular 1052672 0 Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
Circular 1052672 1 Microsoft-Windows-International/Operational
Circular 1052672 0 Microsoft-Windows-Iphlpsvc/Operational
Circular 1052672 0 Microsoft-Windows-KdsSvc/Operational
Circular 1052672 Microsoft-Windows-Kerberos-KdcProxy/Operational
Circular 1052672 Microsoft-Windows-Kerberos/Operational
Circular 1052672 0 Microsoft-Windows-Kernel-ApphelpCache/Operational
Circular 1052672 208 Microsoft-Windows-Kernel-Boot/Operational
Circular 1052672 1 Microsoft-Windows-Kernel-EventTracing/Admin
Circular 1052672 2614 Microsoft-Windows-Kernel-IO/Operational
Circular 1052672 478 Microsoft-Windows-Kernel-PnP/Configuration
Circular 1052672 0 Microsoft-Windows-Kernel-Power/Thermal-Operational
Circular 1052672 29 Microsoft-Windows-Kernel-ShimEngine/Operational
Circular 1052672 0 Microsoft-Windows-Kernel-StoreMgr/Operational
Circular 1052672 0 Microsoft-Windows-Kernel-WDI/Operational
Circular 1052672 0 Microsoft-Windows-Kernel-WHEA/Errors
Circular 1052672 32 Microsoft-Windows-Kernel-WHEA/Operational
Circular 1052672 123 Microsoft-Windows-Known Folders API Service
Circular 1052672 14 Microsoft-Windows-LanguagePackSetup/Operational
Circular 1052672 Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational
Circular 1052672 801 Microsoft-Windows-LiveId/Operational
Circular 1052672 Microsoft-Windows-LSA/Operational
Circular 1052672 0 Microsoft-Windows-ManagementTools-RegistryProvider/Operational
Circular 1052672 0 Microsoft-Windows-ManagementTools-TaskManagerProvider/Operational
Circular 1052672 Microsoft-Windows-MediaFoundation-Performance/SARStreamResource
Circular 1052672 0 Microsoft-Windows-MemoryDiagnostics-Results/Debug
Circular 1052672 0 Microsoft-Windows-MiStreamProvider/Operational
Circular 1052672 0 Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational
Circular 1052672 0 Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin
Circular 1052672 0 Microsoft-Windows-Mprddm/Operational
Circular 1052672 0 Microsoft-Windows-MsLbfoProvider/Operational
Circular 1052672 Microsoft-Windows-MSPaint/Admin
Circular 1052672 0 Microsoft-Windows-MUI/Admin
Circular 1052672 12 Microsoft-Windows-MUI/Operational
Circular 1052672 Microsoft-Windows-Ncasvc/Operational
Circular 1052672 12 Microsoft-Windows-NCSI/Operational
Circular 1052672 Microsoft-Windows-NDIS/Operational
Circular 1052672 0 Microsoft-Windows-NdisImPlatform/Operational
Circular 1052672 0 Microsoft-Windows-NetworkLocationWizard/Operational
Circular 1052672 122 Microsoft-Windows-NetworkProfile/Operational
Circular 1052672 0 Microsoft-Windows-NetworkProvider/Operational
Circular 1052672 0 Microsoft-Windows-NlaSvc/Operational
Circular 1052672 82 Microsoft-Windows-Ntfs/Operational
Circular 1052672 16 Microsoft-Windows-Ntfs/WHC
Circular 1052672 0 Microsoft-Windows-NTLM/Operational
Circular 1052672 0 Microsoft-Windows-OfflineFiles/Operational
Circular 1052672 Microsoft-Windows-OneX/Operational
Circular 1052672 0 Microsoft-Windows-OOBE-Machine-DUI/Operational
Circular 1052672 Microsoft-Windows-OtpCredentialProvider/Operational
Circular 1052672 0 Microsoft-Windows-PackageStateRoaming/Operational
Circular 16777216 17 Microsoft-Windows-Partition/Diagnostic
Circular 1052672 0 Microsoft-Windows-PerceptionRuntime/Operational
Circular 1052672 0 Microsoft-Windows-PerceptionSensorDataService/Operational
Circular 1052672 0 Microsoft-Windows-PersistentMemory-Nvdimm/Operational
Circular 1052672 0 Microsoft-Windows-PersistentMemory-PmemDisk/Operational
Circular 1052672 0 Microsoft-Windows-PersistentMemory-ScmBus/Certification
Circular 1052672 Microsoft-Windows-PersistentMemory-ScmBus/Operational
Circular 1052672 0 Microsoft-Windows-Policy/Operational
Circular 1052672 0 Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/...
Retain 1048985600 0 Microsoft-Windows-PowerShell/Admin
Circular 15728640 730 Microsoft-Windows-PowerShell/Operational
Circular 1052672 0 Microsoft-Windows-PrintBRM/Admin
Circular 1052672 1 Microsoft-Windows-PrintService/Admin
Circular 1052672 Microsoft-Windows-PrintService/Operational
Circular 1052672 0 Microsoft-Windows-PriResources-Deployment/Operational
Circular 1052672 Microsoft-Windows-Program-Compatibility-Assistant/Analytic
Circular 1052672 0 Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade
Circular 1052672 Microsoft-Windows-Proximity-Common/Diagnostic
Circular 1052672 0 Microsoft-Windows-PushNotification-Platform/Admin
Circular 1052672 1674 Microsoft-Windows-PushNotification-Platform/Operational
Circular 1052672 Microsoft-Windows-RasAgileVpn/Operational
Circular 1052672 0 Microsoft-Windows-ReadyBoost/Operational
Circular 1052672 0 Microsoft-Windows-ReFS/Operational
Circular 1052672 0 Microsoft-Windows-Regsvr32/Operational
Circular 1052672 0 Microsoft-Windows-RemoteApp and Desktop Connections/Admin
Circular 1052672 0 Microsoft-Windows-RemoteApp and Desktop Connections/Operational
Circular 1052672 0 Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
Circular 1052672 1186 Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
Circular 1052672 0 Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin
Circular 1052672 0 Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational
Circular 1052672 Microsoft-Windows-Remotefs-Rdbss/Operational
Circular 1052672 21 Microsoft-Windows-Resource-Exhaustion-Detector/Operational
Circular 1052672 3 Microsoft-Windows-Resource-Exhaustion-Resolver/Operational
Circular 1052672 0 Microsoft-Windows-RestartManager/Operational
Circular 1052672 Microsoft-Windows-RRAS/Operational
Circular 1052672 0 Microsoft-Windows-SearchUI/Operational
Circular 1052672 0 Microsoft-Windows-Security-Adminless/Operational
Circular 1052672 0 Microsoft-Windows-Security-Audit-Configuration-Client/Operational
Circular 1052672 0 Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational
Circular 1052672 Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational
Circular 1052672 Microsoft-Windows-Security-IdentityListener/Operational
Circular 1052672 0 Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational
Circular 1052672 121 Microsoft-Windows-Security-Mitigations/KernelMode
Circular 1052672 0 Microsoft-Windows-Security-Mitigations/UserMode
Circular 1052672 0 Microsoft-Windows-Security-Netlogon/Operational
Circular 1052672 0 Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational
Circular 1052672 27 Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter
Circular 1052672 0 Microsoft-Windows-Security-UserConsentVerifier/Audit
Circular 1052672 Microsoft-Windows-SecurityMitigationsBroker/Admin
Circular 1052672 0 Microsoft-Windows-SecurityMitigationsBroker/Operational
Circular 1052672 0 Microsoft-Windows-SENSE/Operational
Circular 1052672 0 Microsoft-Windows-SenseIR/Operational
Circular 1052672 0 Microsoft-Windows-ServerManager-ConfigureSMRemoting/Operational
Circular 1052672 101 Microsoft-Windows-ServerManager-DeploymentProvider/Operational
Circular 1052672 114 Microsoft-Windows-ServerManager-MgmtProvider/Operational
Circular 1052672 0 Microsoft-Windows-ServerManager-MultiMachine/Admin
Circular 1052672 402 Microsoft-Windows-ServerManager-MultiMachine/Operational
Circular 1052672 Microsoft-Windows-ServiceReportingApi/Debug
Circular 1052672 0 Microsoft-Windows-SettingSync-Azure/Debug
Circular 1052672 0 Microsoft-Windows-SettingSync-Azure/Operational
Circular 1052672 0 Microsoft-Windows-SettingSync-OneDrive/Debug
Circular 1052672 0 Microsoft-Windows-SettingSync-OneDrive/Operational
Circular 1052672 60 Microsoft-Windows-SettingSync/Debug
Circular 1052672 2 Microsoft-Windows-SettingSync/Operational
Circular 1052672 0 Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter
Circular 1052672 0 Microsoft-Windows-Shell-Core/ActionCenter
Circular 1052672 683 Microsoft-Windows-Shell-Core/AppDefaults
Circular 1052672 0 Microsoft-Windows-Shell-Core/LogonTasksChannel
Circular 1052672 1507 Microsoft-Windows-Shell-Core/Operational
Circular 1052672 164 Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational
Circular 1052672 0 Microsoft-Windows-SilProvider/Operational
Circular 1052672 0 Microsoft-Windows-SmartCard-Audit/Authentication
Circular 1052672 6 Microsoft-Windows-SmartCard-DeviceEnum/Operational
Circular 1052672 0 Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin
Circular 1052672 0 Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational
Circular 1052672 Microsoft-Windows-SmartScreen/Debug
Circular 8388608 0 Microsoft-Windows-SmbClient/Audit
Circular 8388608 78 Microsoft-Windows-SmbClient/Connectivity
Circular 8388608 0 Microsoft-Windows-SMBClient/Operational
Circular 8388608 0 Microsoft-Windows-SmbClient/Security
Circular 1052672 0 Microsoft-Windows-SMBDirect/Admin
Circular 8388608 0 Microsoft-Windows-SMBServer/Audit
Circular 8388608 0 Microsoft-Windows-SMBServer/Connectivity
Circular 8388608 70 Microsoft-Windows-SMBServer/Operational
Circular 8388608 0 Microsoft-Windows-SMBServer/Security
Circular 1052672 1 Microsoft-Windows-SMBWitnessClient/Admin
Circular 1052672 0 Microsoft-Windows-SMBWitnessClient/Informational
Circular 5242880 212 Microsoft-Windows-StateRepository/Operational
Circular 1052672 0 Microsoft-Windows-StateRepository/Restricted
Circular 1052672 Microsoft-Windows-Storage-ATAPort/Admin
Circular 1052672 Microsoft-Windows-Storage-ATAPort/Operational
Circular 1052672 Microsoft-Windows-Storage-ClassPnP/Admin
Circular 6291456 640 Microsoft-Windows-Storage-ClassPnP/Operational
Circular 1052672 Microsoft-Windows-Storage-Disk/Admin
Circular 1052672 Microsoft-Windows-Storage-Disk/Operational
Circular 1052672 Microsoft-Windows-Storage-Storport/Admin
Circular 6291456 206 Microsoft-Windows-Storage-Storport/Health
Circular 6291456 262 Microsoft-Windows-Storage-Storport/Operational
Circular 1052672 0 Microsoft-Windows-Storage-Tiering/Admin
Circular 1052672 0 Microsoft-Windows-StorageManagement/Operational
Circular 16777216 0 Microsoft-Windows-StorageSpaces-Driver/Diagnostic
Circular 1052672 0 Microsoft-Windows-StorageSpaces-Driver/Operational
Circular 1052672 0 Microsoft-Windows-StorageSpaces-ManagementAgent/WHC
Circular 16777216 0 Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic
Circular 1052672 0 Microsoft-Windows-StorageSpaces-SpaceManager/Operational
Circular 20000000 2413 Microsoft-Windows-Store/Operational
Circular 314572800 8261 Microsoft-Windows-SystemDataArchiver/Diagnostic
Circular 1052672 0 Microsoft-Windows-SystemSettingsThreshold/Operational
Circular 1052672 109 Microsoft-Windows-TaskScheduler/Maintenance
Circular 10485760 Microsoft-Windows-TaskScheduler/Operational
Circular 1052672 0 Microsoft-Windows-TCPIP/Operational
Circular 1052672 0 Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
Circular 1052672 0 Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
Circular 1052672 0 Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
Circular 1052672 143 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Circular 1052672 0 Microsoft-Windows-TerminalServices-PnPDevices/Admin
Circular 1052672 0 Microsoft-Windows-TerminalServices-PnPDevices/Operational
Circular 1052672 6 Microsoft-Windows-TerminalServices-Printers/Admin
Circular 1052672 0 Microsoft-Windows-TerminalServices-Printers/Operational
Circular 1052672 0 Microsoft-Windows-TerminalServices-RDPClient/Operational
Circular 1052672 6 Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
Circular 1052672 77 Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Circular 1052672 0 Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
Circular 1052672 0 Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
Circular 1052672 0 Microsoft-Windows-TerminalServices-SessionBroker-Client/Admin
Circular 1052672 0 Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational
Circular 1052672 0 Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational
Circular 1052672 654 Microsoft-Windows-Time-Service/Operational
Circular 1052672 4 Microsoft-Windows-TWinUI/Operational
Circular 1052672 8 Microsoft-Windows-TZSync/Operational
Circular 1052672 0 Microsoft-Windows-TZUtil/Operational
Circular 1052672 0 Microsoft-Windows-UAC-FileVirtualization/Operational
Circular 1052672 0 Microsoft-Windows-UAC/Operational
Circular 1052672 315 Microsoft-Windows-UniversalTelemetryClient/Operational
Circular 1052672 0 Microsoft-Windows-User Control Panel/Operational
Circular 1052672 53 Microsoft-Windows-User Device Registration/Admin
Circular 4194304 116 Microsoft-Windows-User Profile Service/Operational
Circular 1052672 0 Microsoft-Windows-User-Loader/Operational
Circular 1052672 0 Microsoft-Windows-UserPnp/ActionCenter
Circular 1052672 22 Microsoft-Windows-UserPnp/DeviceInstall
Circular 1052672 0 Microsoft-Windows-VDRVROOT/Operational
Circular 1052672 0 Microsoft-Windows-VerifyHardwareSecurity/Admin
Circular 1052672 Microsoft-Windows-VerifyHardwareSecurity/Operational
Circular 1052672 0 Microsoft-Windows-VHDMP-Operational
Circular 1052672 0 Microsoft-Windows-Volume/Diagnostic
Circular 1052672 64 Microsoft-Windows-VolumeSnapshot-Driver/Operational
Circular 1052672 0 Microsoft-Windows-VPN-Client/Operational
Circular 1052672 0 Microsoft-Windows-VPN/Operational
Circular 1052672 152 Microsoft-Windows-Wcmsvc/Operational
Circular 1052672 Microsoft-Windows-WebAuth/Operational
Circular 5242880 27 Microsoft-Windows-WebAuthN/Operational
Circular 1052672 Microsoft-Windows-WebIO-NDF/Diagnostic
Circular 1052672 Microsoft-Windows-WEPHOSTSVC/Operational
Circular 1052672 0 Microsoft-Windows-WER-PayloadHealth/Operational
Circular 1052672 0 Microsoft-Windows-WFP/Operational
Circular 1052672 80 Microsoft-Windows-Win32k/Operational
Circular 1052672 446 Microsoft-Windows-Windows Defender/Operational
Circular 1052672 0 Microsoft-Windows-Windows Defender/WHC
Circular 1052672 0 Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity
Circular 1052672 Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurit...
Circular 1052672 356 Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Circular 1052672 16 Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics
Circular 1052672 Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose
Circular 1052672 Microsoft-Windows-WindowsColorSystem/Operational
Circular 1052672 83 Microsoft-Windows-WindowsSystemAssessmentTool/Operational
Circular 1052672 Microsoft-Windows-WindowsUIImmersive/Operational
Circular 1052672 71 Microsoft-Windows-WindowsUpdateClient/Operational
Circular 1052672 Microsoft-Windows-WinHTTP-NDF/Diagnostic
Circular 1052672 Microsoft-Windows-WinINet-Capture/Analytic
Circular 1052672 0 Microsoft-Windows-WinINet-Config/ProxyConfigChanged
Circular 1052672 638 Microsoft-Windows-Winlogon/Operational
Circular 1052672 Microsoft-Windows-WinNat/Oper
Circular 1052672 128 Microsoft-Windows-WinRM/Operational
Circular 1052672 Microsoft-Windows-Winsock-AFD/Operational
Circular 1052672 Microsoft-Windows-Winsock-NameResolution/Operational
Circular 1052672 0 Microsoft-Windows-Winsock-WS2HELP/Operational
Circular 1052672 0 Microsoft-Windows-Wired-AutoConfig/Operational
Circular 1052672 1276 Microsoft-Windows-WMI-Activity/Operational
Circular 1052672 0 Microsoft-Windows-WMPNSS-Service/Operational
Circular 1052672 Microsoft-Windows-Wordpad/Admin
Circular 1052672 0 Microsoft-Windows-Workplace Join/Admin
Circular 1052672 0 Microsoft-Windows-WPD-ClassInstaller/Operational
Circular 1052672 0 Microsoft-Windows-WPD-CompositeClassDriver/Operational
Circular 1052672 0 Microsoft-Windows-WPD-MTPClassDriver/Operational
Circular 1052672 Network Isolation Operational
Circular 1052672 0 OpenSSH/Admin
Circular 1052672 0 OpenSSH/Operational
Circular 1052672 10 Setup
Circular 1052672 0 SMSApi
Circular 1052672 Windows Networking Vpn Plugin Platform/Operational
Circular 1052672 Windows Networking Vpn Plugin Platform/OperationalVerbose
Execute the command from Example 1 (as is). What are the names of the logs related to OpenSSH? OpenSSH/Admin,OpenSSH/Operational
PS C:\Users\Administrator> Get-WinEvent -ListProvider *Powershell*
Name : PowerShell
LogLinks : {Windows PowerShell}
Opcodes : {}
Tasks : {Engine Health, Command Health, Provider Health, Engine Lifecycle...}
Name : Microsoft-Windows-PowerShell
LogLinks : {Microsoft-Windows-PowerShell/Operational, Microsoft-Windows-PowerShell/Analytic,
Microsoft-Windows-PowerShell/Debug, Microsoft-Windows-PowerShell/Admin}
Opcodes : {win:Start, win:Stop, Open, Close...}
Tasks : {CreateRunspace, ExecuteCommand, Serialization, Powershell-Console-Startup...}
Name : Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager
LogLinks : {Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational,
Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic,
Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug}
Opcodes : {}
Tasks : {FileDownloadManagerDownload, FileDownloadManagerValidate}
Execute the command from Example 8. Instead of the string Policy search for PowerShell. What is the name of the 3rd log provider? Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager
PS C:\Users\Administrator> (Get-WinEvent -ListProvider Microsoft-Windows-PowerShell).Events | Format-Table Id, Description
Id Description
-- -----------
4097 Computer Name $null or . resolve to LocalHost
4098 Resolving to default scheme http
4099 Remote shell name resolved to default Microsoft.PowerShell
4100 %3...
4101 %3...
4102 %3...
4103 %3...
4104 Creating Scriptblock text (%1 of %2):...
4105 Started invocation of ScriptBlock ID: %1...
4106 Completed invocation of ScriptBlock ID: %1...
7937 %3...
7938 %3...
7939 %3...
7940 %3...
7941 Correlating activity id's. ...
7942 Class Name = %1...
8193 Creating Runspace object ...
8194 Creating RunspacePool object ...
8195 Opening RunspacePool
8196 Modifying activity Id and correlating
8197 Runspace state changed to %1
8198 Attempting session creation retry %1 for error code %2 on session Id %3
12033 Port resolved to %1
12034 AppName resolved to %1
12035 ComputerName resolved to %1
12036 Scheme is %1
12037 Test analytic message
12038 Connection Paramters are ...
12039 Modifying activity Id and correlating
24577 Windows PowerShell ISE has started to run script file %1.
24578 Windows PowerShell ISE has started to run a user-selected script from file %1.
24579 Windows PowerShell ISE is stopping the current command.
24580 Windows PowerShell ISE is resuming the debugger.
24581 Windows PowerShell ISE is stopping the debugger.
24582 Windows PowerShell ISE is stepping into debugging.
24583 Windows PowerShell ISE is stepping over debugging.
24584 Windows PowerShell ISE is stepping out of debugging.
24592 Windows PowerShell ISE is enabling all breakpoints.
24593 Windows PowerShell ISE is disabling all breakpoints.
24594 Windows PowerShell ISE is removing all breakpoints.
24595 Windows PowerShell ISE is setting the breakpoint at line #: %1 of file %2.
24596 Windows PowerShell ISE is removing the breakpoint on line #: %1 of file %2.
24597 Windows PowerShell ISE is enabling the breakpoint on line #: %1 of file %2.
24598 Windows PowerShell ISE is disabling the breakpoint on line #: %1 of file %2.
24599 Windows PowerShell ISE has hit a breakpoint on line #: %1 of file %2.
28673 Successfully rehydrated an object. ...
28674 Failed to rehydrated an object. ...
28675 Serialization depth has been overriden. ...
28676 Serialization mode has been overriden. ...
28677 Serialization of a script property has been skipped, because there is no runspace to use for evaluation of the...
28678 Serialization of a property has been skipped, because property getter failed. ...
28679 Serialization of an enumerable object might not be complete, because object being enumerated threw an exceptio...
28680 Serialization called object's ToString method which failed. ...
28682 Maximum depth below top level has been reached, forcing object to be serialized as strings. ...
28683 XmlException has been thrown by the deserializer (most likely indicating incorrect clixml format). ...
28684 Serialization of specified properties failed, because one of the specified properties was missing. ...
32769 Received object with Runspace Id: %1 Command Id: %2 Destination: %3 DataType: %4 TargetInterface: %5
32775 An unhandled exception occurred in the appdomain. ...
32776 Runspace Id: %1 Pipeline Id: %2. WSMan reported an error with error code: %3. ...
32777 An unhandled exception occurred in the appdomain. ...
32784 Runspace Id: %1 Pipeline Id: %2. WSMan reported an error with error code: %3. ...
32785 Runspace Id %1. Establishing a connection using WSMan Create Shell
32786 Runspace Id %1. Callback received for WSMan Create Shell
32787 Runspace Id: %1. Closing shell using WSManCloseShell
32788 Runspace Id: %1. Callback received for WSManCloseShell
32789 Runspace Id: %1 Pipeline Id: %2. Sending data of size %3
32790 Runspace Id: %1 Pipeline Id: %2. Callback received for WSManSendShellInputEx
32791 Runspace Id: %1 Pipeline Id: %2. Placing Receive request using WSManReceiveShellOutputEx
32792 Runspace Id: %1 Pipeline Id: %2. Received Data of size %3.
32793 Runspace Id %1 Pipeline Id %2. Establishing a command connection using WSManRunShellCommandEx
32800 Runspace Id %1 Pipeline Id %2. Callback received for command connection
32801 Runspace Id: %1 Pipeline Id %2. Closing transport for command
32802 Runspace Id: %1 Pipeline Id %2. Callback received for command close
32803 Runspace Id: %1 Pipeline Id %2. Sending signal with code %3 using WSManSignalShellEx
32804 Runspace Id: %1 Pipeline Id %2. Callback received for WSManSignalShellEx
32805 Runspace Id: %1. Connection is getting redirected to Uri: %2
32849 Runspace Id: %1 Pipeline Id: %2. Server is sending data of size %3 to client. DataType: %4 TargetInterface: %5
32850 Request %1. Creating a server remote session. UserName: %2 Custome Shell Id: %3
32851 Reporting context for request: %1 Context Reported: %1
32852 Reporting operation complete for request: %1 ...
32853 Shell Context %1. Request Id %2. Creating a commonad session for running a command.
32854 Shell Context %1 Command Context %2 Request Id %3. Stopping command.
32855 Shell Context %1 Command Context %2 Request Id %3. Received data from client.
32856 Shell Context %1 Command Context %2 Request Id %3. Client sent a receive request so that server can send data.
32857 Shell Context %1 Command Context %2 IsReceiveOperation %3. Got close operation request.
32865 Loading assembly %1 for custom shell with shell Id %2
32866 Loading type %1 for custom shell with shell Id %2
32867 Received remoting fragment. ...
32868 Sent remoting fragment. ...
32869 Shutting down winrm service.
40961 PowerShell console is starting up
40962 PowerShell console is ready for user input
45057 Tracing ErrorRecord: ...
45058 Exception: ...
45059 Tracing PSObject
45060 Tracing Job: ...
45061 Trace Information: ...
45062 Connection Paramters are ...
45063 Workflow plugin loaded. ...
45064 Workflow execution started. ...
45065 Workflow state changed. ...
45072 Workflow plugin has been requested for a shutdown. ...
45073 Workflow plugin restarted. ...
45074 Workflow is resuming. ...
45075 A quota limit that was set for the endpoint was exceeded. ...
45076 Workflow has resumed. ...
45078 Workflow runspace pool was created. ...
45079 Activity was queued for execution. ...
45080 Activity execution started. ...
45081 Workflow is being imported from a XAML file. ...
45082 Workflow has been imported from a XAML file. ...
45083 Workflow could not be imported from a XAML file because of an error. ...
45084 Workflow validation started. ...
45085 Workflow validation succeeded. ...
45086 Workflow validation failed with error. ...
45087 Workflow activity validated. ...
45088 Workflow activity could not be validated. ...
45089 Activity execution failed. ...
45090 Runspace availability changed. ...
45091 Runspace state changed. ...
45092 Workflow loaded for execution. ...
45093 Workflow unloaded. ...
45094 Workflow execution cancelled. ...
45095 Workflow execution aborted. ...
45096 Workflow cleanup operation executed. ...
45097 Persisted workflow loaded from disk. ...
45098 Workflow data was deleted from disk. ...
45100 Starting remove job. ...
45101 Job state changed. ...
45102 Job error. ...
45104 Job created for workflow (child job). ...
45105 Parent job created for workflow. ...
45106 All required jobs were created for workflow execution. ...
45107 Child job removed for workflow. ...
45108 An error occurred while removing job. ...
45109 Loading workflow for execution. ...
45110 Workflow execution finished. ...
45111 Cancelling workflow execution. ...
45112 Aborting workflow execution. ...
45113 Unloading workflow. ...
45114 Forced workflow shutdown started. ...
45115 Forced workflow shutdown finished. ...
45116 An error occurred while forcefully shutting down a workflow. ...
45117 Persisting workflow to disk. ...
45118 Workflow persisted to disk. ...
45119 Activity execution finished. ...
45120 Workflow execution error. ...
45121 A new PowerShell endpoint was registered. ...
45122 Endpoint configuration modified. ...
45123 Endpoint configuration unregistered. ...
45124 Endpoint configuration disabled. ...
45125 Endpoint configuration enabled. ...
45126 Out of process runspace started. ...
45127 Parameter splatting was performed during workflow execution. ...
45128 Workflow engine started. ...
45129 Workflow manager instantiated with ...
46337 BEGIN ImportWorkflowCommand::StartWorkflowApplication. Starting invocation of workflow function. Tracking Guid %1
46338 END ImportWorkflowCommand::StartWorkflowApplication. Ending invocation of workflow function. Tracking Guid %1
46339 BEGIN Creating new job in ImportWorkflowCommand::StartWorkflowApplication. Tracking Guid %1
46340 END Creating new job in ImportWorkflowCommand::StartWorkflowApplication. Tracking Guid %1
46341 END Creating new job in ImportWorkflowCommand::StartWorkflowApplication. Tracking Guid %1 : ContainerParentJob...
46342 BEGIN JobLogic ContainerParentJob Guid %1
46343 END JobLogic ContainerParentJob Guid %1
46344 BEGIN WorkflowExecution ContainerParentJob Guid %1
46345 END WorkflowExecution ContainerParentJob Guid %1
46346 WorkflowJob with Guid %1 added to ContainerParentJob with Guid %2
46347 ProxyJob with Guid %1 associated with remote ContainerParentJob with Guid %2
46348 BEGIN Execution of ContainerParentJob with Guid %1
46349 END Execution of ContainerParentJob with Guid %1
46350 BEGIN Execution of Proxy Job with Guid %1
46351 END Execution of Proxy Job with Guid %1
46352 BEGIN StateChanged event handler for Proxy Job with Guid %1
46353 END StateChanged event handler for Proxy Job with Guid %1
46354 BEGIN StateChanged event handler for Proxy Child Job with Guid %1
46355 END StateChanged event handler for Proxy Child Job with Guid %1
46356 BEGIN Running garbage collection
46357 END Running garbage collection
46358 Persistence store has reached its maximum specified size
49152 %1
49153 Trace Information: ...
53249 Scheduled Job %1 started at %2 ...
53250 Scheduled Job %1 completed at %2 with state %3 ...
53251 Scheduled Job Exception %1: ...
53504 Windows PowerShell has started an IPC listening thread on process: %1 in AppDomain: %2.
53505 Windows PowerShell has ended an IPC listening thread on process: %1 in AppDomain: %2.
53506 An error has occurred in Windows PowerShell IPC listening thread on process: %1 in AppDomain: %2. Error Messa...
53507 Windows PowerShell IPC connect on process: %1 in AppDomain: %2 for User: %3.
53508 Windows PowerShell IPC disconnect on process: %1 in AppDomain: %2 for User: %3.
PS C:\Users\Administrator> (Get-WinEvent -ListProvider Microsoft-Windows-PowerShell).Events | Format-Table Id, Description | Measure-Object
Count : 192
Average :
Sum :
Maximum :
Minimum :
Property :
Execute the command from Example 9. Use Microsoft-Windows-PowerShell as the log provider. How many event ids are displayed for this event provider? 192
How do you specify the number of events to display? -MaxEvents
When using the FilterHashtable parameter and filtering by level, what is the value for Informational? 4
XPath Queries
Now we will examine filtering events with XPath.
The W3C created XPath (or XML Path Language). The Windows Event Log supports a subset of XPath 1.0.
Below is an example XPath query along with its explanation:

According to docs.microsoft.com, an XPath event query starts with '*' or 'Event'.
The above screenshot confirms this. But how do we construct the rest of the query? Luckily the Event Viewer can help us with that.
Let's create an XPath query for the same event from the previous section. Note that both wevtutil and Get-WinEvent support XPath queries as event filters.

Direct your attention to the bottom half of the middle pane. In the Event Viewer section, the Details tab was briefly touched on. Now you're going to see how the information in this section can be of use.
Click on the Details tab and select the XML View radio button. Don't worry if the details of the log you are viewing are slightly different. The point is to understand how to use the XML View to construct a valid XPath query.

The first tag is the starting point. This can either be an * or the word Event.
The command so far looks like this: Get-WinEvent -LogName Application -FilterXPath '*'

Now we work our way down the XML tree. The next tag is System.
Let's add that. Now our command is: Get-WinEvent -LogName Application -FilterXPath '*/System/'
Note: It's best practice to explicitly use the keyword System, but you can use an * instead, as with the Event keyword. The query -FilterXPath '*/*' is still valid.
The Event ID is 100. Let's plug that into the command.

Our command now is: Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=100'

Below is a screenshot of using wevtutil.exe and XPath to query for the same event log and ID.

Note: 2 additional parameters were used in the above command. This was done to retrieve just 1 event and for it not to contain any XML tags.
If you want to query on a different element, such as Provider Name, the syntax will be different. To filter on the provider, we need to use the Name attribute of Provider.
The XPath query is:
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"]'

What if you want to combine 2 queries? Is this possible? The answer is yes.
Let's build this query based on the screenshot above. The Provider Name is WLMS, and based on the output, there are 2 Event IDs.
This time we only want to query for events with Event ID 101.
The XPath query would be Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=101 and */System/Provider[@Name="WLMS"]'

Lastly, let's discuss how to create XPath queries for elements within EventData. The query will be slightly different.
Note: The EventData element doesn't always contain information.
Below is the XML View of the event for which we will build our XPath query.

We will build the query for TargetUserName. In this case, that will be System.
The XPath query would be Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="System"'

Note: The -MaxEvents parameter was used, and it was set to 1. This will return just 1 event.
At this point, you have enough knowledge to create XPath queries for wevtutil.exe or Get-WinEvent.
To further this knowledge, I suggest reading the official Microsoft XPath Reference on docs.microsoft.com.
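As an added example (not code from the room), the following PowerShell builds the same '*/System/...' and '*/EventData/...' filters walked through above from values instead of hand-typed strings, and hands them to both Get-WinEvent and wevtutil.exe. It assumes, as the screenshots do, that the Application log holds WLMS events 100 and 101 and that the caller can read the Security log.

```powershell
# Added example: compose Event Log XPath filters in the shape used in this section.
function New-EventXPath {
    <#
      Builds '*/System/<element>=<value>', '*/System/Provider[@Name="..."]' and
      '*/EventData/Data[@Name="..."]="..."' conditions and joins them with 'and'.
      -System   hashtable of System element -> value   (e.g. @{ EventID = 100 })
      -Provider provider name, matched on the Name attribute of Provider
      -Data     hashtable of EventData Data Name -> value (e.g. @{ TargetUserName = 'System' })
    #>
    param(
        [hashtable]$System = @{},
        [string]$Provider,
        [hashtable]$Data = @{}
    )
    $parts = @()
    if ($Provider) {
        $parts += '*/System/Provider[@Name="{0}"]' -f $Provider
    }
    foreach ($key in $System.Keys) {
        $value = $System[$key]
        # Numbers (EventID, Level) compare unquoted; text elements need quotes.
        if ($value -is [int]) {
            $parts += '*/System/{0}={1}' -f $key, $value
        } else {
            $parts += '*/System/{0}="{1}"' -f $key, $value
        }
    }
    foreach ($name in $Data.Keys) {
        $parts += '*/EventData/Data[@Name="{0}"]="{1}"' -f $name, $Data[$name]
    }
    if ($parts.Count -eq 0) { return '*' }   # no condition at all: every event
    return ($parts -join ' and ')
}

# The queries from this section, regenerated from values.
$byId        = New-EventXPath -System @{ EventID = 100 }                  # */System/EventID=100
$byProvider  = New-EventXPath -Provider 'WLMS'                            # */System/Provider[@Name="WLMS"]
$combined    = New-EventXPath -System @{ EventID = 101 } -Provider 'WLMS' # joined with ' and '
$byEventData = New-EventXPath -Data @{ TargetUserName = 'System' }        # */EventData/Data[...]="System"

Get-WinEvent -LogName Application -FilterXPath $combined -MaxEvents 1 |
    Format-List TimeCreated, Id, ProviderName, Message

Get-WinEvent -LogName Security -FilterXPath $byEventData -MaxEvents 1 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message

# Same filter passed to wevtutil.exe: /c:1 returns a single event and /f:text
# drops the XML wrapping (the two extra parameters mentioned in the note above).
# The quote-free EventID query is used here because embedded double quotes are
# awkward to pass to native commands from Windows PowerShell.
wevtutil qe Application "/q:$byId" /c:1 /f:text
```

Get-WinEvent reports "No events were found" as a non-terminating error when a filter matches nothing, which is why the Security query carries -ErrorAction SilentlyContinue.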
Using Get-WinEvent and XPath, what is the query to find WLMS events with a System Time of 2020-12-15T01:09:08.940277500Z?
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@Name="SystemTime"]="2020-12-15T01:09:08.940277500Z"'
Using Get-WinEvent and XPath, what is the query to find a user named Sam with a Logon Event ID of 4720?
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4720'
PS C:\Users\Administrator> Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4720'
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
12/17/2020 1:57:14 PM 4720 Information A user account was created....
12/17/2020 1:56:58 PM 4720 Information A user account was created....
Based on the previous query, how many results are returned? 2
Based on the output from the question #2, what is Message? A user account was created
Still working with Sam as the user, what time was Event ID 4724 recorded? (MM/DD/YYYY H:MM:SS [AM/PM]) 12/17/2020 1:57:14 PM
What is the Provider Name? Microsoft-Windows-Security-Auditing
Event IDs
When it comes to monitoring and hunting, you need to know what you are looking for. There are a large number of event IDs in use. This section aims to assist you with this task. There are plenty of blogs, writeups, etc., on this topic. A few resources will be shared in this section. Please note this is not an exhaustive list.
First on the list is The Windows Logging Cheat Sheet (Windows 7 - Windows 2012). The last version update is October 2016, but it's still a good resource. The document covers a few things that need to be enabled and configured and what event IDs to look for based on different categories, such as Accounts, Processes, Log Clear, etc.

Above is a snippet from the cheat sheet. Want to detect if a new service was installed? Look for Event ID 7045 within the System Log.
Next is Spotting the Adversary with Windows Event Log Monitoring. This NSA resource is a bit outdated as well but good enough to build upon your foundation. The document covers some concepts touched on in this room and beyond. You must click on Get File to download the resource.

Above is a snippet from the document. Maybe you want to monitor if a firewall rule was deleted from the host. That is Event ID 2006/2033.
Where else can we get a list of event IDs to monitor/hunt for? MITRE ATT&CK!
If you are not familiar with MITRE and/or MITRE ATT&CK, I suggest you check out the MITRE Room.
Let's look at ATT&CK ID T1098 (Account Manipulation). Each ATT&CK ID will contain a section sharing tips to mitigate the technique, along with detection tips.

The last 2 resources are from Microsoft:
Events to Monitor (Best Practices for Securing Active Directory)
The Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference (a comprehensive list [over 700 pages])

Note: Some events will not be generated by default, and certain features will need to be enabled/configured on the endpoint, such as PowerShell logging. This feature can be enabled via Group Policy or the Registry.
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell

Some resources to provide more information about enabling this feature, along with its associated event IDs:
About Logging Windows
Greater Visibility Through PowerShell Logging
Configure PowerShell logging to see PowerShell anomalies in Splunk UBA

Another feature to enable/configure is Audit Process Creation, which will generate event ID 4688. This will enable command-line process auditing. This setting is NOT enabled in the virtual machine, but feel free to enable it and observe the events generated after executing some commands.
Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation

To read more about this feature, refer to docs.microsoft.com. The steps to test the configuration are at the bottom of the document.
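As an added example (not part of the room), this script checks whether PowerShell script block logging and command-line process auditing are in place, optionally turns them on from an elevated prompt, and pulls the 4104 and 4688 events they produce with FilterHashtable. The registry locations behind the two Group Policy paths above and the "Process Creation" auditpol subcategory name are taken from Microsoft's documentation, not from the room; the auditpol text match assumes English output.

```powershell
# Added example: inspect and enable the logging features discussed above.
# Run elevated; -Enable writes under HKLM and changes the audit policy.
param([switch]$Enable)

# Policy keys written by the Group Policy settings named above (assumed from
# Microsoft's documentation, not shown in the room).
$ScriptBlockKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$CmdLineKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'

function Get-RegistryFlag {
    param([string]$Path, [string]$Name)
    # A missing key or value means "not configured"; treat that as off.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq 1)
}

function Get-LoggingState {
    # auditpol prints one line per subcategory followed by the configured setting.
    $auditText = (auditpol /get /subcategory:"Process Creation" 2>&1) | Out-String
    [pscustomobject]@{
        ScriptBlockLogging   = Get-RegistryFlag $ScriptBlockKey 'EnableScriptBlockLogging'
        ProcessCreationAudit = $auditText -match 'Process Creation\s+Success'
        CmdLineInEvent4688   = Get-RegistryFlag $CmdLineKey 'ProcessCreationIncludeCmdLine_Enabled'
    }
}

function Enable-Logging {
    # Registry equivalent of the two Group Policy paths quoted above, plus the
    # audit subcategory that actually generates 4688.
    foreach ($key in $ScriptBlockKey, $CmdLineKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $ScriptBlockKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
    Set-ItemProperty -Path $CmdLineKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
    auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
}

function Get-RecentLoggingEvents {
    param([int]$Max = 5)
    # 4104 (script block text) lives in the PowerShell Operational log;
    # 4688 (process creation) lands in Security once auditing is on.
    $scriptBlocks = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $Max -ErrorAction SilentlyContinue
    $processes = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688
    } -MaxEvents $Max -ErrorAction SilentlyContinue
    [pscustomobject]@{ ScriptBlocks = $scriptBlocks; ProcessCreations = $processes }
}

if ($Enable) { Enable-Logging }
Get-LoggingState | Format-List

$events = Get-RecentLoggingEvents
"Most recent 4104 events:"
$events.ScriptBlocks     | Format-Table TimeCreated, Id, LevelDisplayName -AutoSize
"Most recent 4688 events:"
$events.ProcessCreations | Format-Table TimeCreated, Id, LevelDisplayName -AutoSize
```

Until the settings are enabled, both event queries come back empty, which is exactly the coverage gap the note above warns about.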

To conclude this section, we reiterate that this is not an exhaustive list. There are countless blogs, writeups, threat intel reports, etc., on this topic.
To effectively monitor and detect, you need to know what to look for (as mentioned earlier).
I'm ready to look at some event logs... No answer needed
Putting theory into practice
Note: To successfully answer the questions below, you may need to search online for more information.
The next scenarios/questions are based on the external event log file titled merged.evtx found on the Desktop. You can use any of the aforementioned tools to answer the questions below.
Scenario 1 (Questions 1 & 2): The server admins have made numerous complaints to Management regarding PowerShell being blocked in the environment. Management finally approved the usage of PowerShell within the environment. Visibility is now needed to ensure there are no gaps in coverage. You researched this topic: what logs to look at, what event IDs to monitor, etc. You enabled PowerShell logging on a test machine and had a colleague execute various commands.
Scenario 2 (Questions 3 & 4): The Security Team is using Event Logs more. They want to ensure they can monitor if event logs are cleared. You assigned a colleague to execute this action.
Scenario 3 (Questions 5, 6 & 7): The threat intel team shared its research on Emotet. They advised searching for event ID 4104 and the text "ScriptBlockText" within the EventData element. Find the encoded PowerShell payload.
Scenario 4 (Questions 8 & 9): A report came in that an intern was suspected of running unusual commands on her machine, such as enumerating members of the Administrators group. A senior analyst suggested searching for "C:\Windows\System32\net1.exe". Confirm the suspicion.
What event ID is used to detect a PowerShell downgrade attack? (https://www.leeholmes.com/detecting-and-preventing-powershell-downgrade-attacks/) 400
PS C:\Users\Administrator> Get-WinEvent -Path C:\Users\Administrator\Desktop\merged.evtx -FilterXPath '*/System/EventID=400'
ProviderName: PowerShell
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
12/18/2020 7:50:33 AM 400 Information Engine state is changed from None to Available. ...
12/18/2020 7:48:45 AM 400 Information Engine state is changed from None to Available. ...
12/18/2020 7:48:45 AM 400 Information Engine state is changed from None to Available. ...
12/18/2020 7:48:43 AM 400 Information Engine state is changed from None to Available. ...
12/18/2020 7:48:42 AM 400 Information Engine state is changed from None to Available. ...
12/18/2020 7:43:49 AM 400 Information Engine state is changed from None to Available. ...
12/18/2020 7:43:28 AM 400 Information Engine state is changed from None to Available. ...
12/18/2020 7:43:28 AM 400 Information Engine state is changed from None to Available. ...
12/18/2020 7:42:45 AM 400 Information Engine state is changed from None to Available. ...
12/18/2020 7:42:45 AM 400 Information Engine state is changed from None to Available. ...
12/18/2020 7:42:29 AM 400 Information Engine state is changed from None to Available. ...
12/18/2020 7:42:29 AM 400 Information Engine state is changed from None to Available. ...
12/17/2020 2:02:34 PM 400 Information Engine state is changed from None to Available. ...
12/17/2020 12:21:17 PM 400 Information Engine state is changed from None to Available. ...
12/17/2020 12:20:57 PM 400 Information Engine state is changed from None to Available. ...
12/16/2020 4:46:39 PM 400 Information Engine state is changed from None to Available. ...
12/16/2020 8:01:00 AM 400 Information Engine state is changed from None to Available. ...
12/16/2020 8:01:00 AM 400 Information Engine state is changed from None to Available. ...
12/16/2020 8:01:00 AM 400 Information Engine state is changed from None to Available. ...
12/16/2020 8:00:41 AM 400 Information Engine state is changed from None to Available. ...
12/16/2020 7:40:39 AM 400 Information Engine state is changed from None to Available. ...
12/16/2020 7:40:30 AM 400 Information Engine state is changed from None to Available. ...
12/16/2020 7:40:29 AM 400 Information Engine state is changed from None to Available. ...
12/16/2020 7:30:43 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:47:02 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:46:51 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:41:51 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:41:42 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:41:35 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:41:14 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:27:20 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:27:20 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:27:20 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:27:20 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:27:20 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:27:20 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:27:20 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:27:15 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:26:55 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:26:11 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:26:01 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:25:09 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 8:24:47 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 7:52:43 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 7:52:43 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 7:52:43 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 7:52:43 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 7:52:43 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 7:52:38 AM 400 Information Engine state is changed from None to Available. ...
12/15/2020 7:52:36 AM 400 Information Engine state is changed from None to Available. ...
What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM]) 12/18/2020 7:50:33 AM
A Log clear event was recorded. What is the 'Event Record ID'? (104) 27736
What is the name of the computer? PC01.example.corp
![[Pasted image 20220904223332.png]]
What is the name of the first variable within the PowerShell command? $Va5w3n8
![[Pasted image 20220904224923.png]]
What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM]) 8/25/2020 10:09:28 PM
PS C:\Users\Administrator> Get-WinEvent -Path C:\Users\Administrator\Desktop\merged.evtx -FilterXPath "*/System/EventID=4104 and */EventData/Data[@Name='scriptblocktext']"
ProviderName: Microsoft-Windows-PowerShell
12/15/2020 7:52:38 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:38 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:38 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:36 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:36 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:36 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:36 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:35 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:35 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:35 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:35 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:35 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:35 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:35 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:35 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:34 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:34 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:34 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:34 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:34 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:34 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:34 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:31 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:17 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:17 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:17 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:17 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:17 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:17 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:17 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:17 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:17 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:52:17 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:49:46 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:49:46 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/15/2020 7:49:43 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:40 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:40 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:33 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:32 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:31 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:30 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:22 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:22 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:06 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:20:06 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 6:19:55 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 4:33:46 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 4:33:46 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 3:43:18 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 3:43:18 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 3:43:09 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 3:43:09 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 3:37:50 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 3:37:49 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 3:37:40 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 3:37:39 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 3:37:26 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 3:37:25 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/14/2020 3:37:24 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/13/2020 12:50:05 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/13/2020 12:50:05 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/13/2020 12:50:05 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/13/2020 12:50:05 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/13/2020 12:50:05 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/13/2020 12:50:05 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/13/2020 12:50:05 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/13/2020 12:50:05 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/13/2020 12:50:05 AM 4104 Warning Creating Scriptblock text (1 of 1):...
12/13/2020 12:49:25 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/13/2020 12:49:25 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/13/2020 12:49:25 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/13/2020 12:49:25 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
12/13/2020 12:49:25 AM 4104 Verbose Creating Scriptblock text (1 of 1):...
8/25/2020 10:09:28 PM 4104 Verbose Creating Scriptblock text (1 of 1):...
What is the Execution Process ID? (Check XML View) 6620
What is the Group Security ID of the group she enumerated? (https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799)(https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4799) ![[Pasted image 20220904230446.png]]
- S-1-5-32-544 *
What is the event ID? 4799
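The two questions above both come down to reading fields that only show up in the XML view of an event: the Execution ProcessID lives under `System/Execution` and the group SID of a 4799 event is the `TargetSid` value under `EventData`. The following PowerShell is an added example, not the room's own code, showing how to pull those fields out programmatically with `Get-WinEvent` and `.ToXml()` instead of clicking through Event Viewer. It assumes script block logging (4104) is enabled and that the account running it can read the Security log; the `Get-EventXmlFields` helper name is my own.

```powershell
# Added example: read the "XML View" fields of an event from PowerShell.
# Assumes 4104 logging is enabled and the caller can read the Security log.
function Get-EventXmlFields {
    param(
        [Parameter(Mandatory)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event
    )
    # ToXml() returns the same XML that Event Viewer's "XML View" tab shows.
    $xml = [xml]$Event.ToXml()

    # EventData/Data elements carry a Name attribute; flatten them to a hashtable.
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }

    [pscustomobject]@{
        TimeCreated        = $Event.TimeCreated
        EventId            = $Event.Id
        # System/Execution carries the PID and TID of the process that logged the event.
        ExecutionProcessId = [int]$xml.Event.System.Execution.ProcessID
        ExecutionThreadId  = [int]$xml.Event.System.Execution.ThreadID
        Data               = $data
    }
}

# 4104 = script block logging. Many records sharing one ExecutionProcessId
# belong to the same PowerShell session, so grouping on it reconstructs sessions.
$scriptBlocks = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventXmlFields $_ }

$scriptBlocks |
    Group-Object ExecutionProcessId |
    Select-Object @{n='ProcessId';e={$_.Name}}, Count,
                  @{n='FirstSeen';e={($_.Group.TimeCreated | Measure-Object -Minimum).Minimum}},
                  @{n='LastSeen'; e={($_.Group.TimeCreated | Measure-Object -Maximum).Maximum}} |
    Sort-Object FirstSeen

# Show the decoded script text for one session (replace 6620 with a PID from the table above).
$scriptBlocks |
    Where-Object ExecutionProcessId -eq 6620 |
    Select-Object TimeCreated, @{n='ScriptBlockText';e={$_.Data['ScriptBlockText']}}

# 4799 = "A security-enabled local group membership was enumerated".
# TargetSid is the SID of the group that was enumerated; S-1-5-32-544 is BUILTIN\Administrators.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4799 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventXmlFields $_ } |
    Select-Object TimeCreated,
                  @{n='User';     e={$_.Data['SubjectUserName']}},
                  @{n='Group';    e={$_.Data['TargetUserName']}},
                  @{n='GroupSid'; e={$_.Data['TargetSid']}},
                  @{n='Caller';   e={$_.Data['CallerProcessName']}}
```

The `ProcessID` in the `Execution` element is the PID of the process that emitted the event, which is why grouping 4104 records on it gives you one row per PowerShell session; it is not the PID of any process the script itself launched. For 4799, the caller process name and subject user are the fields worth alerting on when the enumeration comes from something other than your management tooling.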
Conclusion
In this room, we covered Windows Event Logs, what they are, and how to query them using various tools and techniques.
We also briefly discussed various features within Windows that you need to enable/configure to log additional events to gain visibility into those processes/features that are turned off by default.
The information covered in this room will serve as a primer for future planned rooms covering Windows Internals, Sysmon, and various SIEM tools.
I'll end this room by providing additional reading material:
- EVTX Attack Samples (a few were used in this room)
- PowerShell <3 the Blue Team
- Tampering with Windows Event Tracing: Background, Offense, and Defense
Hope you enjoyed this room and learned a thing or two. No answer needed
[[Sysinternals]]