Enable These Windows Logs Right Now to Detect Hidden Cyber Attacks

How to Enable Every Important Windows Log Using Event Viewer: Full SOC Analyst Guide + Log Locations Cheat Sheet

Most cyberattacks do not start with ransomware.

They start quietly.

A suspicious PowerShell command. A failed login attempt at 3:17 AM. A hidden scheduled task. A malicious USB device. An attacker using Remote Desktop Protocol (RDP) from another country.

In real-world incident response cases, one of the biggest problems SOC analysts face is this:

The required Windows logs were never enabled.

That means investigators cannot trace lateral movement, malware execution, credential theft, persistence mechanisms, or privilege escalation activities. Attackers know this. Many modern threat actors specifically target organizations with weak Windows logging configurations because they understand that “no logs” often means “no evidence.”

Whether you are a SOC analyst, ethical hacker, DFIR investigator, Windows administrator, or cybersecurity student, properly enabling Windows Event Logs is one of the most important defensive steps you can take.

This guide explains how to enable every important Windows security log using Event Viewer, Group Policy, and Audit Policies. You will also get a practical Windows log locations cheat sheet used in real enterprise environments.

Why Windows Logs Matter in Cybersecurity?

Windows Event Logs are the digital fingerprints of everything happening inside a system.

Every login, failed authentication, PowerShell execution, service creation, malware detection, USB insertion, scheduled task creation, and privilege escalation leaves traces behind.

Attackers rely on organizations ignoring these logs.

During real-world ransomware investigations, analysts commonly discover:

  • PowerShell malware executed without logging enabled
  • RDP brute force attempts never monitored
  • Suspicious service creation events ignored
  • Credential dumping activities not captured
  • Windows Defender logs disabled
  • Firewall logs never configured

Without logs, detection becomes guesswork.

With proper logging enabled, defenders can:

  • Detect lateral movement
  • Identify insider threats
  • Track malware execution
  • Investigate ransomware attacks
  • Detect persistence mechanisms
  • Monitor suspicious PowerShell activity
  • Analyze failed login attempts
  • Build SIEM detections

What is Windows Event Viewer?

Windows Event Viewer is a built-in Microsoft management console used to view system-generated logs.

It records events from:

  • Windows Security
  • Applications
  • System services
  • PowerShell
  • Microsoft Defender
  • Task Scheduler
  • Windows Firewall
  • Remote Desktop Services
  • Sysmon

To open Event Viewer:

eventvwr.msc

What it does:
Launches the Windows Event Viewer console.

When to use it:
During threat hunting, malware analysis, log investigation, or Windows troubleshooting.

Expected output:
A console containing multiple Windows log categories and event records.

Important Windows Log Categories

Log Type              Purpose
Security Logs         Authentication, logins, privilege usage
System Logs           Driver, service, and OS activity
Application Logs      Software crashes and application events
PowerShell Logs       Script execution and command activity
Sysmon Logs           Advanced endpoint telemetry
Defender Logs         Malware detection activity
Firewall Logs         Inbound and outbound traffic events
Task Scheduler Logs   Persistence and scheduled task abuse
RDP Logs              Remote desktop activity

How to Enable Security Logs?

Security logs are critical for monitoring:

  • Successful logins
  • Failed login attempts
  • Privilege escalation
  • Account lockouts
  • Credential abuse

Step 1: Open Local Security Policy

secpol.msc

What it does:
Opens Local Security Policy.

When to use it:
To configure Windows auditing policies.

Expected output:
Local Security Policy management console.

Step 2: Navigate to Audit Policies

Go to:

Security Settings → Advanced Audit Policy Configuration → Audit Policies

Enable These Critical Audit Policies

Audit Policy          Recommended Setting
Logon                 Success + Failure
Account Lockout       Success
Process Creation      Success
Privilege Use         Success + Failure
Policy Change         Success + Failure
Account Management    Success + Failure
Object Access         Success + Failure
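The same settings applied from an elevated PowerShell prompt with auditpol.exe, as an added example that is not part of the original article. It uses the auditpol subcategory names that sit under the table's categories (for example "Sensitive Privilege Use" under Privilege Use) and also switches on command-line capture for event 4688, since process creation auditing is of limited use without it.

```powershell
# Added example (not from the article): apply the audit settings from the table
# above with auditpol.exe and read the effective policy back. Run elevated.
$auditSettings = @(
    @{ Subcategory = 'Logon';                   Success = 'enable'; Failure = 'enable'  }
    @{ Subcategory = 'Account Lockout';         Success = 'enable'; Failure = 'disable' }
    @{ Subcategory = 'Process Creation';        Success = 'enable'; Failure = 'disable' }
    @{ Subcategory = 'Sensitive Privilege Use'; Success = 'enable'; Failure = 'enable'  }
    @{ Subcategory = 'Audit Policy Change';     Success = 'enable'; Failure = 'enable'  }
    @{ Subcategory = 'User Account Management'; Success = 'enable'; Failure = 'enable'  }
    @{ Subcategory = 'File System';             Success = 'enable'; Failure = 'enable'  }
)

foreach ($s in $auditSettings) {
    # auditpol /set takes the subcategory name plus /success and /failure set to enable|disable
    $argList = @('/set', "/subcategory:$($s.Subcategory)", "/success:$($s.Success)", "/failure:$($s.Failure)")
    & auditpol.exe @argList | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$($s.Subcategory)'" }
}

# Event 4688 only carries the process command line when this value is set. It is
# the registry side of the policy "Include command line in process creation events"
# (Administrative Templates > System > Audit Process Creation).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
New-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -PropertyType DWord -Force | Out-Null

# Verify: "auditpol /get ... /r" prints CSV, so the effective setting can be read back as objects
function Get-EffectiveAuditPolicy {
    param([string[]]$Subcategories)
    foreach ($name in $Subcategories) {
        & auditpol.exe /get /subcategory:"$name" /r |
            Where-Object { $_ -match '\S' } |
            ConvertFrom-Csv |
            Select-Object Subcategory, 'Inclusion Setting'
    }
}
Get-EffectiveAuditPolicy -Subcategories ($auditSettings | ForEach-Object { $_.Subcategory }) | Format-Table -AutoSize
```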

How to Enable PowerShell Logging?

Modern attackers love PowerShell because it allows fileless malware execution.

Threat actors use PowerShell for:

  • Credential dumping
  • Payload downloads
  • Lateral movement
  • Persistence
  • Defense evasion

Without PowerShell logging enabled, attackers can execute malicious commands silently.

Enable PowerShell Script Block Logging

Open Group Policy Editor:

gpedit.msc

Navigate to:

Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell

Enable:

  • Turn on PowerShell Script Block Logging
  • Turn on Module Logging
  • Turn on PowerShell Transcription

Important PowerShell Event IDs

Event ID   Description
4104       Script block logging
4103       Module logging
600        PowerShell engine startup
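The three Group Policy settings above can also be applied by writing the registry values the policy creates, which is handy on machines that are not domain-joined. The following is an added example, not code from the article; the transcript directory C:\PSTranscripts is an assumption, and a new PowerShell session is needed before 4104 events appear.

```powershell
# Added example (not from the article): enable Script Block Logging, Module
# Logging and Transcription through their policy registry keys, then read
# back recent 4104 events to confirm logging works. Run elevated.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Turn on PowerShell Script Block Logging (event 4104)
New-Item -Path "$policyRoot\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -PropertyType DWord -Force | Out-Null

# Turn on Module Logging for every module (event 4103); ModuleNames holds the module filter
New-Item -Path "$policyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$policyRoot\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$policyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Turn on PowerShell Transcription (full session text written to files in OutputDirectory)
New-Item -Path "$policyRoot\Transcription" -Force | Out-Null
New-ItemProperty -Path "$policyRoot\Transcription" -Name 'EnableTranscripting' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$policyRoot\Transcription" -Name 'EnableInvocationHeader' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$policyRoot\Transcription" -Name 'OutputDirectory' -Value 'C:\PSTranscripts' -PropertyType String -Force | Out-Null

# Verify: pull the latest script block events and show the script text.
function Get-RecentScriptBlocks {
    param([int]$MaxEvents = 10)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 4104 event data: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Level  = $_.LevelDisplayName   # "Warning" marks blocks Windows itself flags as suspicious
            Path   = $_.Properties[4].Value
            Script = $_.Properties[2].Value
        }
    }
}
Get-RecentScriptBlocks -MaxEvents 10 | Format-List
```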

How to Enable Sysmon Logs?

Sysmon is one of the most powerful Windows logging tools used by SOC teams and DFIR investigators.

It provides advanced telemetry that normal Windows logs often miss.

Download Sysmon

Download Sysmon from Microsoft Sysinternals.

Install Sysmon

sysmon64.exe -i

What it does:
Installs Sysmon with default configuration.

When to use it:
To enhance Windows endpoint visibility.

Expected output:
Sysmon service installation confirmation.

Important Sysmon Event IDs

Event ID   Description
1          Process creation
3          Network connection
7          Image loaded
8          Remote thread creation
10         Process access
11         File creation
13         Registry modification
22         DNS queries
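A default install logs only a few of these event types. The block below is an added example, not the article's or Sysinternals' own configuration: it writes a minimal Sysmon configuration that turns on every event type in the table and installs Sysmon with it. It assumes sysmon64.exe is in the current directory; the include rules for the noisier types (image loads, process access, registry) are starting points to tune, not a production ruleset.

```powershell
# Added example (not from the article): minimal Sysmon config covering the
# event IDs listed above, then install. An event type with onmatch="exclude"
# and no rules logs everything; onmatch="include" logs only matching events.
$config = @'
<Sysmon schemaversion="4.81">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="exclude" />         <!-- Event 1: all process creations -->
    <NetworkConnect onmatch="exclude" />        <!-- Event 3: all network connections -->
    <ImageLoad onmatch="include">               <!-- Event 7: only DLLs loaded from user profiles -->
      <ImageLoaded condition="begin with">C:\Users\</ImageLoaded>
    </ImageLoad>
    <CreateRemoteThread onmatch="exclude" />    <!-- Event 8: all remote thread creations -->
    <ProcessAccess onmatch="include">           <!-- Event 10: handles opened to lsass.exe -->
      <TargetImage condition="image">lsass.exe</TargetImage>
    </ProcessAccess>
    <FileCreate onmatch="exclude" />            <!-- Event 11: all file creations -->
    <RegistryEvent onmatch="include">           <!-- Events 12-14 on Run/RunOnce keys; 13 is the value write -->
      <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
    </RegistryEvent>
    <DnsQuery onmatch="exclude" />              <!-- Event 22: all DNS queries -->
  </EventFiltering>
</Sysmon>
'@
$configPath = Join-Path $PWD 'sysmon-config.xml'
Set-Content -Path $configPath -Value $config -Encoding UTF8

# -accepteula skips the licence prompt; -i installs the driver and service with
# this config. Later rule changes are loaded with "sysmon64.exe -c <file>".
& .\sysmon64.exe -accepteula -i $configPath
if ($LASTEXITCODE -ne 0) { throw "Sysmon install failed with exit code $LASTEXITCODE" }

# Verify: the service is running and Event 1 records are arriving in the Sysmon channel
Get-Service -Name Sysmon64 | Select-Object Name, Status
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5 |
    ForEach-Object {
        # Read the Image field by name from the event XML rather than by position
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object Name -eq 'Image').'#text'
    }
```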

How to Enable RDP and Remote Access Logs?

RDP remains one of the most abused attack vectors in enterprise breaches.

Attackers often brute-force weak passwords and gain remote access to internal systems.

Enable RDP Logging

Navigate inside Event Viewer:

Applications and Services Logs →
Microsoft →
Windows →
TerminalServices-LocalSessionManager →
Operational

Right-click the log and select:

Enable Log

Critical RDP Event IDs

Event ID   Description
4624       Successful login
4625       Failed login
4778       Session reconnected
4779       Session disconnected
1149       RDP authentication success
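Once the Security log is populated, the brute-force pattern described above shows up as many 4625 events from one source address. The function below is an added example, not from the article: it reads 4625 events, keeps the RDP-related logon types and groups failures by source. The 24-hour window and the threshold of 20 failures are assumptions to tune for your environment.

```powershell
# Added example (not from the article): summarise failed logons (4625) by source
# address. Logon type 10 is RemoteInteractive (RDP); type 3 (Network) also
# appears when Network Level Authentication rejects the credentials first.
function Get-RdpFailedLogonSources {
    param(
        [int]$Hours = 24,
        [int]$Threshold = 20
    )
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull named fields from the event XML instead of relying on positional indexes
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            LogonType = [int]$data['LogonType']
            Source    = $data['IpAddress']
            SubStatus = $data['SubStatus']   # 0xC000006A bad password, 0xC0000064 unknown user
        }
    } |
    Where-Object { $_.LogonType -in 3, 10 -and $_.Source -and $_.Source -ne '-' } |
    Group-Object Source |
    Where-Object Count -ge $Threshold |
    ForEach-Object {
        [pscustomobject]@{
            Source    = $_.Name
            Failures  = $_.Count
            Users     = ($_.Group.User | Sort-Object -Unique) -join ','
            FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Failures -Descending
}

Get-RdpFailedLogonSources -Hours 24 -Threshold 20 | Format-Table -AutoSize
```

Many distinct user names from a single source in a short window is the password-spraying variant of the same activity and is worth an alert even below the failure threshold.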

How to Enable Task Scheduler Logs?

Attackers frequently use scheduled tasks for persistence.

Malware families commonly create hidden scheduled tasks to relaunch payloads after reboot.

Enable Task Scheduler Logs

Navigate to:

Applications and Services Logs →
Microsoft →
Windows →
TaskScheduler →
Operational

Enable the operational log.

Important Event IDs

Event ID   Description
106        Task registered
140        Task updated
141        Task deleted

How to Enable Microsoft Defender Logs?

Microsoft Defender provides valuable malware telemetry even in environments using third-party antivirus solutions.

Navigate to Defender Logs

Applications and Services Logs →
Microsoft →
Windows →
Windows Defender →
Operational

Enable the log if disabled.

Important Defender Event IDs

Event ID   Description
1116       Malware detected
1117       Malware remediation
5007       Configuration changed
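The RDP, Task Scheduler and Defender sections above each enable an Operational channel by hand in Event Viewer. As an added example (not from the article), the block below does the same for all of them with wevtutil and raises each channel's maximum size so that a burst of events does not overwrite the history an investigation needs. The 256 MB and 1 GB sizes are assumptions.

```powershell
# Added example (not from the article): enable the Operational channels used in
# this guide and raise their size limits. "wevtutil sl" (set-log) needs an
# elevated prompt. Channel names are the ones Event Viewer shows under
# Applications and Services Logs.
$channels = @(
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-TaskScheduler/Operational',
    'Microsoft-Windows-Windows Defender/Operational',
    'Microsoft-Windows-PowerShell/Operational'
)
$channelMax  = 256MB
$securityMax = 1GB

foreach ($ch in $channels) {
    # /e:true enables the channel, /ms sets the maximum size in bytes,
    # /rt:false keeps "overwrite oldest events" rather than stopping when full
    & wevtutil.exe sl $ch /e:true /ms:$channelMax /rt:false
    if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to configure $ch" }
}

# The Security log is always enabled; only its size needs raising
& wevtutil.exe sl Security /ms:$securityMax

# Verify: Get-WinEvent -ListLog exposes the same settings "wevtutil gl" prints
function Get-ChannelStatus {
    param([string[]]$Names)
    Get-WinEvent -ListLog $Names -ErrorAction SilentlyContinue |
        Select-Object LogName, IsEnabled,
            @{ n = 'MaxSizeMB'; e = { [math]::Round($_.MaximumSizeInBytes / 1MB) } },
            RecordCount, LastWriteTime
}
Get-ChannelStatus -Names ($channels + 'Security') | Format-Table -AutoSize
```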

How to Enable Windows Firewall Logs?

Firewall logs help identify:

  • Suspicious outbound traffic
  • Command-and-control communication
  • Blocked connections
  • Lateral movement attempts

Enable Firewall Logging

Open:

wf.msc

Navigate to:

Windows Defender Firewall →
Properties →
Logging →
Customize

Enable:

  • Log dropped packets
  • Log successful connections

Firewall Log Default Location

C:\Windows\System32\LogFiles\Firewall\pfirewall.log
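The same two logging options can be set for all three firewall profiles with Set-NetFirewallProfile, and the resulting text file is easy to parse. The block below is an added example, not from the article: it enables logging, then summarises DROP entries by source and destination port from a few constructed sample lines in the same format pfirewall.log uses.

```powershell
# Added example (not from the article): enable dropped-packet and successful
# connection logging on every profile, then parse pfirewall.log. Run elevated.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True -LogAllowed True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# Parse pfirewall.log. Column names come from its "#Fields:" header line:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path
function Get-FirewallDropSummary {
    param([string[]]$Lines)
    $fields = $null
    $drops = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*') -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $fields) { continue }   # other header lines / no header yet
        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        if ($rec['action'] -eq 'DROP') { [pscustomobject]$rec }
    }
    $drops | Group-Object 'src-ip', 'dst-port' |
        ForEach-Object {
            [pscustomobject]@{
                Source  = $_.Group[0].'src-ip'
                DstPort = $_.Group[0].'dst-port'
                Drops   = $_.Count
            }
        } | Sort-Object Drops -Descending
}

# Constructed sample lines (layout matches the default pfirewall.log format)
$sample = @(
    '#Version: 1.5',
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2024-01-15 03:17:02 DROP TCP 203.0.113.5 10.0.0.20 51234 3389 52 S 123456 0 8192 - - - RECEIVE',
    '2024-01-15 03:17:03 DROP TCP 203.0.113.5 10.0.0.20 51235 3389 52 S 123457 0 8192 - - - RECEIVE',
    '2024-01-15 03:17:05 ALLOW TCP 10.0.0.20 10.0.0.1 50001 443 0 - 0 0 0 - - - SEND',
    '2024-01-15 03:17:09 DROP UDP 10.0.0.33 10.0.0.20 137 137 78 - - - - - - - RECEIVE'
)
Get-FirewallDropSummary -Lines $sample | Format-Table -AutoSize
# Against the live file:
# Get-FirewallDropSummary -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```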

Windows Log Locations Cheat Sheet

Log Type              Location
Security Logs         C:\Windows\System32\winevt\Logs\Security.evtx
System Logs           C:\Windows\System32\winevt\Logs\System.evtx
Application Logs      C:\Windows\System32\winevt\Logs\Application.evtx
PowerShell Logs       C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
Sysmon Logs           C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
Task Scheduler Logs   C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx
Defender Logs         C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx
RDP Logs              C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
Firewall Logs         C:\Windows\System32\LogFiles\Firewall\pfirewall.log

Most Important Windows Event IDs Every SOC Analyst Should Know

Event ID   Description
4624       Successful login
4625       Failed login attempt
4672       Special privileges assigned
4688       Process creation
4698       Scheduled task created
7045       New service installed
4104       PowerShell execution
1116       Malware detected
5156       Windows Filtering Platform allowed connection

Expert SOC Analyst Tips

1. Increase Log Retention Size

Default Windows log sizes are often too small.

Attackers sometimes generate noise intentionally to overwrite old logs.

Increase log storage capacity in Event Viewer properties.

2. Forward Logs to a SIEM

Never rely only on local logs.

Forward logs to:

  • Splunk
  • Microsoft Sentinel
  • Elastic Stack
  • Graylog
  • QRadar

3. Enable Command Line Logging

Enable process command-line auditing to capture malicious command execution.

4. Monitor PowerShell Aggressively

Most modern Windows malware abuses PowerShell.

PowerShell Event ID 4104 is one of the highest-value logs for threat hunting.

5. Deploy Sysmon Enterprise-Wide

Sysmon dramatically improves endpoint visibility.

Most mature SOC teams use customized Sysmon configurations.

FAQ

1. Are Windows logs enabled by default?

Some basic logs are enabled by default, but advanced security logging like PowerShell Script Block Logging and Sysmon must be manually configured.

2. What is the most important Windows Event ID?

Event ID 4688 (process creation) and 4104 (PowerShell execution) are extremely valuable for threat detection.

3. Can attackers delete Windows logs?

Yes. Attackers often clear logs using built-in Windows tools to hide evidence.

4. Why is Sysmon important?

Sysmon provides advanced visibility into processes, network activity, registry changes, and persistence techniques.

5. What log is best for ransomware detection?

PowerShell logs, Defender logs, Sysmon logs, and file modification monitoring are highly effective.

6. Where are Windows Event Logs stored?

Most logs are stored inside:

C:\Windows\System32\winevt\Logs\

7. Should small businesses enable advanced logging?

Absolutely. Small businesses are heavily targeted because many lack monitoring and detection capabilities.

Conclusion

Cybersecurity investigations are only as strong as the logs available.

In real-world incidents, defenders rarely say:

“We had too many logs.”

Instead, they usually say:

“We wish logging had been enabled earlier.”

Proper Windows logging transforms a blind environment into a visible one. It allows SOC teams to detect attacks faster, investigate incidents more accurately, and stop attackers before major damage occurs.

If you are serious about Windows security, threat hunting, malware detection, ransomware defense, or incident response, enabling these logs should be one of the first things you do today.

Because in cybersecurity, visibility is survival.

Shubham Chaudhary
