Friday, May 4, 2007


While coding an event log dumper for Windows systems. I stumbled upon a something that was, I thought, of interest to forensic examiners. I found a new (and apparently undocumented) event log - %windir%\system32\config\Internet.evt.

According to this post, and this one as well, the file shows up when Internet Explorer 7 is installed. This coorelates with the computers that I have available (that is computers with IE7 have the file, and those with IE6 do not), though I have not yet tested this to determine that this is in fact the case.

I haven't spent a lot of time looking at the structure of .evt files generally, but in my experience, they are generally readable with a hexeditor, but this is not so with the internet.evt. The windows event viewer, when opened shows this file as Internet Explorer, but it appears empty. When I turned the log viewer I was coding towards the file, however; it had some interesting artifacts.

Most notably, software installations were logged. Including (I think) software installations that were performed using Firefox. This could be very relevant when investigating intrusions where a web browser is used to download and install tools, but obviously some more testing needs to be done.

I'll post what I find in a follow-up, but to summarize:

I know Internet.evt:
  1. exists on XP with IE7 installed.
  2. does not appear to exist with pervious versions of IE.
  3. resides in the %windir%\system32\config
  4. is not visable to the windows event viewer in XP home (tested on 1 box).
I suspect the file:
  1. is created when IE7 is installed.
  2. has a file structure that differs from standard event logs.
  3. also logs internet related software installations from other browsers.
To do:
  1. test suspicions
  2. figure out what types of data are stored in the file.
  3. determine what registry entries (if any) are associated with the file.
If anyone knows anything more about this, I'd be interested in hearing from you. I couldn't find any reference on Microsoft's Technet but, we all know the schitzophrenic nature of Technet, so there might be some reference somewhere. . .


Keydet89 said...

This event log *is* created when IE7 is installed.

Bill said...

Thanks Harlan.

Andreas said...

Bill, could you please post an hexdump of the first 0x30 bytes and the registry below "HKLM\System\CurrentControlSet\Eventlog\Internet Explorer".

On my system IE7 failed to configure the log properly, resulting in a similiar effect. I can see the log in event viewer, but there's no data. Well no wonder, the event sources and file name are missing :)

Keydet89 said...

"HKLM\System\CurrentControlSet\Eventlog\Internet Explorer".

My settings are in a different location...

HKLM\System\CurrentControlSet\Services\EventLog\Internet Explorer

For me, that key only has one source (ie, "Internet Explorer") and no other entries...probably because I haven't actually used IE7 to any extent yet.

Andreas said...

Oops, typo. Harlan, you're right, I missed the "services".

Yes, there's a single source named "Internet Explorer". But again it's unconfigured. For example there's no EventMesssageFile defined.

Ryan said...

do you have the log reader available that you were coding which was able to read the internet.evt file?

Anonymous said...

The said file also appears to be in my D: drive...