Audit Your Windows Event Logs For DCOM Hardening Errors
The Windows event log contains a large amount of data about a computer, ranging from login data to errors generated on the computer. By default, Lansweeper scans all error events generated by a Windows computer. Additionally, you can enable scanning of other event log information. These errors can be used to both discover and resolve issues on your computers, preventing downtime.
With Microsoft forcing DCOM hardening soon, it is important to ensure that all devices, services, and applications using DCOM will continue to work without issue. Using the Windows error events 10036, 10037, and 10038, problems can be identified before DCOM hardening is enforced. The audit below provides an overview of all instances of event IDs 10036, 10037, and 10038 in the last 7 days. Read more about the DCOM hardening changes and the effect they can have on your IT environment in our DCOM Hardening pro tips blog post.
DCOM Hardening Error Events in the last 7 days Query
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysOS.OSname As OS,
  tblAssets.Lastseen,
  tblNtlog.TimeGenerated,
  tblNtlog.Eventcode,
  tblNtlogSource.Sourcename,
  tblNtlogMessage.Message
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID =
    tblAssets.LocationID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Inner Join tblNtlog On tblNtlog.AssetID = tblAssets.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
    tblNtlog.SourcenameID
  Inner Join tblNtlogUser On tblNtlogUser.LoguserID = tblNtlog.LoguserID
  Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tblNtlog.TimeGenerated > GetDate() - 7
  And (tblNtlog.Eventcode = 10036 Or tblNtlog.Eventcode = 10037 Or
    tblNtlog.Eventcode = 10038 Or tblNtlog.Eventcode = 10028)
  And Case tblNtlog.Eventtype
    When 1 Then 'Error'
    When 2 Then 'Warning'
    When 3 Then 'Information'
    When 4 Then 'Security Audit Success'
    When 5 Then 'Security Audit Failure'
  End = 'Error'
  And tblState.Statename = 'Active'
Order By tblNtlog.TimeGenerated Desc,
  tblAssets.Domain
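
The query above returns one row per logged event, which gets long when a single device logs the same error repeatedly. As an added example (not part of the original Lansweeper report), the variant below summarizes the same events per asset, event ID, and source so the noisiest devices can be triaged first. It uses only tables and columns that appear in the query above; the aliases EventCount, FirstEvent, and LastEvent are names chosen for this example, and Eventtype = 1 is taken from the 'Error' mapping in the original Case expression.

```sql
-- Added example: per-asset summary of DCOM hardening error events (last 7 days).
-- Same event IDs and filters as the detail query; one row per asset/event ID/source.
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.IPAddress,
  tblNtlog.Eventcode,
  tblNtlogSource.Sourcename,
  Count(*) As EventCount,                        -- how often the error was logged
  Min(tblNtlog.TimeGenerated) As FirstEvent,     -- earliest occurrence in the window
  Max(tblNtlog.TimeGenerated) As LastEvent       -- most recent occurrence
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Inner Join tblNtlog On tblNtlog.AssetID = tblAssets.AssetID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
    tblNtlog.SourcenameID
Where tblNtlog.TimeGenerated > GetDate() - 7
  And tblNtlog.Eventcode In (10036, 10037, 10038, 10028)
  And tblNtlog.Eventtype = 1                     -- 1 = 'Error' in the original query
  And tblState.Statename = 'Active'
Group By tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.IPAddress,
  tblNtlog.Eventcode,
  tblNtlogSource.Sourcename
Order By EventCount Desc,
  LastEvent Desc
```

An asset whose LastEvent stops advancing after a patch or configuration change is a quick indicator that the fix took effect.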