(for Windows NT 4.0 / 2000)
WinZapper lets you erase event records selectively from the Security Log in Windows NT 4.0 and Windows 2000.
Download the zip file and extract the files in it. Run winzapper.exe and mark the event records to be deleted, then press "Delete events and Exit". Next, reboot Windows to re-enable the event logging system. (You can't use the Event Viewer again before rebooting.)
There is a small risk that this program corrupts the event logs so that they must be cleared completely.
Q: How do I select more than one event record?
A: To select a number of event records in a row, click on the first event record's type and then press Shift. Keep holding Shift down and click on the last event record's type. To mark many event records that are separate, click on the first one and press Ctrl. Keep holding Ctrl down and click on the other records one by one.
Q: Can WinZapper be used remotely?
A: No, except if you are able to log on to the target system with, for example, PCAnywhere or Terminal Server Client. It would be trivial to divide WinZapper into two parts, a server part to be run on the target system, and a client part to be run on the attacker's system. However I have decided not to do so and instead left that as an exercise for all the script kiddiez out there. ;-)
Q: What kind of account do I need to run WinZapper?
A: You need an account in the Administrators group.
Q: Why can't I delete without exiting?
A: Because I'm too lazy to write that code.
Q: I can't access the event logs from the Event Viewer after running WinZapper. What's wrong?
A: Most likely you forgot to reboot the system when you were done.
Q: When I click "Delete events and Exit" the CPU load rises to 100% for several seconds, or even minutes. Why?
A: This can happen if you choose to delete a large/very large number of event records. The load comes from rearranging a large number of event records (the process of doing this is far from optimized in this version of WinZapper).
Q: When I start WinZapper it seems like nothing happens. What's the problem?
A: Either there is a very large number of event records so it will take a long time to load them all, or the log is empty to begin with. Or, there is a bug in WinZapper...
Q: After running WinZapper and rebooting the system, the Event Viewer tells me that the event logs are corrupted. Why, and what do I do now?
A: This can happen in a few cases. First of all, WinZapper is only a "proof of concept" tool; it is not intended to be perfect in any way. Second, because of the way it accesses the event logs it may interrupt the ordinary event logging system in the middle of writing to the event logs, thereby corrupting the log files. If this happens, just ask the Event Viewer to clear the logs for you, and start over again. It will not crash your entire system.
Q: What is the "dummy.dat" file that WinZapper leaves behind?
A: It's a backup of the old security log file. Script kiddie notice: see, this is why you need to read all the FAQs before running all those kewl t00lz out there. ;-)
Q: Is it possible to add your own "made up" event records to the log?
A: Yes, that's possible, but I haven't added that feature because I think it's too nasty. ;-) You could insert completely "made up" records anywhere in the log.
Q: What's the lesson to be learned from all this?
A: That after an Administrators account compromise you can't trust the event logs. Not at all. And it's no longer only theory!
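The FAQ entries above describe three things a defender can look for after the fact: records removed from the Security Log, a log that ends up cleared (Event ID 517, "The audit log was cleared", on NT 4.0 / 2000), and a local copy that no longer matches a copy forwarded elsewhere. The following is an added example, not part of WinZapper or this README: an offline checker that walks the fixed part of the EVENTLOGRECORD structure used by .evt files, reports gaps in the record-number sequence, flags 517 events, and reconciles the local record numbers against an off-host copy. The record layout is the documented Win32 EVENTLOGRECORD; the sample log bytes are constructed here with `make_record` and the gap/clear patterns are assumptions for illustration, not a description of what any specific tool leaves behind.

```python
"""Offline tamper check for Windows NT 4.0 / 2000 .evt Security Logs (added example)."""
import struct

# Fixed 56-byte part of the Win32 EVENTLOGRECORD structure, little-endian:
# Length, Reserved("LfLe"), RecordNumber, TimeGenerated, TimeWritten, EventID,
# EventType, NumStrings, EventCategory, ReservedFlags,
# ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset
_HDR = struct.Struct("<IIIIIIHHHHIIIIII")
_SIG = 0x654C664C                # "LfLe" read as a little-endian DWORD
EVENT_AUDIT_LOG_CLEARED = 517    # NT 4.0 / 2000: "The audit log was cleared"
EVENT_LOGON_SUCCESS = 528        # NT 4.0 / 2000: successful logon (used for sample data)


def make_record(record_number, event_id, time_generated, source="Security", computer="HOST1"):
    """Build one synthetic EVENTLOGRECORD. Constructed test data, not a real log."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    body = names
    # The record is padded to an 8-byte boundary before the trailing copy of Length.
    total = _HDR.size + len(body) + 4
    body += b"\0" * ((-total) % 8)
    length = _HDR.size + len(body) + 4
    hdr = _HDR.pack(length, _SIG, record_number, time_generated, time_generated,
                    event_id, 8, 0, 0, 0,            # EventType 8 = EVENTLOG_AUDIT_SUCCESS
                    0, _HDR.size + len(names), 0, 0, 0, 0)
    return hdr + body + struct.pack("<I", length)


def iter_records(data):
    """Yield (record_number, event_id, time_generated) for each well-formed record.

    Scans on DWORD boundaries, so the 48-byte file header and the EOF record are
    skipped automatically (they fail the length or signature checks). Wrapped
    (circular) logs are not reassembled; this is a linear walk only.
    """
    pos = 0
    while pos + _HDR.size <= len(data):
        fields = _HDR.unpack_from(data, pos)
        length, sig = fields[0], fields[1]
        if sig != _SIG or length < _HDR.size + 4 or pos + length > len(data):
            pos += 4
            continue
        tail = struct.unpack_from("<I", data, pos + length - 4)[0]
        if tail != length:          # leading and trailing Length must agree
            pos += 4
            continue
        yield fields[2], fields[5] & 0xFFFF, fields[3]
        pos += length


def find_gaps(record_numbers):
    """Record numbers missing from an otherwise consecutive sequence."""
    nums = sorted(record_numbers)
    missing = []
    for a, b in zip(nums, nums[1:]):
        missing.extend(range(a + 1, b))
    return missing


def missing_from_local(local_numbers, forwarded_numbers):
    """Records present in an off-host (forwarded) copy but absent from the local log."""
    return sorted(set(forwarded_numbers) - set(local_numbers))


def audit(data, forwarded_numbers=()):
    """Summarise gaps, clear events and disagreement with a forwarded copy."""
    recs = list(iter_records(data))
    nums = [r[0] for r in recs]
    return {
        "records": len(recs),
        "missing": find_gaps(nums),
        "clears": [r[0] for r in recs if r[1] == EVENT_AUDIT_LOG_CLEARED],
        "not_in_local": missing_from_local(nums, forwarded_numbers),
    }


# Constructed sample: records 3 and 4 are absent, and record 7 is a 517 clear event.
_T0 = 946684800  # 2000-01-01 00:00:00 UTC
SAMPLE_LOG = b"".join(make_record(n, EVENT_LOGON_SUCCESS, _T0 + 60 * n) for n in (1, 2, 5, 6))
SAMPLE_LOG += make_record(7, EVENT_AUDIT_LOG_CLEARED, _T0 + 60 * 7)
# Constructed off-host copy that still holds records 1 through 6.
FORWARDED_COPY = [1, 2, 3, 4, 5, 6]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, FORWARDED_COPY))
```

The check only tells you that the local log disagrees with itself or with a copy held elsewhere; it cannot reconstruct what was removed. That is the operational consequence of the point above: a Security Log that has only ever lived on the compromised host has no independent reference to be reconciled against, so forwarding records off-host as they are written is what makes this kind of comparison possible.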
Q: I have a question that is not covered here. Where can I get help?
A: Send me your question. I can't promise that I will have time to answer, but I'll do my best.