
EventRecordID: A Hidden XML Tag

Event Record ID is a hidden field in Windows Event Logs that further enriches the information each log record carries.

The Event Record ID

The Event Record ID should not be confused with the Event ID. Event IDs are the identifying numbers that we talk about on W2L; they categorize each log by the kind of event that occurred. The Event Record ID is a sequential number assigned to each record to keep track of the order in which records were written, and it is applied to every record the Windows Event Log service writes. The count starts at 1 and increases by one for each new record, and it is tracked separately in each log channel (each .evtx file). This means that the System log and the Security log may both contain a record with Event Record ID 5, but they will be different events. Because the counter only ever moves forward, the lowest ID in a channel will not be 1 once the log has overwritten its oldest records, but the IDs that remain should still run with no gaps.

Why use it?

Event Record IDs can serve as a backup identifier for establishing the true order of events. In cases where the dates or times of records have been changed, the record IDs still show the order in which the records were written, because the ID is assigned when the record is appended to the log. This is particularly helpful for event correlation, as you can put events in sequence even if their timestamps cannot be trusted. The same property helps detect removal: within one channel the IDs are contiguous, so a missing number in an unfiltered export means a record is gone. It is only a backup, though: an attacker who can rewrite the .evtx file can renumber records just as easily as change timestamps, so treat disagreement between record order and timestamp order as a lead, not proof.
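As an added example (not code from the original post), the following PowerShell function applies the two checks described above to a set of records: it orders them by RecordId rather than by timestamp, reports gaps in the counter, and reports any record whose timestamp is earlier than the record written before it. The sample data is constructed for the demonstration; the commented line at the end shows feeding it the output of Get-WinEvent, which exposes the record ID as the RecordId property. It assumes Windows PowerShell 5.1 or pwsh.

```powershell
# Added example, not from the original post. Sort by EventRecordID and flag
# gaps and timestamp/sequence disagreement. Assumes PowerShell 5.1+ / pwsh.
function Test-RecordSequence {
    param(
        # Objects with RecordId and TimeCreated properties, e.g. Get-WinEvent output
        [Parameter(Mandatory)] [object[]] $Events
    )
    # Write order is the record ID order, regardless of what the timestamps say
    $sorted = @($Events | Sort-Object RecordId)
    $findings = @()
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $prev = $sorted[$i - 1]
        $cur  = $sorted[$i]
        # Gap in the counter: records were written here but are no longer present.
        # Only meaningful on an unfiltered query of a single channel.
        if ($cur.RecordId -ne ($prev.RecordId + 1)) {
            $findings += [pscustomobject]@{
                RecordId = $cur.RecordId
                Issue    = "gap: $($cur.RecordId - $prev.RecordId - 1) record(s) missing before this one"
            }
        }
        # A later record with an earlier timestamp: clock change or edited time field
        if ($cur.TimeCreated -lt $prev.TimeCreated) {
            $findings += [pscustomobject]@{
                RecordId = $cur.RecordId
                Issue    = "timestamp $($cur.TimeCreated.ToString('o')) precedes record $($prev.RecordId)"
            }
        }
    }
    return $findings
}

# Constructed sample (not real log data): record 42 is missing, and record 44
# carries a timestamp earlier than record 43.
$base = Get-Date '2024-01-01T10:00:00Z'
$sample = @(
    [pscustomobject]@{ RecordId = 40; TimeCreated = $base.AddSeconds(0) }
    [pscustomobject]@{ RecordId = 41; TimeCreated = $base.AddSeconds(5) }
    [pscustomobject]@{ RecordId = 43; TimeCreated = $base.AddSeconds(20) }
    [pscustomobject]@{ RecordId = 44; TimeCreated = $base.AddSeconds(12) }
)
Test-RecordSequence -Events $sample | Format-Table -AutoSize

# Against a live channel (run elevated for Security), unfiltered so gaps are real:
# Test-RecordSequence -Events (Get-WinEvent -LogName System -MaxEvents 500)
```

Get-WinEvent returns newest records first, which is why the function sorts by RecordId itself rather than trusting the input order. Do not run the gap check over a query that filters by event ID, since a filtered result set has gaps by construction.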

Hidden Information

I mentioned earlier that this is a hidden feature of the event log. When looking at each event, I expected to see this number readily displayed, but it wasn't. Even the Details tab (in "Friendly View") does not show it. It is only in XML View that the EventRecordID tag appears, inside the System element alongside TimeCreated and Correlation. The same is true when viewing the log on the command line with wevtutil: with the "/f:text" option the field is not shown, but with that option removed wevtutil emits the raw XML (its default format), and the event record ID is there, although it is harder to spot because the output is an unformatted block of text rather than the indented view Event Viewer gives you. PowerShell's Get-WinEvent is the exception: it surfaces the value directly as the RecordId property of each record. I can't help but wonder why this tag is not shown natively, as it can be helpful, especially as a backup.
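As an added example (not code from the original post), this PowerShell function pulls the System-section fields that Friendly View hides, including EventRecordID and the Correlation ActivityID mentioned in the conclusion, out of raw event XML of the kind wevtutil or Get-WinEvent's ToXml() returns. The event XML below is constructed for the demonstration (the ActivityID and computer name are placeholders, not real values); the commented lines show where real XML comes from. It assumes Windows PowerShell 5.1 or pwsh.

```powershell
# Added example, not from the original post. Extract hidden System-section
# fields from raw Windows event XML. Assumes PowerShell 5.1+ / pwsh.
function Get-HiddenEventFields {
    param([Parameter(Mandatory)] [string] $EventXml)
    $doc = [xml]$EventXml
    # Every element of an event lives in this namespace; XPath needs a prefix for it
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $sys = $doc.SelectSingleNode('/e:Event/e:System', $ns)
    # Correlation is present on most modern events but its attributes may be empty
    $corr = $sys.SelectSingleNode('e:Correlation', $ns)
    $activity = if ($corr) { $corr.GetAttribute('ActivityID') } else { '' }
    [pscustomobject]@{
        Channel       = $sys.SelectSingleNode('e:Channel', $ns).InnerText
        EventID       = [int]$sys.SelectSingleNode('e:EventID', $ns).InnerText
        EventRecordID = [long]$sys.SelectSingleNode('e:EventRecordID', $ns).InnerText
        TimeCreated   = [datetime]$sys.SelectSingleNode('e:TimeCreated', $ns).GetAttribute('SystemTime')
        ActivityID    = $activity
    }
}

# Constructed sample event (placeholder values, not a real record)
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2024-01-01T10:00:00.0000000Z"/>
    <EventRecordID>123456</EventRecordID>
    <Correlation ActivityID="{11111111-2222-3333-4444-555555555555}"/>
    <Execution ProcessID="720" ThreadID="1234"/>
    <Channel>Security</Channel>
    <Computer>host.example.local</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>
'@

Get-HiddenEventFields -EventXml $sampleXml

# Real XML for the same function comes from either of these:
#   (Get-WinEvent -LogName System -MaxEvents 1).ToXml()
#   wevtutil qe System /c:1 /f:xml
```

Note that wevtutil emits one Event element after another with no enclosing root, so when parsing its output for more than one record, split it into individual Event elements (or wrap it in a root element) before casting to [xml].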

In Conclusion

I think this tag stands to show that there is a wealth of further information that we can garner from event logs if we look at them a bit deeper. For example, in the screenshot above, there is a Correlation Activity ID. This is another piece of information that is hidden in the log XML data but could serve to guide an audit or investigation. I also think this shows how cool logs are: they are often generated so fast, yet hold so much information and can be so incredibly helpful, and there's sometimes more information than meets the eye.