CHAPTER 10 Operating System Events

Operating system events are events that record system parameter modifications and important operations within Windows. Many events that should be monitored can occur on a system. The list of such events is quite long, so here are a few examples:

  • System startup/shutdown
  • System setting changes, such as system time
  • New scheduled task or service installation
  • Changes in the local audit group policy settings

These and many other events might indicate anomalous activity. Some examples of such activities might be:

  • Installation of a new service on a critical host
  • Unexpected system restart
  • Security event log erasure

Many system events, which are available for monitoring using the Windows security event log, are important and should be investigated if they occur.
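The following PowerShell script is an added example for this chapter, not the book's own code: it pulls the Security log events behind the items listed above (startup/shutdown, system time change, service and scheduled task creation, audit policy change, security log clearing) from the last N hours and summarises them so a reviewer can spot, for instance, a new service on a host or an unexpected restart. The event IDs are the standard Windows Security log definitions; the `-ComputerName` parameter and the 24-hour default window are assumptions for the example.

```powershell
# Added example: summarise operating-system events from the Security log.
# Event ID meanings are the standard Windows Security log definitions.
$watchedEvents = @{
    4608 = 'Windows is starting up'
    4609 = 'Windows is shutting down'
    4616 = 'The system time was changed'
    4697 = 'A service was installed in the system'
    4698 = 'A scheduled task was created'
    4719 = 'System audit policy was changed'
    1102 = 'The audit log was cleared'
}

function Get-OsEventSummary {
    param(
        # Local host by default; a remote name is an assumption for the example
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$watchedEvents.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent reports "no events found" as an error
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            Computer    = $evt.MachineName
            Id          = $evt.Id
            Meaning     = $watchedEvents[$evt.Id]
            # First line of the rendered message is enough for a triage view
            Detail      = ($evt.Message -split "`r?`n")[0]
        }
    }
}

# Events that should always be investigated, regardless of count
$alwaysInvestigate = 1102, 4697, 4719

$summary = Get-OsEventSummary -Hours 24
$summary | Group-Object Id | Sort-Object Name |
    Select-Object @{n='Id';e={$_.Name}}, Count, @{n='Meaning';e={$watchedEvents[[int]$_.Name]}} |
    Format-Table -AutoSize

$summary | Where-Object { $alwaysInvestigate -contains $_.Id } |
    Sort-Object TimeCreated | Format-Table TimeCreated, Computer, Id, Detail -AutoSize
```

Run it from an elevated PowerShell session, since reading the Security log requires administrative rights (or membership in the Event Log Readers group). Event 1102 is written by the Eventlog service itself, so a cleared Security log still leaves this one record behind as the first entry.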

This chapter contains information about different system events that might indicate anomalous activity performed on the system.

System Startup/Shutdown

System shutdown may be invoked using different methods:

  • Normal shutdown by using internal APIs that require the SeShutdownPrivilege user privilege. SeShutdownPrivilege can be granted by the “Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system” group policy setting.
  • Emergency shutdown by disabling the power supply

Normal shutdown can be successful, or it can be unsuccessful if someone tried to use the SeShutdownPrivilege privilege without having it.
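As an added example (not from the book) of telling the shutdown cases above apart, the script below builds a timeline from three records: System log event 1074 from the User32 source, which names the process and user that requested a shutdown or restart; System log event 6008 from the EventLog source, which Windows writes at the next boot when the previous shutdown was unexpected (the power-loss case); and Security log event 4673 failure audits that name SeShutdownPrivilege, which is the trace of a caller trying to use the privilege without holding it. The 4673 records for SeShutdownPrivilege are only produced when the "Audit Non Sensitive Privilege Use" subcategory is enabled; the seven-day window is an assumption for the example.

```powershell
# Added example: shutdown timeline from System/1074, System/6008 and
# Security/4673 (failure, SeShutdownPrivilege).
function Get-ShutdownTimeline {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $rows = [System.Collections.Generic.List[object]]::new()

    # Requested shutdowns/restarts: who asked, which process, what reason
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074; StartTime = $since } `
                 -ErrorAction SilentlyContinue | ForEach-Object {
        $rows.Add([pscustomobject]@{
            Time   = $_.TimeCreated
            Kind   = 'Requested'
            Detail = ($_.Message -split "`r?`n")[0]
        })
    }

    # Unexpected shutdowns (logged at the following boot): emergency power-off
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6008; StartTime = $since } `
                 -ErrorAction SilentlyContinue | ForEach-Object {
        $rows.Add([pscustomobject]@{
            Time   = $_.TimeCreated
            Kind   = 'Unexpected'
            Detail = ($_.Message -split "`r?`n")[0]
        })
    }

    # Failed use of SeShutdownPrivilege: shutdown attempted without the right
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' -and $_.Message -match 'SeShutdownPrivilege' } |
        ForEach-Object {
            $rows.Add([pscustomobject]@{
                Time   = $_.TimeCreated
                Kind   = 'PrivilegeDenied'
                Detail = ($_.Message -split "`r?`n")[0]
            })
        }

    $rows | Sort-Object Time
}

$timeline = Get-ShutdownTimeline -Days 7
$timeline | Format-Table Time, Kind, Detail -AutoSize

# Anything other than a requested, clean shutdown deserves a closer look
$timeline | Where-Object { $_.Kind -ne 'Requested' } |
    ForEach-Object { Write-Warning ("{0} {1}: {2}" -f $_.Time, $_.Kind, $_.Detail) }
```

A 6008 entry with no 1074 shortly before it is the signature of a power cut or hard reset rather than an orderly shutdown; a PrivilegeDenied row tells you which account attempted the shutdown and is worth matching against the "Shut down the system" user rights assignment on that host.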
