Audit Your Windows Event Logs For DCOM Hardening Errors
The Windows event log contains a large amount of data about the computer, ranging from login data to errors generated on the computer. By default, Lansweeper scans all the error events generated by the Windows computer. Additionally, you can enable scanning of other event log information. These errors can be used to both discover and resolve issues on your computers, preventing downtime.
With Microsoft forcing DCOM hardening soon, it is important to ensure that all devices, services, and applications using DCOM will continue to work without issue. Using the Windows error events 10036, 10037 and 10038, problems can be identified before DCOM hardening is enforced. The audit below provides an overview of all instances of event IDs 10036, 10037 and 10038 in the last 7 days. Read more about the DCOM hardening changes and the effect they can have on your IT environment in our DCOM Hardening pro tips blog post.
DCOM Hardening Error Events in the last 7 days Query
Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.IPAddress,
tsysOS.OSname As OS,
tblAssets.Lastseen,
tblNtlog.TimeGenerated,
tblNtlog.Eventcode,
tblNtlogSource.Sourcename,
tblNtlogMessage.Message
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblState On tblState.State = tblAssetCustom.State
Inner Join tblNtlog On tblNtlog.AssetID = tblAssets.AssetID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogUser On tblNtlogUser.LoguserID = tblNtlog.LoguserID
Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tblNtlog.TimeGenerated > GetDate() - 7 And (tblNtlog.Eventcode = 10036 Or
tblNtlog.Eventcode = 10037 Or tblNtlog.Eventcode = 10038 Or
tblNtlog.Eventcode = 10028) And Case tblNtlog.Eventtype
When 1 Then 'Error'
When 2 Then 'Warning'
When 3 Then 'Information'
When 4 Then 'Security Audit Success'
When 5 Then 'Security Audit Failure'
End = 'Error' And tblState.Statename = 'Active'
Order By tblNtlog.TimeGenerated Desc,
tblAssets.Domain
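
To triage the audit results, the events can be rolled up per asset and event ID so the noisiest machines surface first. The query below is an added example, not Lansweeper's own report; it uses only tables and columns that appear in the query above, is limited to the three event IDs named in the text, and the EventCount, FirstSeen and LastSeen column aliases are assumptions.

```sql
-- Added example: per-asset rollup of DCOM hardening error events (last 7 days).
-- One row per asset and event ID, with how often it fired and when.
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.IPAddress,
  tblNtlog.Eventcode,
  Count(*) As EventCount,                      -- assumed alias
  Min(tblNtlog.TimeGenerated) As FirstSeen,    -- assumed alias
  Max(tblNtlog.TimeGenerated) As LastSeen      -- assumed alias
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Inner Join tblNtlog On tblNtlog.AssetID = tblAssets.AssetID
Where tblNtlog.TimeGenerated > GetDate() - 7
  And tblNtlog.Eventcode In (10036, 10037, 10038)
  And tblNtlog.Eventtype = 1                   -- 1 = 'Error' in the Case mapping above
  And tblState.Statename = 'Active'
Group By tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.IPAddress,
  tblNtlog.Eventcode
Order By EventCount Desc,
  LastSeen Desc
```

Assets at the top of this list with a recent LastSeen are still generating the events and are the first candidates to fix before enforcement.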